Washington has adopted a first-of-its-kind state law with sweeping safeguards for consumer health data collected by companies from telehealth platforms to period-tracking apps, as well as location records that could reveal visits to abortion clinics and other health-care facilities.
Washington’s new privacy law seeks to protect consumer location data, and restrict the gathering and sharing of health data for advertisements or other purposes without proper permission from consumers. It also gives consumers privacy rights over personal health data that companies collect about them, including the ability to ask for its erasure.
Companies that breach the law’s provisions could face enforcement actions and penalties of up to $7,500 per violation from the Washington attorney general, who supported the legislation. The law allows for private lawsuits from consumers too, making it one of only a few data privacy mandates in the US that includes a so-called private right of action.
Business groups like TechNet, whose members include
“It’s much broader than its original intent,” said Kelly Fukai, vice president of government and community affairs at the Washington Technology Industry Association. Fukai said there’s not enough clarity yet on which businesses must comply with the new law or how it will be implemented.
Privacy and civil liberties advocates have warned that investigators in states limiting abortion could seek to leverage information from apps, online searches, or location records.
Federal law directs health-care providers and insurers to safeguard the privacy and security of personal data.
But this decades-old coverage under the Health Insurance Portability and Accountability Act, known as HIPAA, generally doesn’t extend to apps and websites that consumers can use to monitor their fertility, their fitness, or their sleep.
“This fills that gap left open by HIPAA and seeks to ensure that people’s health information is private,” Jennifer Lee, manager of the American Civil Liberties Union of Washington’s technology and liberty project, said of the state law.
The ACLU of Washington backed the Evergreen State’s new health data protections, calling them a critical step toward reducing barriers to abortion and gender-affirming care. Information like a consumer’s location could be used to target patients visiting abortion clinics with anti-abortion ads, Lee said.
Data-sharing concerns have led state and federal regulators that carry out consumer protection laws to bring enforcement actions against period-tracking apps from Glow Inc. and Flo Health Inc., Teladoc Health Inc.'s online mental health platform BetterHelp, and GoodRx Holdings Inc.'s online platform for prescription drug discounts and other health services. Companies like these are likely to fall under the scope of Washington’s health privacy law.
But aside from such obvious examples, “there’s a long tail of non-obvious entities that could be touched by this,” said Mike Hintze, a member partner at law firm Hintze Law PLLC who was previously chief privacy counsel at
The law’s language leaves open questions about whether or how it applies to retailers that sell products related to wellness, fitness, or nutrition, Hintze said.
Its requirements are slated to go into effect March 31, 2024, with an enforcement delay until June 30 of that year for small businesses.
Washington State Rep. Vandana Slatter, a Democrat representing Bellevue, introduced the consumer health privacy measure.
Another bill that Washington’s governor signed Thursday shields abortion providers and patients from investigations by other states that have moved to criminalize or impose civil liability for reproductive care. Inslee previously directed state law enforcement to refuse out-of-state investigative requests related to abortion.
To contact the reporter on this story:
To contact the editor responsible for this story: