The Office of the Attorney General of Washington (the “AG”) has updated the Frequently Asked Questions (the “FAQs”) for the Washington My Health My Data Act (the “Act” or “Washington Act”) to provide guidance on the AG’s position concerning whether businesses must publish standalone consumer health data privacy policies under the Act. The update, first posted on January 11, 2023, states that (i) businesses must maintain a “separate and distinct link” to their consumer health data privacy policies and (ii) consumer health data privacy policies may not contain any information not required under the Act.
The Act states that businesses subject to the Act must maintain consumer health data privacy policies that clearly and conspicuously disclose how they use consumer health data and what rights consumers have under the Act. There has been some confusion about whether businesses may satisfy this obligation by incorporating disclosures required under the Act into their general privacy policies.
Implications for Businesses Subject to the Act and Nevada’s SB370
The updated FAQs indicate businesses must maintain consumer health data privacy policies that only contain disclosures specific to the Act. Accordingly, businesses subject to both the Act and Nevada’s Senate Bill 370 (“SB370”) may have a burdensome obligation to prepare, publish, and maintain separate Washington- and Nevada-specific consumer health data privacy policies.
- Whether a third party may collect consumer health data over time and across different Internet websites or online services; and
As a result, businesses subject to the Washington Act and Nevada’s SB370 may need to post Washington-specific consumer health data privacy policies separate from consumer health data privacy policies designed to comply with SB370.
The updated FAQs add to the original FAQs the AG published in June 2023, which addressed notable ambiguities in the Act, including the Act’s effective dates, the scope of consumer health data, and how businesses may reconcile their obligation to retain consumer authorizations to sell, and comply with consumer requests to delete, consumer health data. Alston & Bird’s Privacy, Cyber & Data Strategy Team will continue to provide updates on the Act and other health data privacy laws. Please contact us if you have any questions.