Diving into the Washington My Health My Data Act
This is Part Seven in a series of legal updates on the Washington My Health My Data Act (“WMHMDA”), where Quarles continues its deep dive into the various factors and intricacies of WMHMDA that are creating waves in the privacy space – and not just for the health and life sciences industry.
In previous updates, we’ve covered who is subject to the law, the broad definitions of “consumer” and “consumer health data,” and discussed specific requirements of the law such as geofencing, consent and authorization, and privacy policies. Now that the grill is preheated, we are adding hot dogs to WMHMDA’s flames. Do you take your biometric privacy with a side of fries?
Catch up with the WMHMDA summer series: We do not want to send you off into the deep end, so we will coach you through this consequential legislation in short 50m sprints. Grab your sunscreen and get ready to jump in:
- Overview: Washington Poised to Transform Consumer Health Data Landscape with Passage of My Health My Data Act
- Part One: What Regulated Entities are Subject to WMHMDA
- Part Two: Consumers Covered by WMHMDA
- Part Three: Broad Scope of Consumer Health Data
- Part Four: Geofencing Requirements
- Part Five: Consent and Authorization Requirements
- Part Seven: Biometric Data (this is what you are reading now)
- Part Eight: Individual Rights
- Part Nine: Enforcement and Private Right of Action
- Part Ten: Operational Realities and Next Steps
- Part Eleven: HIPAA vs. WMHMDA (for table lovers)
- Part Twelve: Washington AG Guidance
Consumer Health Data and Biometric Data
Biometric data is part of the broadly defined “consumer health data” regulated by WMHMDA. Recall that WMHMDA defines “consumer health data” as:
Personal information that is linked or reasonably linkable to a consumer and that identifies the consumer’s past, present, or future physical or mental health status.
In conjunction with the definition of consumer health data, WMHMDA lists a non-exhaustive group of data elements that may make up “physical or mental health status.” Included within these examples of physical or mental health status is “biometric data.” Under WMHMDA, biometric data is defined as:
Data that is generated from the measurement or technological processing of an individual's physiological, biological, or behavioral characteristics and that identifies a consumer, whether individually or in combination with other data. Biometric data includes but is not limited to:
(a) Imagery of the iris, retina, fingerprint, face, hand, palm, vein patterns, and voice recordings from which an identifier template can be extracted; or
(b) Keystroke patterns or rhythms and gait patterns or rhythms that contain identifying information.
Of note, this definition of biometric data includes facial photographs as well as data from which an identifier template can be extracted – much broader than requiring an actual extraction. In other words, you do not need to actually extract the biometric data to identify an individual; it is enough that it could be used to identify an individual to constitute biometric data under WMHMDA.
It is important to keep the broad definition of “consumer” in mind when you think about the data that may meet the definition of “biometric data.” Take a look at Part 2 for a summary of “consumers” covered by WMHMDA.
Interestingly, because the definition of “consumer” under WMHMDA does not include individuals acting in an employment context, WMHMDA does not apply to biometric data of employees or in a business-to-business data processing context. As noted below, however, entities still need to keep in mind other existing biometric laws in Washington (and across the U.S.).
Washington’s Existing Biometric Privacy Law
To make matters more confusing, Washington already has a biometric privacy law (RCW 19.375), which remains in effect, though WMHMDA’s definition of biometric data is generally broader. RCW 19.375 defines biometric identifier as “data generated by automatic measurements of an individual’s biological characteristics, such as a fingerprint, voiceprint, eye retinas, irises, or other unique biological patterns or characteristics that is used to identify a specific individual.” No person (which includes certain business entities) may enroll a biometric identifier for a commercial purpose in Washington without providing notice to the consumer, obtaining the consumer’s consent, or providing a mechanism to prevent the subsequent use of a biometric identifier for a commercial purpose.
WMHMDA goes significantly further than RCW 19.375 in defining “biometric data”; businesses that may have been carved out of RCW 19.375 compliance obligations may need to re-examine their biometric practices under WMHMDA to ensure they are complying with the full scope of Washington’s applicable biometric laws, as biometric data may be subject to WMHMDA, RCW 19.375, or both.
Notes from Quarles
For entities already complying with more stringent biometric laws (like Illinois’ BIPA), the WMHMDA requirements may seem familiar. However, do not assume you are good to go with your BIPA practices in Washington. RCW 19.375 in Washington complicates the compliance analysis.
The RCW 19.375 and WMHMDA consent requirements differ: RCW 19.375 requires consent for any processing of a biometric identifier for a commercial purpose, whereas WMHMDA’s consent requirements are limited to collection, processing, or sharing of biometric data for secondary purposes other than as necessary to provide the consumer-requested product or service. As outlined in Part 5, consent required by WMHMDA for standard data collection, processing, or sharing (or elevated authorization requirements for sale of biometric data) is a difficult standard that is likely to stifle the consumer experience.
In Part 8, we will dive into a consumer’s rights under WMHMDA, which include rights of access and deletion that are broader than what we typically see in U.S. privacy laws. Regulated entities will need to think through how to comply with these access and deletion rights for biometric data without compromising related algorithms, reference templates, or verification processes.
Additional issues raised by WMHMDA are forthcoming. Until next time… grab a bun and some chips for that hot dog.
For guidance and advice on implementing changes to your data privacy program in light of WMHMDA or other changing laws, please contact any member of the Quarles & Brady Data Privacy & Security Team, your Quarles attorney or: