Diving into the Washington My Health My Data Act
This is Part Four in a series of legal updates on the Washington My Health My Data Act (“WMHMDA”) where Quarles continues its deep dive into the various factors and intricacies of WMHMDA that are creating tidal waves in the privacy space – and not just for the health and life sciences industry.
Today we are diving into an element of WMHMDA that is making an early splash – geofencing requirements.
Catch up with the WMHMDA summer series: We do not want to send you off into the deep end, so we will coach you through this consequential legislation in short 50m sprints. Grab your sunscreen and get ready to jump in:
- Overview: Washington Poised to Transform Consumer Health Data Landscape with Passage of My Health My Data Act
- Part One: What Regulated Entities are Subject to WMHMDA
- Part Two: Consumers Covered by WMHMDA
- Part Three: Broad Scope of Consumer Health Data
- Part Four: Geofencing Requirements (this is what you are reading now)
- Part Five: Consent and Authorization Requirements
- Part Seven: Biometric Data
- Part Eight: Individual Rights
- Part Nine: Enforcement and Private Right of Action
- Part Ten: Operational Realities and Next Steps
- Part Eleven: HIPAA vs. WMHMDA (for table lovers)
- Part Twelve: Washington AG Guidance
Why Should You Care About Geofencing?
Geofencing is not a concept we expect to see in current iterations of U.S. state privacy law. However, WMHMDA dives into geofence prohibitions, making it unlawful for regulated entities to utilize a geofence around a facility that provides health care services. Unlike the 2024 effective date for most WMHMDA requirements, the geofence prohibition goes into effect in July 2023.
What is Geofence Technology?
In general, geofence technology enables users to set up a virtual perimeter around a specific geographic location. Through radio frequency identification (RFID), Wi-Fi, GPS, Bluetooth, and cellular data, applications and software programs can track when a consumer enters and exits the virtual perimeter. WMHMDA defines a “geofence” as “technology that uses global positioning coordinates, cell tower connectivity, cellular data, radio frequency identification, Wifi data, and/or any other form of spatial or location detection to establish a virtual boundary around a specific physical location, or to locate a consumer within a virtual boundary that is 2,000 feet or less from the perimeter of a physical location.”
How is Geofence Technology Used?
In some instances, this tracking technology is used to send targeted advertising to consumers via text message, push notification, and social media posts. Geofence technology is used to trigger smart home devices to turn on the lights and adjust the thermostat to 71 degrees when you enter the virtual perimeter. You may also use geofence technology when you track your child’s location, set up a wireless fence for your pet, or search for your phone. While most uses of geofence technology are relatively innocuous, some are more controversial.
The Fourth Amendment of the United States Constitution protects the right of individuals to be secure in their “persons, houses, papers, and effects” against unreasonable searches and seizures, namely by law enforcement. Except in limited situations, law enforcement must have a warrant to execute a constitutionally valid search. In obtaining a warrant, the Fourth Amendment requires law enforcement to have probable cause and to describe in detail the place to be searched and the person and items to be seized.
In recent years, law enforcement has begun using “geofence warrants” to ascertain who was within a particular virtual perimeter at a given time by compelling technology companies to hand over data collected by their geofence technologies. Obtaining this data often significantly decreases the government’s necessary investigative efforts and resource allocation in order to apprehend alleged criminals. However, many criminal defense attorneys push back on the constitutionality of these warrants with their assertion that law enforcement cannot state with particularity what persons or items are to be seized when requesting lists of information identifying individuals who have visited a particular virtual perimeter.
Why Does the Fourth Amendment Matter in the Context of WMHMDA?
On March 4th, the primary sponsor of the WMHMDA, Rep. Vandana Slatter, D-Wash., issued a statement indicating that the legislation was introduced as a “response to the Dobbs v. Jackson Supreme Court Decision.” In the Dobbs decision, the Supreme Court held that the Constitution does not confer a right to an abortion. In turn, this ruling empowered numerous states to enact strict civil and criminal penalties for individuals who receive or provide abortion care services. Specifically, Texas state government officials have indicated that they will prosecute anyone leaving the state for the purpose of having an abortion. Additionally, Texas passed a civil statute that permits lawsuits against health care providers and other people who aid or abet “the performance or inducement of abortion.” Notably, that statute does not require that the conduct occur within Texas state borders in order to justify a lawsuit.
As a result, legislators in states where varying degrees of abortion care are still permitted, like Rep. Slatter in Washington, have become increasingly concerned that law enforcement will turn to geofence warrants to cast a digital net to catch and prosecute individuals who enter the virtual perimeter of a reproductive health clinic in any state.
However, WMHMDA is also intended to broadly protect against the collection and sale by technology platforms of geofence tracking insights that may contain sensitive health data.
Does WMHMDA Prohibit Geofencing?
Under the WMHMDA, it is unlawful for any person to “implement a geofence around an entity that provides in-person health care services where such geofence is used to:
- Identify or track consumers seeking health care services;
- Collect consumer health data from consumers; or
- Send notifications, messages, or advertisements to consumers related to their consumer health data or health care services.”
Under WMHMDA, the definition of a “health care service” is any service provided to a person to assess, measure, improve, or learn about a person's mental or physical health. As we noted in Part Three, “consumer health data” is any “personal information that is linked or reasonably linkable to a consumer and that identifies the consumer’s past, present, or future physical or mental health status.”
In Part One, we discussed the breadth of WMHMDA’s application to most non-governmental entities. While it isn’t within the Washington legislature’s jurisdiction to limit the ability of law enforcement officials to seek geofence warrants, the governing body is permitted to prohibit companies from taking actions that harm consumers. As a refresher, the WMHMDA applies to any legal entity that:
- Conducts business in Washington, or produces or provides products or services that are targeted to consumers in Washington; and
- Alone or jointly with others, determines the purpose and means of collecting, processing, sharing, or selling of consumer health data.
Arguably, because the definitions of “health care service” and “physical or mental health status” are so broad, and the definition of a regulated entity does not contain carveouts for nonprofits, the WMHMDA prohibition on geofencing is potentially global if the geofence has any nexus to Washington. In effect, WMHMDA could prohibit, for example, the use of a geofence by a charitable organization to research the impacts of food deserts on health outcomes through the collection of data from families in Washington, a company that provides connected pedometers to track steps and subsequently store the data in Washington, a personal journal mobile application where a consumer chooses to share their location data and a story about a trip to the emergency room during a vacation to Washington, and a whole pool of others.
Should Businesses Cease Using Geofences Now in Case the WMHMDA Prohibition Applies?
Most of the law’s requirements clearly indicate an effective date for regulated entities of March 31, 2024. However, the geofencing prohibition does not provide an effective date, which means by default rule in Washington, that the geofencing prohibition is effective 90 days after the end of the legislative session, which falls on July 22, 2023.
Instead of draining all use of geofences from your business model, we recommend reviewing your data map (or conducting a data mapping exercise) using the definitions we have provided to identify and categorize the scope of data collected by your organization using a geofence that:
- Has a nexus to Washington, and
- Is used to identify or track consumers seeking health care services, collect consumer health data from consumers, and/or send notifications, messages, or advertisements to consumers related to their consumer health data or health care services.
Once this data has been identified, your organization will be more equipped to navigate the changing tides of geofence regulation.
In Part 5 we will surf on over to the WMHMDA consent and authorization requirements, which are making some big waves in the privacy community. Additional issues raised by WMHMDA are forthcoming. Until next time… grab a drink with an umbrella, put on some more sunscreen, and get ready to dive in.
For guidance and advice on implementing changes to your data privacy program in light of WMHMDA or other changing laws, please contact any member of the Quarles & Brady Data Privacy & Security Team, your Quarles attorney or: