Washington

    •  

Code/Regulations

My Health My Data Act

Effective Date: March 31, 2024 (June 30, 2024, for small businesses; July 22, 2023 for geofencing prohibitions)

Details

Application Threshold

Entities ("Regulated Entities") that conduct business in Washington, or that "produce" or "provide" products or services targeted to consumers in Washington, and that determine the purpose and means of collecting or using consumer health data. This includes "small businesses," which are regulated entities that:

(a) collect, process, sell, or share the consumer health data of fewer than 100,000 consumers in a calendar year; or
(b) derive less than 50 percent of gross revenue from collecting, processing, selling, or sharing consumer health data, and control, process, sell, or share the consumer health data of fewer than 25,000 consumers.

Definition of Consumer Health Data

"Consumer health data" (CHD) is broadly defined as personal information that is linked or reasonably linkable to a consumer and that identifies the consumer's past, present, or future physical or mental health status. The Act includes a long, non-exhaustive list of data elements that comprise CHD and covers some information that is not typically thought of as health-related. There are numerous exclusions for certain types of data.

Unlike other state privacy laws that protect that state's residents, the Act defines "consumers" broadly to include not just Washington residents but also any natural person whose CHD is "collected" in Washington.

Definition of "Sale"

Exchange of consumer health data for monetary or other valuable consideration.

Data Protection Assessments

No

Opt-In Consent Required for Processing Sensitive Data

Yes; consent for processing is required for processing of any CHD unless it is necessary to provide a product or service the consumer requested.

Consumer Rights to Confirm Processing, Request Access, Correction, Deletion & Portability

Yes, for access and deletion.

Consumer Rights to Opt Out of Sale

Yes

Consumer Right to Opt Out of Targeted Ads

The Act does not separately address or define targeted advertising, disclosures of CHD for targeted advertising as "sales."

Applicable to Employee Data and Business Contact Data

No

Enforcement Authority

Violations of the law are considered unfair or deceptive trade practices subject to enforcement under the Washington's Consumer Protection Act. As a result, the state attorney general may investigate alleged violations and bring enforcement actions.

Statutory Penalties

Litigants may recover attorneys' fees and treble damages up to $25,000.

Private Right of Action

Yes

Disclaimer: States may periodically amend their laws and regulations and such amendments may affect or modify certain legal requirements or compliance obligations. There is no guarantee that this research is up to date as laws and regulations in the state consumer data privacy space continue to evolve. You should consult an attorney to assess the applicability of any existing, new, or proposed state consumer data privacy laws. By accessing this site, you acknowledge your understanding that the underlying content is not a replacement for legal counsel and does not constitute legal advice.