Washington My Health My Data Act Now in Effect: Key Considerations for the Digital Advertising Industry
By Meaghan Donahue
After a year of anticipation, Washington’s My Health My Data Act (“MHMD”) came into force for covered entities on March 31 (and becomes effective on June 30 for small businesses), kicking off an unprecedented new era in privacy compliance not only for companies directly engaged in health-related advertising, but also for the ad-tech ecosystem more broadly. As the industry adjusts to this groundbreaking law, we break down what covered entities need to know.
When the law was signed last spring, Washington became the first U.S. state to pass a health-focused privacy law creating stronger protections for non-HIPAA health-related personal information. While the impetus for the legislation was to protect citizens’ data from being used to prosecute those seeking reproductive healthcare services in states where abortion is newly illegal, MHMD is much broader in application. Ultimately, legislators sought to increase consumer protections around how health data is collected, stored, and used quite broadly. Several states followed Washington’s lead and introduced similar bills in the 2023 session, with versions passed in Nevada and Connecticut. The NAI shares the goals of MHMD and believes that sensitive health data should never be used as the basis for targeted advertising without a consumer’s affirmative consent, informed by clear and conspicuous notice. The NAI has long promoted the highest voluntary standards for notice and consent requirements for this information, as well as heightened processing restrictions. However, MHMD’s expansive definitions of covered information, strict consumer choice requirements, and a private right of action go beyond traditional means of regulation and have left many confused about the scope of the law and concerned about the risk of liability.
Provisions of Note
MHMD imposes new requirements and obligations regarding the collection, sharing, and sale of “Consumer Health Data” (“CHD”) – broadly defined as personal information that is “linked or reasonably linkable to a consumer and that identifies the consumer’s past, present, or future physical or mental health status.” The definition provides a non-exhaustive list of examples of physical or mental health status, such as “[i]ndividual health conditions, treatment, diseases, or diagnosis” and “data that identifies a consumer seeking health care services.” Notably, the law defines “health care services” to include “any service provided to a person to assess, measure, improve, or learn about a person’s mental or physical health.” While some in the legal community have suggested that these expansive definitions could be read to include information generally considered to be unrelated to a consumer’s health status, such as interest in fitness products or purchase of general toiletries, the Attorney General’s office has indicated through FAQs that this expansive reading does not reflect the intent of the law. However, the NAI still anticipates private litigants to push the boundaries of what is included in CHD.
MHMD requires regulated entities and small businesses (“covered businesses”) to obtain consumer consent prior to collecting or sharing CHD beyond the extent necessary to provide a consumer-requested product or service. Consent for each activity must be “separate and distinct” and include 1) the categories of CHD to be collected or shared, 2) the specific purpose for which the CHD is being collected or shared, 3) the categories of entities with which CHD will be shared, and 4) instructions for withdrawing consent. For sales of CHD, covered businesses must obtain “valid authorization,” which notably requires a physical consumer signature and a one-year expiration date, among other disclosures. Covered businesses are also required to maintain a “consumer health data privacy policy” that is separate from their more generic privacy policy and is individually linked from any page that collects personal information, in addition to other data security and organizational access control obligations.
MHMD also imposes novel location-related prohibitions. The law prohibits “any person” from erecting a geofence within 2,000 feet or less from the perimeter of a location that provides “in person health care services” when used to identify or track consumers seeking these services, to collect CHD, or to send notifications, advertisements or messages to consumers relating to CHD or health care services. Based on the broad definitions of CHD and health care services enumerated in the law, the full extent of locations this geofencing provision covers remains unclear.
MHMD’s protections extend beyond Washington residents to any individual whose consumer health data is “collected” in the state. Collection includes buying, renting, accessing, retaining, receiving, acquiring, inferring, deriving, or otherwise processing this data. Covered businesses must provide consumers the right to confirm whether their CHD is being collected, shared, or sold (including names and contact information for entities with which the covered business has shared or sold CHD), withdraw consent, and to delete their CHD.
As with many state privacy laws, the state attorney general has authority to enforce MHMD. However, the law also links to the state’s consumer protection act, which offers a private right of action enforceable by consumers. While Washington Attorney General Bob Ferguson has provided some additional clarity regarding how he views the application of the law through FAQs, he lacks regulatory authority under the law, making substantial clarifications unlikely. It remains to be seen in the weeks and months ahead how private litigants may urge courts to interpret the law’s ambiguities.
Best Practices and Preparing for Enforcement
Despite MHMD’s ambiguity and the legal uncertainty, the NAI believes that there remain viable paths to compliance and best practices for those engaged in health-related advertising in Washington state. However, some companies may choose (and some have chosen) to cease business operations that potentially involve CHD in Washington until uncertainties are ironed out through litigation and enforcement actions. Ultimately, compliance decisions will vary based on each company’s tolerance for risk. In order to assess your own path to compliance, the NAI suggests the following.
- Internal Due Diligence Is Key
MHMD isn’t the only framework governing sensitive health information. Numerous state attorneys general and the FTC have made it a priority to regulate the collection and use of information that may be used to reveal attributes of a user’s health broadly. Based on recent FTC enforcement actions and updated policy interpretations, many companies may inadvertently be handling “sensitive information,” and commonly employed uses of data that have traditionally been considered “non-sensitive” may now require heightened consumer notice and consent (or be off limits altogether). For these reasons, it is an essential step for companies to determine potential compliance risks by performing thorough internal due diligence, and categorizing your data assets in light of recent policy and enforcement actions beyond Washington State. You may be surprised at what you learn!
Further, some participants in the ad-tech industry are also concerned about categories of information that may be in the CHD “gray area” under MHMD, including data related to toiletry products and generic pharmacy items like ibuprofen, multivitamins, and toothpaste. Whether this type of data could potentially reveal a consumer’s “past, present or future physical or mental health status” by identifying a consumer “seeking health care services” isn’t always obvious and may depend on highly fact-specific considerations (e.g., are the vitamins at issue related to a specific health condition or status?), so conducting internal due diligence to carefully consider how these types of data will or will not be considered CHD is important.
- Understand the Intent of the Law
Establishing and refining an internal compliance program for MHMD will in many cases take significant time and resources, and covered entities may need to prioritize the types of information on which they will focus initially. One way to guide this prioritization is to consider MHMD’s legislative intent.
Some categories of data, such as that related to reproductive health, pregnancy termination, or terminal illnesses, are clearly of particular concern based on MHMD’s underlying intent and deserve priority consideration for companies implementing their compliance programs. For NAI members, this type of information has long been considered sensitive under the NAI Code of Conduct; consequently, classifying this type of information and either avoiding it or seeking consent for its use should not impact their business practices in a significant way. However, as noted above, there is still some CHD “gray area” where companies may come to different conclusions before courts or the Attorney General weigh in on the meaning of the law. Instead of devoting time to debating whether Band-Aids should be classified as CHD, it may be helpful to consider the inherent “sensitivity” of the data one is handling and set immediate priorities accordingly. The relative sensitivity of different types of CHD doesn’t change whether it’s covered by MHMD, but considering the sensitivity of potential CHD may be helpful for prioritizing resources.
- Emphasize Best Efforts
With many new laws governing the use of personal information, regulators have indicated that to some extent, they understand there is a necessary learning curve associated with novel legal requirements, and that reaching 100 percent compliance will take time and educational efforts. This is especially true with MHMD – due to its open-ended definitions, covered businesses must develop their own internal procedures, processes, and interpretation of definitions as applied to their individual business models. MHMD’s private right of action complicates this further, adding another layer to a covered entity’s compliance analysis. As enforcement and private suits likely ramp up after the law takes effect, companies should thoroughly evaluate their own data collection and handling practices, work to understand the different technologies they are using and where they are using them, revise data sharing contracts in accordance with state and federal requirements, and seek partnerships with other companies making good faith efforts to comply with relevant laws and practicing good data stewardship. Don’t let perfect be the enemy of good!
The NAI also works closely with members and provides valuable insights and resources to support compliance with MHMD and other laws that define and impose new requirements for processing different kinds of sensitive or health data. To this end, the NAI has already published a number of resources that may be of interest to companies looking to assess liability and establish a compliance plan, including our Demographic Health Advertising Best Practices, and our Sensitive Health Data Legal and Regulatory Analysis. The NAI looks forward to working with members and regulators to make health-related digital advertising safe, while preserving valuable practices that benefit consumers and industry.