Diving into the Washington My Health My Data Act
Just in time for the 4th of July, we tackle a WMHMDA topic that is certainly causing some fireworks in the privacy community: consent and authorization requirements for the collection, use, disclosure, sharing, sale, and other processing of consumer health data. These affirmative, opt-in requirements will likely have a significant effect on technical and operational processes and overall user experience.
Catch up with the WMHMDA summer series: We do not want to send you off into the deep end, so we will coach you through this consequential legislation in short 50m sprints. Grab your sunscreen and get ready to jump in!
- Overview: Washington Poised to Transform Consumer Health Data Landscape with Passage of My Health My Data Act
- Part One: What Regulated Entities are Subject to WMHMDA
- Part Two: Consumers Covered by WMHMDA
- Part Three: Broad Scope of Consumer Health Data
- Part Four: Geofencing Requirements
- Part Five: Consent and Authorization Requirements (this is what you are reading now)
- Part Seven: Biometric Data
- Part Eight: Individual Rights
- Part Nine: Enforcement and Private Right of Action
- Part Ten: Operational Realities and Next Steps
- Part Eleven: HIPAA vs. WMHMDA (for table lovers)
- Part Twelve: Washington AG Guidance
Consent – Extensive Opt-In Requirements
When it goes into effect, WMHMDA will impose extensive consent requirements. In general, WMHMDA requires affirmative opt-in consent for collection, use, disclosure, and other processing of consumer health data beyond processing necessary to provide a product or service requested by a consumer.
The definition of “consent” under WMHMDA is, like many other terms under WMHMDA, quite broad.
“Consent” means “a clear affirmative act that signifies a consumer's freely given, specific, informed, opt-in, voluntary, and unambiguous agreement, which may include written consent provided by electronic means.”
This level of affirmative consent is similar to what we see under the European Union/European Economic Area’s General Data Protection Regulation (GDPR). For consent to be valid under WMHMDA, it may not be obtained by a consumer:
- Hovering over, muting, pausing, or closing a piece of content; or
- Agreement obtained through the use of deceptive designs. A deceptive design is defined as a user interface designed or manipulated with the effect of subverting or impairing user autonomy, decision making, or choice.
But, WMHMDA’s opt-in requirement is different from what we have seen in other state comprehensive privacy laws. For example, the California Consumer Privacy Act (CCPA) allows opt-outs, and other state privacy laws require opt-in for only limited processing (e.g., profiling/targeted advertising). In contrast, WMHMDA requires opt-in for all processing in excess of processing necessary to provide consumer-requested products and services. Further, MHMDA does not have opt-in exceptions for common use cases and requires an authorization distinct from the consent to be obtained to permit the sale of data. The requirements for the authorization are summarized in the “Consent to Sell” section below.
Entities subject to WMHMD, or “regulated entities” as they are referred to in the WMMDA, will need to analyze the user experience to build appropriate consents into the process. Given the individual consent requirements, we expect to see a significant increase in consent requests that will disrupt the user experience. Under WMHMD, consumers also can withdraw consent at any time, so entities will need to be prepared to process withdrawals and pivot data collection and processing activities accordingly.
Consent to Collect or Share – Opt-In
When consumer health data will be collected or shared for purposes other than as necessary to provide the product or service the consumer has requested, regulated entities must obtain prior consumer consent before collecting or sharing such consumer health data.
What is “necessary” processing? WMHMDA does not provide a definition, so the interpretation of “necessary” will have ripple effects throughout the consent analysis. This issue will be ripe for litigation, and regulated entities should be prepared to justify the necessity of processing activities in support of consent decisions.
Consent for Collection. Unsurprisingly, the term “collect” is defined broadly (and rather unusually) under WMHMDA. “Collect” is defined as “to buy, rent, access, retain, receive, acquire, infer, derive, or otherwise process consumer health data in any manner.” We find it odd that the definition of “collect” includes “processing,” where “processing” means “any operation or set of operations performed on consumer health data.” Inclusion of “processing” therefore further broadens the scope of “collection” under WMHMDA to include actions like data analytics and deidentification. Essentially, any actions that meet the definitions of collection or processing will require opt-in consent unless they are necessary to provide a consumer-requested product or service.
Taken to an extreme, the broad and overlapping definitions of “collection” and “processing” may produce unintended consequences such as requiring opt-in consent for all secondary processing, including requiring consent for activities like data destruction.
Consent for Sharing. Unlike “collection,” “sharing” is conceptualized as a subset of “processing” data. Notably, WMHMDA requires a separate consumer opt-in consent for data sharing. Thus, regulated entities may be required to obtain two distinct consents from consumers to address collection and sharing consumer health data for a use case requiring third-party data sharing for a secondary data processing purpose.
WMHMDA’s definition of “share” is broadly defined as to “release, disclose, disseminate, divulge, make available, provide access to, license, or otherwise communicate orally, in writing, or by electronic or other means, consumer health data by a regulated entity or a small business to a third party or affiliate.”
It is notable that this definition includes any disclosures to affiliates, meaning that affiliated entities that may have information systems that allow for sharing information among affiliates could be required to either overhaul their information systems to create appropriate firewalls, or obtain consumer opt-in to cover such sharing practices. Inclusion of the term “making available” in the definition of “sharing” suggests that third-party cookies and tracking pixels that access consumer health data may also require opt-in consent.
Helpfully, disclosures to processors of consumer health data acting on behalf of the regulated entity are excluded from the definition of “sharing,” and disclosures that occur as part of a merger, acquisition, bankruptcy, or other transaction in which the third party assumes all or part of the regulated entity’s assets and whether the third party complies with the WMHMDA requirements are also excepted. In addition, there is a limited security-related exception that we discuss in more detail below.
- Collection, use, or sharing additional categories of consumer health data not disclosed in the policy; and
- Collection, use, or sharing of consumer health data for additional purposes not disclosed in the policy.
Consent to Sell – Authorization
Under WMHMD, entities are required to obtain a heightened level of affirmative opt-in consent (i.e., an authorization) from consumers prior to the sale of any consumer health data. The consent to “sell” consumer health data must be separate from other consents to prevent a compound authorization.
“Sell” is defined as “the exchange of consumer health data for monetary or other valuable consideration.” The definition of “sell” has a parallel exception for sharing consumer health data in the context of certain mergers, acquisitions, bankruptcy. This exception aligns with the exceptions to the definition of “sharing.” Also similar to the definition of sharing, there is one limited security-related exception that we discuss in more detail below. While the definition of “sell” is generally in line with other state privacy law definitions of sale (e.g., CCPA), WMHMDA does not provide for other common exceptions to the definition of sale seen in other state laws.
The level of detail required by WMHMDA for authorization to sell consumer health data is unprecedented under U.S. privacy law. Not only must the authorization describe the consumer health data being sold and the purpose of the sale, it must also (among other things) identify the purchaser, how the purchaser will use the data, and provide contact information for the purchaser. In addition, the authorization must contain:
- The specific consumer health data to be sold (meaning the authorization itself may contain consumer health data)
- The name and contact information of the seller
- The name and contact information of the purchaser
- The purpose of sale, including:
- How the consumer health data will be gathered
- How the consumer health data will be used by the purchaser
- Required statements:
- Provision of goods or services may not be conditioned on authorization
- Consumer has right to revoke the authorization at any time and how the consumer may submit the revocation
- The data sold may be subject to redisclosure and may no longer be protected by WMHMDA
- The date of signing
- An expiration data that is one year from the date of signing
- Consumer signature
For many entities, this level of authorization will be nearly impossible to obtain and will likely dissuade them from seeking these authorizations for sale – resulting either in a limitation on data sales by these entities or non-compliance with WMHMDA’s authorization provisions.
Authorizations to sell consumer health data are only valid for one year. The regulated entity must provide a signed authorization to the consumer and both the seller and the purchaser of the data must retain a copy of the authorization for six years.
Limited Exceptions – Security Purposes
While other state privacy laws contain general exceptions to consent requirements for common uses and disclosures of data, WMHMDA has very limited exceptions. However, the Act does contain one exception for security-related purposes that permits some limited uses and disclosures of consumer health data without consent. WMHMDA does not restrict an entity’s ability to “collect, use, or disclosure of consumer health data to prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any activity that is illegal under Washington state law or federal law; preserve the integrity or security of systems; or investigate, report, or prosecute those responsible for any such action that is illegal under Washington state law or federal law.” While helpful in these limited circumstances, this exception does very little to alleviate the burden placed on regulated entities by WMHMDA’s consent requirements.
Notes from Quarles
Swimming in WMHMDA means regulated entities should expect users to decline to consents and authorizations for processing activities that are currently unrestricted. As such, preparing for WMHMDA compliance (and avoiding sinking) will necessarily involve internal discussions with business stakeholders regarding the ripple effects for research and development, analytics, and other business activities.
Thirsty for a cold lemon-aid and more WMHMA? In Part Six, we will dive into how WMHMDA will require entities to create new or updated privacy policies and Part Seven will immerse ourselves in a discussion of individual rights. Until next time… turn on your grill, light a sparkler (where permitted by applicable law), and enjoy a safe holiday!
Don’t spend too much time on that pool float – Nevada and Connecticut are jumping in the pool as well. Nevada SB 370 and Connecticut SB3 were just approved by their governors with effective dates on March 31, 2024 (Nevada) and July 1, 2023 (Connecticut). We’ve got you covered; analysis on the new consumer health data requirements are forthcoming.
For guidance and advice on implementing changes to your data privacy program in light of WMHMDA or other changing laws, please contact any member of the Quarles & Brady Data Privacy & Security Team, your Quarles attorney or: