My Health My Data in the home stretch: Washington privacy legislation update, April 17
Update: My Health My Data has passed the legislature!
UPDATE: about two hours after I posted this, the House voted to concur with the Senate version of My Health My Data!
"This session ends on Sunday April 23, and privacy legislation has gone down to the wire the last four years. It ain't over 'til it's over!"
– A much more favorable environment, but a lot of complexity: Washington state privacy legislation 2023, January 11
Sure enough, with only a week left in the session, the fate of the consumer health data privacy law My Health My Data (HB 1155) still hasn't been fully decided. My Health My Data protects "consumer health data": data from apps, websites, retailers, advertisers, search engines, wearables like Fitbits, and so-called "crisis pregnancy centers" (CPCs), none of which is covered by HIPAA today. These protections are especially important in a post-Dobbs world, as states including neighboring Idaho criminalize providing, receiving, or helping people seek abortion and gender-affirming care. But industries that make money by exploiting people's data without their consent don't want to be regulated ... and the tech industry is very powerful here in Washington.
Last week, the Senate passed a version1 with some significant improvements over the version the House passed last month – including a "private right of action" allowing people to sue companies and CPCs that break the law, something industry has fought against for years. If the House votes to concur, which most people seem to think is very likely, then once the Governor signs the bill, My Health My Data will become law. That would make it the first consumer health data privacy law to pass anywhere in the US, and the first post-Dobbs data privacy law. Given Washington's justifiable reputation as a tech leader, that's likely to influence legislation in other states and federally.
But if there are shenanigans and the House votes against concurring, things get complicated – more about that below.
Before we get to the details of My Health My Data, though, let's celebrate a hugely important privacy bill that has passed: the Shield Law, HB 1469. As Nina Shapiro reports in Amid post-Roe landscape, WA lawmakers pass abortion ‘shield law’:
The bill, passed by the House in February, prevents abortion-related subpoenas, extradition requests, warrants and other legal mechanisms from getting traction in Washington. It also creates a counterclaim of up to $10,000, plus damages, for those targeted by such legal action. The legislation similarly protects gender-affirming care.
Reproductive rights advocates said the necessity of a shield law became even more apparent after Idaho lawmakers last month passed a bill making it a crime to help minors get abortions without parental consent, such as by driving them to Washington or other states where abortion is legal. The penalty for so-called abortion “trafficking” is two to five years imprisonment.
Congrats to all the advocates who worked to support this bill through the legislature – and to Shield Law sponsors Sen. Yasmin Trudeau (D-Tacoma) and Rep. Drew Hansen (D-Kitsap County)! Sen. Trudeau has a great discussion of the importance of the Shield Law in Can Washington Protect Out-of-State Abortion Rights? on the Indivisible Podcast, and Danni Askini of Gender Justice League has an excellent short thread on Twitter putting the Shield Law in context with other bills passed this session to fight back against the anti-abortion & anti-trans attacks.
Still, as important as the Shield Law is, it's only part of the protections that are needed in a world where Idaho has criminalized abortion and gender-affirming care for minors as well as abortion "trafficking." If Idaho law enforcement (or bounty hunters, who can get up to $20,000 thanks to Idaho's "civil enforcement" provision) can continue to just buy lists of people who visit Planned Parenthood clinics or infer that somebody's pregnant based on their purchasing history, they can undercut the Shield Law's protections. So My Health My Data's limits on sharing and selling Washingtonians' health data not already protected by HIPAA – including location data indicating they've visited a facility offering reproductive, sexual, or gender-affirming care services – are a critical complement to the Shield Law.
Of course protecting people from Idaho who are coming to Washington for abortions and gender-affirming care is important, but you wouldn't want the sky to fall, would you?
"In addition to protecting private health care data not currently covered by HIPAA, ACLU of Washington Technology and Liberty Project Manager Jennifer Lee said the bill "will reduce barriers to abortion and gender-affirming health care access.""
– Washington state on track to pass broad-based health data privacy law, Jennifer Bryant, International Association of Privacy Professionals (IAPP) Privacy Explorer, April 14
That's a good thing in my books. And tech companies and their lobbyists say they agree. After all, protecting reproductive rights is enormously popular in Washington state; Northwest Progressive Institute (NPI) reports that more than three-fourths of Washington voters support My Health, My Data's protections.2 Not only that, many tech companies position themselves as LGBTQ+-friendly and supportive of pregnant people. So when lobbyists and other tech industry representatives talk about My Health My Data they consistently say they support the bill's goals.
Despite saying they support My Health My Data's goals, lobbyists and other tech industry representatives just as consistently push back against the bill's actual protections. For example, in the IAPP article and other blog posts, Future of Privacy Forum Senior Fellow (and former Microsoft Chief Privacy Counsel) Mike Hintze, State Privacy and Security Coalition lobbyist Andrew Kingman, and executives at tech startups who currently rely on using customer data without consent all express concern that My Health My Data is "broader and more onerous than HIPAA", "overly broad", "extremely broad" ... hey wait a second, I'm noticing a pattern here.
But that's not all, according to these totally unbiased experts. My Health My Data creates "unprecedented obligations"! It's "extreme"! It's "vague"! It could have "potentially negative impacts to health-related research and innovation"! Its "overbreadth may well mean that notifications for collecting and sharing truly sensitive reproductive health and gender-affirming care data get lost in the shuffle of opt-in notifications for innocuous, everyday transactions."
And if that's not enough, industry representatives warn, the private right of action in the Senate version of My Health My Data (allowing people to sue companies and CPCs when they break the law) will surely cause the sky to fall. OR WORSE!!!!!!
You wouldn't want the sky to fall, would you?
The Future of Privacy Forum receives money from Amazon, Apple, Google, Facebook, and Microsoft, as well as industry groups like the Interactive Advertising Bureau and DLA Piper, the law firm behind the State Privacy and Security Coalition.
– Tech Industry Groups Are Watering Down Attempts at Privacy Regulation, One State at a Time, by Todd Feathers and Alfred Ng on The Markup (2022)
The private right of action, the per se clause and why it matters
With that as background, let's look at the per se clause that creates the private right of action in My Health My Data. Here's Section 11 of the Senate version of the bill:
"A violation of this chapter is not reasonable in relation to the development and preservation of business, and is an unfair or deceptive act in trade or commerce and an unfair method of competition for the purpose of applying the consumer protection act, chapter 19.86 RCW."
It doesn't look like that big a deal, does it? It simply says that violating My Health My Data is treated as a "per se" violation of the state consumer protection act, which allows the AG to investigate – and individuals to sue. In the video, Sen. Trudeau points out that there's already a per se clause in over 133 statutes in law.
As Legal Voice's excellent short analysis discusses, though, the per se clause provides critical protections for people seeking abortion care. Suppose "Jane" accidentally ends up at a CPC, which gathers her name, address, and medical history, creates a profile in their database with her information, and shares it with their network of CPCs nationwide without getting Jane's consent. With a private right of action, Jane can use the Consumer Protection Act to sue the CPC to get them to stop sharing her info and possibly get compensation for the harm she endured.
But if there’s no “per se” violation, Jane would face a very difficult legal process. From the Legal Voice analysis:
She would have to prove that the fake clinic engages in trade and commerce - which can be a difficult argument as they often lure people in with promises of free diapers, formulas, and fake ultrasounds.
She would also have to prove that it is against the public interest for them to continue storing and selling or sharing people’s health data without her affirmative consent. This requires establishing a pattern of conduct - something that can be especially difficult for individual plaintiffs.
The Washington Supreme Court has acknowledged that this is a high burden for a private plaintiff - in this case, it could deter Jane from seeking any sort of compensation for the distress she suffered, or the CPC from any significant consequences for the misuse of her health information.
The Attorney General’s Office would not be able to take on Jane’s case because they do not represent private individuals. They would have to wait until they received multiple complaints - which could take years. Meanwhile, Jane would have no meaningful access to a remedy.
