Washington State passes sweeping health data law

The first-of-its-kind law is geared toward protecting personal health info.
Francis Scialabba

Washington State has passed a law that will curtail the flow of consumer health data, notably affecting tech companies and advertisers.

The My Health, My Data Act, signed by Gov. Jay Inslee Thursday morning, requires companies to get “unambiguous” consent before they collect health data, which includes everything from health conditions to location information associated with health services. Most of the law takes effect in March 2024.

“This could really, in a way, reset the conversation on privacy, at least as it’s developing at the state level,” according to Keir Lamont, director of the US legislation team at the think tank Future of Privacy Forum, which submitted notes on a prior version of the bill.

The law comes as state and federal legislators seem increasingly interested in privacy laws aimed at the largely unregulated industries of data collection and (*cough, cough*) digital advertising. For some, the Supreme Court’s decision to overturn Roe v. Wade has added to the urgency.

In the absence of a national privacy law, the Federal Trade Commission has taken action against companies it claims have collected and shared sensitive health information, like sensitive location data associated with medical care or reproductive health, or customer health data shared via common advertising tools like tracking pixels.

“With the recent Dobbs decision, with the restriction of access to reproductive healthcare in other states…it became evident that women’s health data needed to be protected—that people who were accessing reproductive care, gender-affirming care, and were seeking it in Washington State needed to be protected,” Washington State Rep. Vandana Slatter, who introduced the bill, told Marketing Brew. “There was a gap in that protection on websites, apps, and searches.”

Hip to it

The Washington State law aims to close the gaps in one of the few federal privacy laws, the Health Insurance Portability and Accountability Act (HIPAA). That law, passed in 1996—more than a decade before the iPhone debuted—protects people’s health data and information only when it is collected by a narrow set of “covered entities,” like doctors, health insurance companies, and dentists.

But HIPAA doesn’t apply to health data collected by non-covered entities, like search history or certain health apps, which can supply a vast system of data brokers and tech companies with personal information, like whether someone has insomnia, cancer, or even heartburn, usually in the name of advertising.

The law specifically mentions ad-tech tools like third-party cookies, IP addresses, and device IDs.

Any company that wants to collect or share health data will be required to get consent, defined in the law as a “clear affirmative act that signifies a consumer’s freely given, specific, informed, opt-in, voluntary, and unambiguous agreement, which may include written consent provided by electronic means.”

If the company wants to sell this data, it must additionally detail the specific data it intends to sell and secure the signature of the consumer.

What constitutes written consent isn’t totally clear, though the law outlines what doesn’t count; for instance, it notes that “acceptance of a general or broad terms of use agreement” would not suffice. “The requirements of this bill are…opt-in consent on steroids,” Mike Hintze, a privacy lawyer who works with both advertisers and healthcare companies, explained. Previously, Hintze worked as chief privacy counsel at Microsoft.

Hintze considers the measures “so onerous” that consumers may not want to go through such a “detailed documentation and signature process,” he said.

Semir Ibrahimovic, a spokesperson for Rep. Slatter, told Marketing Brew that the bill is “not prescriptive in terms of how…[entities] operationalize the two requirements of consent” for collecting data and the valid authorization for selling it.

Drawing lines

The law defines healthcare services as “any service provided to assess, measure, improve, or learn about a person’s health.” It also mentions proxy and inferred data, or educated guesses about consumer behaviors based on non-health-related information. Hintze said that seems open to interpretation. “If I buy Ben and Jerry’s and light bulbs, does that infer that I am an insomniac?…Can you safely conclude that anything is outside of the scope of this bill? I don’t think you can safely assume that,” he said.

“Anything that touches on wellness, nutrition, fitness, anything that could reveal health is covered by this bill,” he told us, later adding “Where do you draw those lines? That is the million-dollar question and that is the question every company’s going to have to struggle with: What’s in and what’s out?”

The impacts on online advertising and the data broker industry could be “pretty profound,” he added.

The law makes it illegal to geofence a “facility that provides healthcare services” or collect location data about anyone visiting a healthcare facility.

However, the law does not apply to what’s called “deidentified data,” or data that can’t be linked to an individual or their device. Washington residents will also be given the right to withdraw their consent at any time and request deletion of their data. It’s also likely they won’t be denied a service if they don’t want to share their data, as the law forbids companies from discriminating against anyone “exercising any rights” included in the law.

Amy Weston, a privacy lawyer who advises startups and has some healthcare clients, told Marketing Brew that none of her clients have asked about My Health, My Data.

“A company who’s already thinking about privacy by design probably has all of this built into their website already,” she said. “So it’s a tweak or two. It’s a headache, but it’s a manageable headache.”

Weston said she thinks people are likely to consent to sharing data with companies like WeightWatchers and Noom. However, the selling of health data will be disrupted, impacting data brokers.

“It’s that selling piece people will say no to, because they never thought it was happening in the first place,” she said.

The law could influence other states to speed up their own pieces of legislation. Similar bills have been introduced in New York, Illinois, Massachusetts, and Nevada.