- Enforcement starting Sunday likely to hit targeted advertising
- Law allows private action, damages up to $25,000 per person
Businesses dealing with health-related data in Washington state will be subject to new litigation and enforcement risks next week, as a far-reaching health privacy law takes effect.
The state’s My Health My Data Act—enacted in April 2023 in reaction to the US Supreme Court’s decision overturning a federal right to abortion—guarantees Washington residents some of the broadest health information privacy protections in the nation. It’s also generated cross-industry fears that companies, many of which may not have previously considered themselves as dealing in health data, will face a groundswell of costly legal action over alleged violations.
The law’s general enforcement provisions kick in March 31, allowing the state attorney general to bring enforcement actions and individuals to bring suit against alleged violators seeking as much as $25,000 per plaintiff in damages. That private right of action could lead to a flood of cases, similar to what happened in Illinois in the wake of its 2008 Biometric Information Privacy Act, attorneys said.
“It wouldn’t surprise me just to see some of these firms that have been active in BIPA and other areas where there’s been a wave of class action privacy litigation sending out hundreds of demand letters, if not more, just to see which companies might be willing to send a check just to make the thing go away,” said Mike Hintze, a privacy compliance partner at Hintze Law PLLC.
The law prohibits covered entities from collecting or selling health data that can be tied to an individual without that person’s express consent. One provision, shielding location data from collection near places like abortion clinics, has been in effect since July 2023.
The law’s protections extend beyond the federal guarantees in the 1996 Health Insurance Portability and Accountability Act to include information that could be used to infer an individual’s health status. This could include information such as “purchases of toiletries,” according to guidance published by the state’s attorney general.
Defense attorneys, however, were quick to note that the plaintiff’s bar isn’t obligated to hew to that guidance and will probably push for an even broader reading of the law.
“I expect we will see lawsuits based on the words of the statutes that say things different from that attorney general guidance,” said Kirk Nahra, a partner at Wilmer Cutler Pickering Hale and Dorr LLP.
Only large businesses face the risk of enforcement or litigation, for now. Small businesses—defined as those processing the health data of fewer than 100,000 consumers per year or making less than half of their revenue from collecting such information—have until June 30 to comply before the law takes full effect.
Retailers in the state will likely abandon many data-collection practices—which could negatively affect customer service—rather than figure out how to comply with the law’s still untested limits, said Mark Johnson, the Washington Retail Association’s senior vice president of policy and government affairs.
“We think it’s an absolute dumpster fire and that it was a mistake, and that it was poorly written, and it’ll be hard to adhere to,” Johnson said. “With the provisions that are so incredibly vague, you’ll ask five attorneys what it means and it means five different things to them, and five judges will think five different things as well.”
Litigation Outlook
Data brokers and other entities that don’t obtain express consumer consent to aggregate health data are among the likeliest candidates for lawsuits under the Washington statute, predicted Eli Wade-Scott, an Edelson PC partner representing plaintiffs in BIPA and other privacy class actions.
The targeted-advertising industry, in particular, could be hard hit, attorneys said. “There may not be any viable or realistic way to comply with the law for internet advertising,” Nahra said.
Like the California law, Washington’s could also provide a new vehicle for lawsuits over website visitor-tracking pixels. Many pixel-related cases have targeted hospitals and other medical providers, alleging they shared sensitive personal data.
But companies with business models that inherently require health data collection and “are cards-up about it” aren’t as likely to get caught up in immediate litigation, Wade-Scott said, adding, “You’re not going to see a suit from us on April 1.”
“Hearing from ‘big tech’ and the defense bar that the sky is falling whenever there’s new privacy legislation is kind of routine at this point,” he said. “I think they’re running the same playbook we see every time there’s new legislation—it’s pretty irresponsible.”
Robert Tauler, a plaintiffs’ attorney at Tauler Smith LLP in California who specializes in privacy law, agreed. The Washington law requires plaintiffs to prove they suffered an injury tied to their data being shared—a high threshold—unlike BIPA, he noted.
“The defense bar is wise to sound the alarm,” Tauler said. “But this is a fire drill.”
Cases brought under the Washington law will be more challenging to litigate than actions brought under statutes like Illinois’ BIPA that require plaintiffs prove only statutory violations, not actual injury, Hintze said.
That dynamic may make companies less willing to pay early settlements in favor of fighting claims out in court.
Litigation may also better refine the law’s scope through court decisions, similar to how lawsuits under California’s Invasion of Privacy Act have played out, said Wynter Deagle, a defense attorney at Sheppard, Mullin, Richter & Hampton LLP.
“There is a lot of opportunity for this to be refined and defined through litigation,” including what meets the definition of consumer health data, Deagle said.
Compliance Concerns
The law’s wide reach will require many companies doing business in Washington state to think about their consent policies for the first time, attorneys said.
“It’s not a matter of getting a different kind of consent—it’s about getting consent at all. A lot of companies are getting data they have never had to get consent for before,” said Julie Rubash, chief privacy officer and general counsel at Sourcepoint, a data-privacy technology company that offers a consent-management platform.
“If they haven’t been doing business in California or Colorado or covered by HIPAA, they haven’t thought about it before,” Deagle said.
Many companies will have to go beyond drafting new privacy policies and completely rethink how they handle the newly defined sensitive data, said Deagle. For most companies, “this is not going to be a check-the-box exercise,” she said.
Some companies have taken to avoiding collection of sensitive data altogether. Both recent Federal Trade Commission enforcement actions and state laws like Washington’s have driven increased business to Gravy Analytics’ PrivacyCheck offering, which identifies location data generated at sensitive places so companies can choose to remove that data, according to Jason Sarfarti, the company’s chief privacy officer and vice president of legal.
“The calculus for our customers is, ‘We need to at least tell our stakeholders we’re doing something,’” said Sarfarti.
Companies have varied in their approach as the My Health My Data enforcement effective date approaches, lawyers said. Some have revisited their entire data collection and use lifecycle, while others have prioritized limiting their greatest areas of potential risk.
Some of Hintze’s clients are even checking whether their cloud service providers and other vendors operate in Washington. One has added a new question to its due diligence forms asking whether contractors have any data centers located in the state, he said.
Looking Forward
The law is likely the leading edge of a change in how regulators think about sensitive data, and specifically how it’s used for targeted advertising, plaintiffs’ and defense attorneys agreed.
Connecticut amended its privacy law with similar health provisions last year, and Nevada lawmakers have introduced legislation similar to the My Health My Data Act. Other states will likely be looking at how implementing Washington’s law plays out—including any unintended consequences—before moving ahead.
“If we fast forward six months from now and we in fact have what many people think is going to be a worst-case scenario with lawsuits all over the place—I don’t know if that’s what the legislature really intended,” Nahra said.
