The Office of the Attorney General of Washington (the “AG”) has updated the Frequently Asked Questions (the “FAQs”) for the Washington My Health My Data Act (the “Act” or “Washington Act”) to provide guidance on the AG’s position concerning whether businesses must publish standalone consumer health data privacy policies under the Act. The update, first posted on January 11, 2023, states that (i) businesses must maintain a “separate and distinct link” to their consumer health data privacy policies and (ii) consumer health data privacy policies may not contain any information not required under the Act.
The Requirement to Publish a Consumer Health Data Privacy Policy
The Act states that businesses subject to the Act must maintain consumer health data privacy policies that clearly and conspicuously disclose how they use consumer health data and what rights consumers have under the Act. There has been some confusion about whether businesses may satisfy this obligation by incorporating disclosures required under the Act into their general privacy policies.
The publication of the updated FAQs makes clear the AG’s position that businesses must maintain standalone consumer health data privacy policies that are distinct from their general privacy policies. The updated FAQs state that a business must maintain a separate and distinct link to its consumer health data privacy policy on its homepage and that the privacy policy may not contain any information not required under the Act. This update therefore restricts businesses’ ability to rely on general privacy policies that contain health-related disclosures to satisfy the Act’s consumer health data privacy policy requirement.
Implications for Businesses Subject to the Act and Nevada’s SB370
The updated FAQs indicate businesses must maintain consumer health data privacy policies that only contain disclosures specific to the Act. Accordingly, businesses subject to both the Act and Nevada’s Senate Bill 370 (“SB370”) may have a burdensome obligation to prepare, publish, and maintain separate Washington- and Nevada-specific consumer health data privacy policies.
SB370 regulates businesses’ collection and use of Nevada consumers’ health data, effective March 31, 2024, and obligates businesses to maintain consumer health data privacy policies. The required privacy policy contents under the Washington Act and SB370 are substantially similar, but SB370 requires that the privacy policies include the following items, which technically are “additional information not required under [the Washington Act]”:
- The process by which the business notifies consumers of material changes to the privacy policy;
- Whether a third party may collect consumer health data over time and across different Internet websites or online services; and
- The effective date of the privacy policy.
As a result, businesses subject to the Washington Act and Nevada’s SB370 may need to post Washington-specific consumer health data privacy policies separate from consumer health data privacy policies designed to comply with SB370.
The updated FAQs supplement the original FAQs the AG published in June 2023, which addressed notable ambiguities in the Act, including the Act’s effective dates, the scope of consumer health data, and how businesses may reconcile their obligation to retain consumer authorizations to sell consumer health data with their obligation to comply with consumer requests to delete it. Alston & Bird’s Privacy, Cyber & Data Strategy Team will continue to provide updates on the Act and other health data privacy laws. Please contact us if you have any questions.