UPDATE: about two hours after I posted this, the House voted to concur with the Senate version of My Health My Data!
“This session ends on Sunday April 23, and privacy legislation has gone down to the wire the last four years. It ain’t over ’til it’s over!”
– A much more favorable environment, but a lot of complexity: Washington state privacy legislation 2023, January 11
Sure enough, with only a week left in the session, the fate of the consumer health data privacy law My Health My Data (HB 1155) still hasn’t been fully decided. My Health My Data protects “consumer health data”: data from apps, websites, retailers, advertisers, search engines, wearables like Fitbits, and so-called “crisis pregnancy centers” (CPCs), none of which is covered by HIPAA today. These protections are especially important in a post-Dobbs world, as states including neighboring Idaho criminalize providing, receiving, or helping people seek abortion and gender-affirming care. But industries who make money by exploiting people’s data without their consent don’t want to be regulated … and the tech industry is very powerful here in Washington.
Last week, the Senate passed a version1 with some significant improvements over the version the House passed last month – including a “private right of action” allowing people to sue companies and CPCs that break the law, something industry has fought against for years. If House votes to concur, which most people seems to think is very likely, then once the Governor signs the bill, My Health My Data will become law. That would make it the first consumer health data privacy law to pass anywhere in the US, and the first post-Dobbs data privacy law. Given Washington’s justifiable reputation as a tech leader, that’s likely to influence legislation in other states and federally.
But if there are shenanigans the House votes against concurring,
Image credit: photo of Washington State Capitol by Al Toney, via Wikipedia Commons. licensed under the Creative CommonsAttribution-Share Alike 4.0 International license. 1 rather confusingly, both the Senate and the House version are referred to as ESHB 1155; the acronym stands for engrossed substitute House bill 1155, and “engrossed” means that the substitute bill the Civil Rights & Judiciary committee advanced has been further amended. The legislature’s bill page links to the Senate version as 1155-S.E AMS ENGR S2826., and to the House version as the Engrossed Substitute. But wait, there’s more: the interim “striker” version advanced by the Law & Justice committee is also referred to as ESHB 1155 and linked to as 1155-S.E AMS LAW S2558.1; and there was also a floor striker from Senator Dhingra. Yeesh. For simplicity, I’ll refer to them as the Senate version and House version. 2 And I wouldn’t be surprised if this underestimates the actual support. The question NPI asked combined several different aspects of the bill so was remarkably long: Do you strongly support, somewhat support, somewhat oppose, or strongly oppose blocking health tracking apps and advertisers from collecting and selling Washingtonians’ health data without their consent, barring location-specific targeting of people who visit reproductive and gender affirming healthcare facilities, and requiring companies to maintain and publish a privacy policy for people’s health data? When I was summarizing the results to a friend, I described it as “76% support, and everybody else fell to sleep before the end of the question.” 3 2020’s A bad day for a bad privacy bill, a good day for privacy describes how the Senate version of the Bad WPA) didn’t even have a per se clause for Attorney General enforcement – so the bill was literally unenforceable. Microsoft’s blog post touted the bill’s “strong enforcement” and Future of Privacy Forum’s post inaccurately claimed the AG could enforce it 😂 😂 😂 ] After spirited discussion and a great floor debate, the 2020 session ended with the bill dying in reconciliation after the House added a per se clause for the AG and a private right of action and tech refused any compromises. Good times. 4 Along with a strengthening amendment: Sen. Keith Wagoner (Skagit and Snohomish Counties) proposing extending My Health My Data’s protections to data held by government agencies. Wagoner’s amendment addressed the tribal sovereignty issues Rep. Tarra Simmons (D-Kitsap County) had pointed out with a simliar House amendment, but didn’t address the issue that My Health My Data’s enforcement is via the CPA and the CPA doesn’t apply to government agencies. Chair Dhingra supported the idea in principle, but suggested that it needs to be addressed to another bill that has more comprehensive protections, and expressed hope that legislators from both parties will work on it in the interim. Let’s hope that happens! And it’s worth mentioning that the People’s Privacy Act (sponsored by Rep. Shelley Kloba (D-Kirkland) and Sen. Bob. Hasegawa (D-Seattle)) does cover data held by government agencies, and has bipartisan sponsorship … so once again, as the session draw to a close, the People’s Privacy Act is closer to a hearing than it’s ever been!
Notes