Of course CPCs aren't the only ones who can be sued under the per se clause. So can data brokers, tech companies, retailers, or anybody else who breaks the law and collects, shares, or sells people's data without consent. As Sen. Trudeau says, the per se clause is a fundamental piece of consumer protection law. But tech lobbyists have been successful at keeping private rights of action out of state privacy laws for the last 15 years, and they like it that way. Sen. Trudeau adds:
"I will just be totally candid: I think tech companies want to set a precedent through this bill."
Yeah really. Washington privacy legislation has been a precedent for other states in the past: even though the Bad Washington Privacy Act (Bad WPA) repeatedly failed to pass here, an Amazon lobbyist gave it to a Virginia state legislator and it became the basis of their state privacy law – which doesn't have a private right of action.3 Since then, the Bad WPA has also been the basis of Colorado's and Connecticut's laws, and Utah has passed an even weaker law ... none of which have a private right of action. Tech wants to keep playing by their own rules, and if they can block the per se clause here that'll give them an advantage in other states and federally.
Then again, if Washington passes a health data privacy bill with a strong private right of action, that will reinforce the push for strong privacy legislation – and the broader fight to hold tech accountable – in other states and in Congress.
And so, here we are
Last week's And you may ask yourself ... well, how did we get here? traced the bill's path from its introduction last October by Rep. Vandana Slatter (D-Bellevue), Sen. Manka Dhingra (D-Redmond), and Attorney General Bob Ferguson to the eve of the Senate floor vote, so I'll just include a couple of the key points here.
- A House floor amendment from Rep. Amy Walen (D-Bellevue) removed the per se clause for lawsuits from individuals.
- The Senate Law & Justice committee restored the per se clause, although it pushed the effective date for most of the bill's protections back to March 31, 2024 (except for the limitations on geofencing, which still go into effect July 23, 2023).
On the Senate floor, Sen. Mark Mullet (D-Issaquah) proposed a series of amendments that would have removed the per se clause for individuals, given companies and CPCs who break the law get-out-of-jail-free cards, and significantly narrowed the definition of consumer health data. Fortunately Law & Justice Chair Dhingra, Sen. Trudeau, and Sen. Patty Kuderer (D-Bellevue) had very strong responses in the floor debate to Mullet's amendments. Republicans supported Mullet's amendments, and proposed other weakening amendments of their own4, but Democrats have enough of a majority that they all failed. Whew.
Instead, the Senate adopted Chair Dhingra's floor striker, which made a smaller change to the definition of consumer health data, delayed the effective date for small businesses for an extra three months, and added a commission to review enforcement – but avoided more extensive changes. After adopting Chair Dhingra's striker, the Senate passed My Health My Data 27-21, with Mullet and all the Republicans voting no.
Now it's up to the House to concur.
It's not surprising that tech's making one more try at sowing fear, uncertainty, and doubt with legislators. After all, they've got a track record of not giving up easily. In 2021, for example, after the House rejected the Bad WPA, former Sen. Reuven Carlyle (D-Amazon) used procedural shenanigans to keep it alive after the cutoff, and then tried to "encourage" legislators to vote for it by threatening to hold funding for eviction protection hostage. It didn't work, but that didn't keep Carlyle from trying more shenanigans last year as part of his last doomed attempt to pass the Bad WPA. That once again didn't work, and Carlyle retired after going 0-for-4 with the Bad WPA, but there are no doubt other legislators who will be happy to do their corporate masters' bidding if told.
Flash forward to 2023 and it's pretty easy to see what tech's strategy is at this point. Legislators are under a lot of pressure to pass something, so if tech can keep the House from concurring, they'll potentially have a lot of leverage. If the House votes not to concur, then the Senate will vote on a version of the bill without the per se clause – and if they vote yes, that's the bill that goes to Gov. Inslee to sign. If not, then it goes to a cross-chamber "reconciliation" committee that will try to come up with a version that can pass both chambers. And if that doesn't happen, then My Health My Data would be dead for the session. So it's no surprise that lobbyists looking to weaken the bill (or perhaps even cause enough chaos that it doesn't pass) are sharpening their talking points and cranking up their PR machines.
And tech's also playing the long game. If something passes that they don't like, it'll almost certainly get challenged in court. Since the law doesn't go into effect until March 31, 2024, they can try to change it next session. For all I know, they have other tricks up their sleeve as well.
Then again, privacy advocates and supporters of reproductive rights and gender-affirming care are also playing the long game. If shenanigans ensue and tech somehow manages to sabotage the bill, there will be pressure on Gov. Inslee to call a special session. And next session could also offer opportunities to strengthen My Health My Data's protections. Historically, privacy laws haven't gotten strengthened after they've originally been passed ... but that could well change in the unprecedented post-Dobbs world.
So we'll see what happens over the last week of the session. The most likely outcome is that tech's last-ditch efforts fail and the House concurs. Democrats have a big majority in the House, and especially with all the headlines about the threats to medication abortion and Idaho's over-the-top laws, it'll be hard for them to defend a vote against protecting reproductive rights. By all accounts, at this point even industry-friendly corporate Democratic legislators are saying they support concurrence. If so, then My Health My Data is very close to becoming law.
Still ... you never know. It ain't over 'til it's over.
UPDATE, 12:15 pm: the House voted 57-40 to concur with the Senate amendment. Gov. Inslee still has to sign the bill, but at least from the legislative perspective: it's over.
Image credit: photo of Washington State Capitol by Al Toney, via Wikipedia Commons, licensed under the Creative Commons Attribution-Share Alike 4.0 International license.
1 rather confusingly, both the Senate and the House version are referred to as ESHB 1155; the acronym stands for engrossed substitute House bill 1155, and "engrossed" means that the substitute bill the Civil Rights & Judiciary committee advanced has been further amended. The legislature's bill page links to the Senate version as 1155-S.E AMS ENGR S2826., and to the House version as the Engrossed Substitute. But wait, there's more: the interim "striker" version advanced by the Law & Justice committee is also referred to as ESHB 1155 and linked to as 1155-S.E AMS LAW S2558.1; and there was also a floor striker from Senator Dhingra. Yeesh. For simplicity, I'll refer to them as the Senate version and House version.
2 And I wouldn't be surprised if this underestimates the actual support. The question NPI asked combined several different aspects of the bill so was remarkably long:
When I was summarizing the results to a friend, I described it as "76% support, and everybody else fell asleep before the end of the question."
3 2020's A bad day for a bad privacy bill, a good day for privacy describes how the Senate version of the Bad WPA didn't even have a per se clause for Attorney General enforcement – so the bill was literally unenforceable. Microsoft's blog post touted the bill's "strong enforcement" and Future of Privacy Forum's post inaccurately claimed the AG could enforce it 😂 😂 😂 After spirited discussion and a great floor debate, the 2020 session ended with the bill dying in reconciliation after the House added a per se clause for the AG and a private right of action and tech refused any compromises. Good times.
4 Along with a strengthening amendment: Sen. Keith Wagoner (Skagit and Snohomish Counties) proposed extending My Health My Data's protections to data held by government agencies. Wagoner's amendment addressed the tribal sovereignty issues Rep. Tarra Simmons (D-Kitsap County) had pointed out with a similar House amendment, but didn't address the issue that My Health My Data's enforcement is via the CPA and the CPA doesn't apply to government agencies. Chair Dhingra supported the idea in principle, but suggested that it needs to be addressed in another bill that has more comprehensive protections, and expressed hope that legislators from both parties will work on it in the interim. Let's hope that happens! And it's worth mentioning that the People's Privacy Act (sponsored by Rep. Shelley Kloba (D-Kirkland) and Sen. Bob Hasegawa (D-Seattle)) does cover data held by government agencies, and has bipartisan sponsorship ... so once again, as the session draws to a close, the People's Privacy Act is closer to a hearing than it's ever been!