Washington Governor Jay Inslee signed into law on Thursday the “My Health, My Data Act,” which aims to protect customer health data on third-party apps, especially those used for reproductive health tracking.
The law expands privacy protections associated with collecting, sharing, and selling health data of consumers.
In a statement, Inslee noted that some apps can track and share a user’s health data, and that the new protections are “more necessary with the attack on abortion care” in other states.
The Washington legislation specifically requires that apps obtain explicit consent from users before sharing or selling their data, and it requires that companies delete a user’s data if requested.
The law was praised by privacy advocates and reproductive health organizations alike. However, some are calling for additional measures to be taken to protect consumer privacy in Washington state and across the country.
Lisa McCormick, a consumer privacy advocate and Democratic strategist, called for additional state measures modeled on the legislation or a federal law to protect customer privacy.
“As technology advances, it’s important that we keep up with the times and ensure that our privacy protections are robust and comprehensive,” McCormick said. “The My Health, My Data Act is a great step forward, but there is more work to be done to protect consumers from having their sensitive health data misused or exploited.”
McCormick added that “while states like Washington are taking action to protect consumer privacy, we need a national framework that sets baseline standards for data privacy and protection. Consumers shouldn’t have to navigate a patchwork of state laws to ensure their privacy is protected. It’s time for Congress to act.”
As concerns over data privacy and security continue to mount, it is likely that we will see more states taking action to protect consumers.
Without action by the U.S. Congress, state legislators across the country have been crafting bills to establish new privacy protections for their constituents amid growing concerns about how companies collect, use and sell consumer data.
As of early 2023, five states had consumer data privacy laws in place, often mirroring each other in many ways in order to avoid a “patchwork” of laws and definitions.
As such measures have enough substantive differences to get the label of “business friendly” or “consumer friendly,” congressional leaders came close in 2022 to agreeing on a comprehensive federal law.
David Stauss, a leading national expert on states’ work on consumer data privacy, agrees that all of this work by the states is shaping the direction of federal policy. He points to laws taking effect this year in the “3 C” states (California, Colorado and Connecticut) as examples.
“Everybody realizes that a 50-state approach to privacy law would be a mess,” says Stauss, a partner at Husch Blackwell LLP and co-leader of the firm’s privacy and data security practice group. “What I think the advantage of the state approach right now is it allows things to be tried, rules to be proposed and changed. Also, it ingrains certain concepts and sets floors [on privacy rights] for what will happen at the federal level.”
“I expect that whatever I get passed here in Minnesota is eventually going to be preempted by federal legislation,” says Rep. Steve Elkins, whose long professional background in data management and information technology made him a natural fit to be a point person on the issue. “But I also expect the legislation that we’re passing in the states is going to have a heavy influence on what Congress eventually does.
“They need to have things like the right to have an opt-out of having your data sold,” he says. “The right to know what data a company has about you. The right to correct inaccuracies in that data. The right to question decisions that have been made about you based on that data.”