April 28, 2023

Issue 19: Washington whips up a d00zy

Oh hey! Welcome to The Privacy Beat Newsletter!

Here’s the gist: Come here for insights on the hottest topics in privacy according to our peers’ tweets so you can walk into any happy hour or team meeting and sound like the absolute baller you are. No current topic gets by you.

Washington's new health law the 'most consequential' law since CCPA

What’s fun about writing this little love letter to y’all on the regular is there’s rarely a week where I’m like, “Gah, what am I going to write about? There’s just nothing sexy happening.” Lucky for me, Privacyland is most often lit up by some gobsmacking development, and this week is no different.

As you’ve likely heard, Washington State passed a privacy law. And while the impetus for the bill was to cover gaps in HIPAA, the Dobbs v. Jackson decision lit a fire under regulators' seats and put remedying the problem on a fast-track that never slowed. But Privacyland’s red-siren reaction is because the “My Health, My Data Act” goes far beyond protecting what we typically think of as “health data” to protect even inferences about health data. Don't you even THINK about the health data! It's captured! (Kidding)

On this week’s episode of The Privacy Beat Podcast, I chatted with Mike Hintze for a deep dive into what this law means. Check that out. But here are some of the main highlights from that chat on why Washington’s new law is such a trip, so you can sound smart wherever you go.

Here’s the deal: Most of the state laws we’ve seen come down the pike so far have followed a particular model established by an earlier state, whether that be the GDPR, or CCPA, or Virginia. But Mike says this one is “completely different in a lot of ways” and “goes well beyond what any other privacy law has done.”

That’s because it’s super broad.

Definitions as wide as the day is long

MHMD's definitions of what’s considered consumer health data mean that “almost any kind of personal information” that could ultimately reveal something about somebody’s health could potentially be covered.

Personal information is defined as “information that identifies or is reasonably capable of being associated or linked, directly or indirectly, with a particular consumer.” Also, as the Future of Privacy Forum notes in its brief on this, the definition of “consumer health data” includes physical and mental health ‘status,’ which is broader than most states’ protections for health “condition” and “diagnosis” data.

Who wants my smell data?

Also new to the scene: MHMD covers things like bodily-function data. What does that mean? I have no idea. It reminds me of when CCPA threw in a ‘lil provision on “olfactory” data. I still have no idea who’s collecting my smell data, but I guess I hope it’s helpful to them in some way?

It also covers, in its scope, any information about a person trying to receive a healthcare service. And healthcare service is defined as any service that allows a consumer to improve or even learn about their health. Mike says that’s pretty ambiguous. Like, okay, so my Internet search “Is this mole going to kill me” would likely be covered. But what if I go into a shop and buy running shoes, is that a healthcare service?

“Arguably, yes, given how these definitions are drafted,” Mike says. His concern about this, as co-founder of a law firm that advises companies on privacy compliance, is that creative plaintiffs' lawyers “can argue that almost anything will fit into that law.”

You gotta keep the consent – but you also gotta delete the consent

Here’s the other big deal (I mean there are several, but I’m going for brevity here; you don’t have time to wade through the weeds): The deletion requirements seem to conflict with the consent requirements. The My Health My Data Act allows data subject rights that “go further than any other existing law in any jurisdiction, including a deletion right with virtually no exceptions.”

Under the Washington law, you have to get separate consent for collection and for sale or sharing of consumer health data, which means Washington goes further than the CCPA's opt-out regime. Relatedly and importantly, the definition of sale in Washington is similar to the CCPA's. What's that mean? Well, the regulators will possibly nail you for practices a lot of businesses — for better or worse — consider standard operating procedure (see the Sephora case). Hintze said Washington captures "nearly all third-party online targeted advertising," and that, in effect, the law is a prohibition on targeted ads, period.

Hear me out before I say this, I’m not calling for a ban on targeted advertising full stop. Do I like relevant ads? Sure. Do I enjoy access to content for which I give up some data? Definitely. But do I think we’ve got a lot of work to do to give consumers a fair deal on what they’re giving up? So much yes.

How did Washington pass an industry-unfriendly bill?

It’s crazy cool that a bill with potentially wild implications for industry got through two chambers! I get that industry folks and those representing them hate it. But given the shady data broker industry, given Washington’s past struggles trying to get a bill across the finish line, and given the power industry has had in the past knocking down consumer-leaning bills: I’m impressed.

Mike (who wasn't arguing the merits of targeted advertising at this point in our conversation, but simply addressing the operational complexities) is less impressed.

“It's an incredibly broad application of consent, broader than really any other law. GDPR has lots of options other than consent, particularly where there's a legitimate interest, which covers a lot of those sort of routine, benign operational purposes," he said. "This consent for any collection beyond which is necessary to provide a consumer-requested product or service is incredibly broad and will apply to a lot of routine operational uses of personal data. And you need affirmative specific consent for every one of those."

Deletion rights kinda messed up?

He also notes a complication: The consumer's deletion right goes way beyond any other privacy law, and there are no exceptions for it. Except that the law does require you retain consent records for six years. So this situation presents itself: A consumer gives consent, you gotta save it for six years under this law. But later that same consumer asks you to delete their data. Then what do you do? You’ve got to violate one of the MHMD Act's provisions.

Oh, and that's the other thing. It's got a private right of action attached to it. We're seeing a whole lot of BIPA litigation in this space, and those statutory damages stack up. You'll recall we talked about concerns that BIPA is becoming a plaintiff's attorney's dream, particularly given the most recent case in which a former employee of White Castle sued it for each time it took her fingerprint scan when she clocked in — each time. That's a new precedent for BIPA cases: that the harm occurred not once, but repeatedly.

Anyway, there’s a whole lot more to this Washington thing. I highly recommend listening to this week’s episode for a full debrief. You can learn law while you chop veggies or work out! Amazing. What a time to be alive.

Oh, right, and: Tennessee and Montana both passed privacy laws. But they're not as exciting as Washington, so, meh.

Hot take of the week:

Recent podcast episodes from me to you

See you two weeks from now. Thanks for reading, loves! Please share it if you liked it! ♥️