Diving into the Washington My Health My Data Act
This is Part Nine in a series of legal updates on the Washington My Health My Data (“WMHMDA”) where Quarles continues its deep dive into the various factors and intricacies of WMHMDA that are creating waves in the privacy space – and not just for the health and life sciences industry.
Last week, we packed up our beach bag and cooler with all the WMHMDA consumer rights. Today, we’re staying safe on our open swim and covering WMHMDA’s enforcement mechanisms and private right of action to helping you keep your summer vacation from turning into a bad day at the beach.
Catch up with the WMHMDA summer series: We do not want to send you off into the deep end, so we will coach you through this consequential legislation in short 50m sprints. Grab your sunscreen and get ready to jump in:
- Overview: Washington Poised to Transform Consumer Health Data Landscape with Passage of My Health My Data Act
- Part One: What Regulated Entities are Subject to WMHMDA
- Part Two: Consumers Covered by WMHMDA
- Part Three: Broad Scope of Consumer Health Data
- Part Four: Geofencing Requirements
- Part Five: Consent and Authorization Requirements
- Part Seven: Biometric Data
- Part Eight: Individual Rights
- Part Nine: Enforcement and Private Right of Action (this is what you are reading now)
- Part Ten: Operational Realities and Next Steps
- Part Eleven: HIPAA vs. WMHMDA (for table lovers)
- Part Twelve: Washington AG Guidance
Remember to swim parallel to the shore when caught in a rip current. WMHMDA offers two different rip currents to track – regulatory enforcement through the Washington Attorney General and an extensive private right of action under the Washington Consumer Protection Act (“CPA”).
Don’t get caught in the riptide of enforcement – read more below.
Expansive Private Right of Action
We are used to U.S. state consumer privacy laws with enforcement mechanisms. The California Privacy Rights Act (CPRA) established a new agency (the California Privacy Protection Agency) for implementation and enforcement. Other privacy laws provide for enforcement via the state Attorney General (e.g., Colorado and Virginia). Only California offers a private right of action and it is limited to unauthorized access/disclosure due to failure to implement and maintain reasonable security procedures.
WMHMDA takes a different approach to enforcement, providing for arguably the broadest private right of action of any state privacy law by establishing that a violation of the Act is an unfair or deceptive act under the CPA.
WMHMDA does not limit enforcement opportunities to instances of breaches. Instead, any violation of WMHMDA is “not reasonable in relation to the development and preservation of business.” This exposes regulated entities to a wide range of potential violations, including consent and authorization requirements, notice obligations, geofencing restrictions, responses to consumer rights request, and collection, processing, sale and sharing restrictions.
In addition, WMHMDA does not offer an opportunity to cure (which we see in other state privacy laws) and does not require claimants to establish a knowledge or intent level. We break down the elements of a CPA claim below, but with broad definitions of “consumer” and “consumer health data” under the Act, we are left with an ocean-sized scope for a private right of action.
Washington Consumer Protection Act
Washington’s Consumer Protection Act states that:
Unfair methods of competition and unfair or deceptive acts or practices in the conduct of any trade or commerce are hereby declared unlawful.
A person injured by a violation of CPA may bring an action in civil court to enjoin further violations and recover damages sustained by the injury (more on damages below). But what does this actually mean for WMHMDA’s regulated entities? Just like SPF 50, we’re here to help you avoid getting burned by potential enforcement.
- Bringing a claim under the Washington CPA
A successful claim under CPA must meet a five-element test:
- The existence of an unfair or deceptive act or practice;
- That occurs in trade or commerce;
- Impacting the public interest;
- Injuring a plaintiff in his or her business or property; and
- A causal link between the unfair or deceptive act complained of and the injury suffered by the plaintiff.
Under Section 11 of WMHMDA, the first three prongs of the test are automatically satisfied if there has been a violation of WMHMDA:
The legislature finds that the practices covered by this chapter are matters vitally affecting the public interest for the purpose of applying the consumer protection act, chapter 19.86 RCW. A violation of this chapter is not reasonable in relation to the development and preservation of business and is an unfair or deceptive act in trade or commerce and an unfair method of competition for the purpose of applying the Consumer Protection Act.
Thus, any consumer who alleges a violation of WMHMDA need only focus on the latter two elements – injuries to the consumer and a causal link between the unfair or deceptive act and the consumer’s injury. CPA allows “natural persons” to bring claims, and there is no apparent limitation to the scope of a class action - bringing us to a yet unknown depth of exposure.
- What is an “injury” under the Washington CPA?
Like a nasty sunburn, a jellyfish sting, or a seagull stealing your sandwich, consumers can be “injured” for the purposes of filing an action under the CPA. Proving such an “injury” is required for a consumer to prevail in a suit brought under the CPA. But what does it mean to be “injured” under the CPA?
Importantly, an injury under the CPA does not require monetary damages. Instead, it merely requires that a consumer’s “property interest or money is diminished because of the unlawful conduct, even if the expenses caused by the statutory violation are minimal.” Nordstrom, Inc. v. Tampourlos, 107 Wash. 2d 735, 733 P.2d 208 (1987) (stating that no monetary damages must be proven, and that non-quantifiable injuries such as loss of goodwill, suffice for purposes of Washington law).
Courts in Washington have found that injuries to consumers exist in a variety of circumstances, both monetary and non-monetary, including false advertising for goods or services received that were different than what was advertised (Williams v. Lifestyle Lift Holdings, Inc., 175 Wash. App. 62, 302 P.3d 523 (2013)), time and effort expended related to infringement of a trade name (Nordstrom, Inc. v. Tampourlos, 107 Wash. 2d 735, 733 P.2d 208 (1987)), and loss of use of a homeowner’s property during a dispute between a mortgage lender and a mobile home company. Mason v. Mortg. Am., Inc., 114 Wash. 2d 842, 792 P.2d 142 (1990). Both the time and money spent investigating whether a violation has occurred are recoverable under the law. Panag v. Farmers Ins. Co. of Washington, 166 Wash. 2d 27, 40 (2009).
Washington’s civil jury instructions shed more light on how a WMHMDA-regulated entity should think about defending against any claim of injury by a consumer. The April 2022 update of Washington’s pattern jury instructions read as follows:
The plaintiff has suffered an “injury” if their business or property has been injured to any degree. Under the Consumer Protection Act, plaintiff has the burden of proving that they have been injured, but no monetary amount need be proved and proof of any injury is sufficient, even if expenses or losses caused by the violation are minimal.
Injuries to business or property do not include physical injury to a person's body, or pain and suffering.
Injuries to business or property, if any, include: financial loss, loss of professional business reputation, loss of goodwill, difficulty in securing a loan or other credit, time away from work, or inability to tend to business establishment.
The jury instructions also permit a judge to add other types of injury if appropriate to the particular case at hand.
CPA provides for:
- Actual damages;
- Treble damages in the court’s direction up to $25,000;
- Attorneys’ fees and costs; and
- Injunctive relief
It is not yet clear whether claims for WMHMDA violations accrue once (e.g., when consumer health data is first collected, when consumer data is inappropriately processed, etc.) or if a new claim accrues for each instance data is processed. Statutory and liquated damages are not available in private suits, but private suits may accompany enforcement from the Washington Attorney General and damages may add up fast with big data, attorneys’ fees, and putative class availability.
Notes from Quarles
As we wrap up our enforcement beach day (hopefully without a sunburn and with calm water), what should WMHMDA-regulated entities expect when the Act comes into full effect? It is likely that many legal contours of WMHMDA enforcement are going to be left to Washington courts, leaving entities waiting for a fuller picture of which violations constitute material “injury” and which are merely technical. Additionally, the broad definition of “consumer health data” and other expansive WMHMDA terms means that a variety of entities and data may be pulled into the scope of public or private enforcement if a viable claim of “injury” to a consumer can be stated. Note that WMHMDA requires a committee to prepare a report on whether WMHMDA enforcement provisions require changes due to frivolous claims.
What is clear is that drafters’ statements regarding the purpose and role of WMHMDA are plaintiff friendly and risk of class actions is high in the current enforcement environment. This may mean that entities should put time and energy into their WMHMDA compliance programs well in advance of the effective date (recall geofencing provisions are already in effect). Options remain.
In Part Ten, we try to stave off the end-of-summer blues with operational realities and next steps. Until next time, stay hydrated, apply aloe, and keep dreaming of your next beach vacation.
For guidance and advice on implementing changes to your data privacy program in light of WMHMDA or other changing laws, please contact any member of the Quarles & Brady Data Privacy & Security Team, your Quarles attorney or: