Adding to the growing list of heightened privacy and data protection requirements imposed on consumer health data and other categories of sensitive personal data, the Washington Attorney General recently updated its guidance on Washington’s My Health My Data Act’s notice requirements, explicitly requiring a standalone consumer health data privacy policy with its own link on websites and mobile apps.
Regulators and legislators are increasingly pursuing additional privacy and other protections for sensitive data, including consumer health data. Since Washington’s passage of its My Health My Data Act on April 27, 2023, Nevada also passed a consumer health data privacy law, and Connecticut amended its consumer data privacy act to impose similar transparency requirements and restrictions on the use and disclosure of consumer health data. Already this year, Vermont has proposed Vermont Senate Bill 173, which is largely aligned with the Washington law, and the Washington Attorney General’s Office updated its guidance on the notice requirement under Washington’s law (the “Guidance”). Washington’s requirements become effective on March 31, 2024, and violations of the Act are considered violations of the Washington Consumer Protection Act, which is enforceable by the Attorney General and private action.
Washington’s My Health My Data Act requires that a regulated entity or small business maintain and prominently post on its homepage a consumer health data privacy policy that “clearly and conspicuously discloses” certain information about the consumer health data processed. This includes: (1) the categories of consumer health data collected and the purpose of such collection, including how such data will be used; (2) the categories of sources from which consumer health data is collected; (3) the categories of consumer health data shared; (4) the categories of third parties and affiliates with whom consumer health data is shared; and (5) how consumers can exercise their rights under the law. The Guidance clarifies that this consumer health data privacy policy must be a standalone policy as it “may not contain additional information not required” by the Act.
To compare, laws governing consumer health data in Connecticut and Nevada require clear disclosure of information about the consumer health data processed in a privacy policy. But these laws do not expressly require a separate privacy policy for consumer health data, and their definitions and content requirements differ. For example, Nevada’s law requires the consumer health data privacy policy to disclose third-party tracking on the regulated entity’s website and online services, and Connecticut’s law requires inclusion of an active email address or other online contact mechanism. Because Connecticut’s and Nevada’s laws require different disclosures and may have a different scope than those required in Washington’s law, entities subject to these laws will need to carefully evaluate what state consumer health privacy laws apply to their activities and develop the appropriate privacy policies—which may now include a standalone Washington consumer health data privacy policy.
Washington’s My Health My Data Act requires that a link to the consumer health data privacy policy appear: (1) on the introductory page of a website and any webpage where personal information is collected; and (2) on a mobile app’s platform or download page and as a link within the app (e.g., on an “about” or “settings” page). According to the Guidance, these must be “separate and distinct” links to the Washington consumer health data privacy policy.
Although Nevada’s law requires regulated entities to post a link to a consumer health data privacy policy on their “main” website, neither Connecticut’s nor Nevada’s law expressly requires its notice to be made available from a “separate and distinct” link.
It appears the Washington Attorney General expects entities subject to Washington’s My Health My Data Act to develop and post a separate, Washington-only consumer health data privacy policy with distinct links to this policy on their websites and mobile apps by March 31, 2024. Companies will need to evaluate whether and how Washington’s My Health My Data Act applies to their operations and implement compliance measures, including publicly facing policies, accordingly.
Authored by Mark Brennan, Marcy Wilder, Alyssa Golay, and Paige Papandrea.