Washington's My Health My Data Act (MHMDA), signed by Governor Jay Inslee on April 27, 2023, is one of the most significant and innovative state privacy laws in the country. Unlike other state privacy laws, the MHMDA specifically targets consumer health data that falls outside HIPAA's scope: the vast gap of health information collected by apps, wearables, and digital services that aren't healthcare providers. The law has an extraordinarily broad definition of 'consumer health data' that includes any personal information that identifies a consumer's physical or mental health condition, including inferences drawn from non-health data (like location data showing visits to healthcare facilities). Notably, the MHMDA includes a private right of action (consumers can sue violators directly) and prohibits the use of geofences around healthcare facilities to collect consumer data.
Residents of Washington have the following legally enforceable privacy rights under the My Health My Data Act:

- Confirm whether a business processes your personal data and obtain a copy in portable format.
- Request correction of inaccurate personal data held about you by covered businesses.
- Request deletion of personal data you've provided or that has been collected about you.
- Receive your personal data in a machine-readable, portable format to transfer to other services.
- Prevent businesses from selling your personal data to third parties for commercial purposes.
- Stop businesses from using your data to show you personalized ads based on your online behavior.
- Opt out of automated decision-making used in significant decisions about credit, employment, or housing.
- Businesses cannot penalize you with higher prices or reduced service for exercising your rights.
The MHMDA applies to any legal entity that (1) conducts business in Washington or targets Washington residents, (2) determines the purpose and means of collecting, processing, sharing, or selling consumer health data, and (3) is not a HIPAA-covered entity or business associate. This is one of the broadest scopes of any state health privacy law: there is no revenue threshold or data volume minimum. Small businesses and nonprofits are covered if they collect consumer health data.
Under the My Health My Data Act, the following categories are classified as sensitive personal data and require explicit opt-in consent before processing:

- Racial or ethnic origin
- Religious or philosophical beliefs
- Mental or physical health diagnoses
- Sexual orientation or gender identity
- Citizenship or immigration status
- Genetic or biometric data uniquely identifying a person
- Personal data of known minors
- Precise geolocation data (within 1,750 feet)
Under the My Health My Data Act, businesses must respond to consumer rights requests within 45 days of receipt. This may be extended by an additional 45 days with prior written notice explaining the reason for the delay. Businesses must also establish an internal appeals process for denied requests, with a response due within 60 days.
The Washington Attorney General may enforce the MHMDA and seek civil penalties. More significantly, the MHMDA provides a private right of action: individual consumers may sue violators for injunctive relief and damages. This private right of action, modeled on Illinois' BIPA, makes the MHMDA one of the most powerful consumer health privacy laws in the country and has already generated litigation.
To exercise your rights under the My Health My Data Act, contact the business through their official privacy portal (typically linked at the bottom of their website under "Privacy" or "Your Privacy Rights"). Clearly state:

1. That you are a Washington resident invoking rights under the My Health My Data Act
2. Your full name and contact information linked to your account
3. The specific right you are invoking (access, deletion, opt-out of sale, etc.)
4. The legal deadline for response (45 days)
If the company denies your request, you have the right to appeal. If the company does not respond, or your appeal fails, you may file a complaint with the Washington Attorney General's office.
| Term | Definition Under the My Health My Data Act |
|---|---|
| Personal Data | Any information linked or reasonably linkable to an identified or identifiable natural person. Does not include de-identified data or publicly available information. |
| Controller | A natural or legal person that, alone or jointly with others, determines the purposes and means of processing personal data. |
| Processor | A natural or legal person that processes personal data on behalf of a controller (e.g., a cloud hosting vendor). |
| Sale of Personal Data | The exchange of personal data for monetary or other valuable consideration by the controller to a third party. |
| Targeted Advertising | Displaying ads selected based on personal data obtained from a consumer's activities across non-affiliated websites or applications. |
| Profiling | Automated processing to evaluate, analyze, or predict aspects of a consumer's economic situation, health, personal preferences, behavior, location, or movements. |