A watered-down substitute advances: Washington privacy legislation update, February 6

Last updated April 20.  See the update log at the bottom.

Washington's short legislative session continues in high gear.  Bills have to make it through multiple committees in either the House or Senate and get a floor vote by March 8, then they've got a month to get through the other chamber.  But the first "cutoff" is February 17, which is generally the last day the committee a bill has initially been assigned to (aka the bill's "policy" committee) can vote to advance it, and there are only a handful of committee meetings between now and them, so time is starting to get tight.

My Health My Data (HB 1155) protects consumer health data – incuding especially urgent as more and more states criminalize abortion and gender-affirming care.  Civil Rights & Judiciary (CR&J) Chair Drew Hansen introduced a substitute version of the bill incorporating many of industry's requests for "improvements" (haha), and on Friday, CR&J advanced the watered-down substitute SHB 1155 on a party-line vote (although one Democrat who described herself as "represnting the tech industry" said she'd vote against it on the floor unless it were further weakened).  The bill now moves to the Rules committee, and from there to the House floor.

Update #1: on March 5, the House passed ESHB 1155 on a party-line vote after adopting an amendment (brought by Rep. Walen, the Democrat who had threatened to vote against it unless it was weakened ) that gutted the private right of action and made it extremely difficult for people to sue tech companies, data brokers, "crisis pregnancy centers", or anybody else if they break the law.  Still, even in it's weakened, watered-down form, it's still a big milestone getting anything through the House.  So congratulations to bill sponsor Rep. Vandana Slatter, and all the privacy advocates who have been supporting the bill!

Up next, the Senate Law & Justice committee, where privacy advocates will be pushing to strengthen the bill – and industry lobbyists will be suggesting more "improvements" (haha).

Update #2 (April 20): The Senate Law & Justice committee restored the per se clause, made some other valuable improvements, rejected most of industry's suggestions for "improvements" (haha), delayed the effective date of most of the bill to March 31 2024.  On April 5, the full Senate passed My Health My Data 27-21, keeping the per se clause and rejecting floor amendments that would have weakened it (although further delaying the effective date for small businesses) – and on April 17, the House concurred and accepted the Senate's version.  The bill's currently on the Gov. Inslee's desk, and he's expected to sign it next week.

Ask and ye shall receive (if you're an industry lobbyist)

"Industry lobbyists ... pushed back strongly against some of the bill's language, claimed the bill as written would cause the sky to fall, and suggested "improvements" (haha) including narrowing the definitions of consumer health data, introducing more loopholes and exemptions, allowing some geofencing as long as it wasn't "precise", and weakening enforcement."

– A very encouraging first step: My Health My Data's first hearing

Supporters of My Health My Data had urged the Civil Rights & Judiciary comittee to advance the bill as quickly as possible, so from that perspective it's very good news that the bill moved forward.  And the substitute bill continues to include important features; the combination of its opt-in requirements and enforcement mechanisms – including a strong private right of action – protect against some of the egregious abuses that happen today.

That said, industry lobbyists got several of the "improvements" (haha)  they asked for in his substitute amendment, so the protections are significantly less than in the original bill.  The new version of My Health My Data:

• no longer prohibits organizations from selling Washingtonians’ health data. Companies now can sell data if they get an "authorization", a much lower level of protection.¹  Prohibiting organizations from selling health data was the #1 bullet on the list in the press release when AG Ferguson, Rep. Slatter, and Sen. Dhingra introduced My Health My Data last fall. Here's how the press release describes the impact of selling health data:

"Period tracking apps can sell sensitive information about a woman’s late period or miscarriage to data brokers. Data brokers can link that information to her data profile, which is essentially for sale on the open market. Law enforcement from states with strict anti-abortion laws or anti-choice advocacy groups can purchase that data profile and use that information to prosecute women who had an abortion or miscarriage in another state."

• no longer prohibits using location data to target ads at people visiting reproductive and gender affirming health care facilities. The definition of "geofencing" is now limited to "a virtual boundary that is 2,000 feet or less from the perimeter of the physical location", which opens up several opportunities for anti-abortion groups to  target ads at women visiting clinics.²
• now only explicitly protects location data indicating a consumer's attempt to acquire or receive health services or supplies if it's "precise" (defined as "directly identifies the specific location of an individual with precision and accuracy within a radius of 1,750 feet").  This could potentially create loopholes letting for vigilantes and law enforcement in states the criminalize abortion or gender-affirming care buy people's imprecise location data and combine it with other information (including "de-identified" location data, which is exempt from My Health My Data) to build up a clearer picture of somebody's movements.
• has a lot more loopholes and exemptions For example data brokers, "crisis pregnancy centers", and other businesses are allowed to collect, use, and disclose health data without asking consent as long as it's to "prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any illegal activity; or investigate, report, or prosecute those responsible for any such action."  That's good news for law enforcement in states where abortion is illegal activity – but bad news for people seeing reproductive health care.    There's also a much longer list of exemptions for existing laws on human research and hospital quality programs that have privacy requirements (or requirements that could conflict with privacy); depending on the specifics of those bills these could be necessary carveouts, or could be loopholes undercutting the principle that (where feasible) My Healh My Data should be a floor not a ceiling.
• no longer requires policies to include the specific types of health data collected and shared, the specific sources, and the specific third parties data is shared with.  Instead, privacy policies only have to include the categories.  This means there's no way to know just from a privacy policy whether a company shares information with third parties who are unregulated entities (who could then do whatever they want with it, including selling it to bounty hunters or law enforcement).  Instead, you have to wait for your data to be shared with third parties, then make an access request and wait for however long it takes to process it ... and then make similar access requests from any third parties.  By the time you figure out that your data has gone to an unregulated entity, it's too late.

There are plenty of other changes as well.³  Almost none of them strengthen consumer protection – and even the ones that do are a bit of a mixed bag.  For example, the right to confirm whether an company is collecting, using, or sharing data now includes a list of all third parties and affiliates (although not processors) the data has been shared with or sold to. That's good!  Balanced against this, though, the list of third parties and affiliates that companies share information with is no longer requied in the privacy policy; companies now have longer to respond to requests for information; and companies are allowed to charge if you make more than two requests a year.

A potentially tricky situation

"Of course, if legislators take lobbyists' suggestions and water My Health My Data down, then it won't protect health data, pregnant people, or gender-affirming care."

– A very encouraging first step

Despite all the watering down, industry still isn't satisfied. Amendments to remove the requirement for authorization for selling health data and any restrictions on geofencing, weaken enforcement by removing the per se clause, and give companies a get-out-of-jail free card (the so-called "right to cure") were voted down on Friday but will no doubt be back.  

Still, industry lobbyists are probably quite pleased with the results so far.  Going forward, their goal will be to keep most of the discussion going forward focused on their suggestions for additional "improvements" (haha), trying to force the legislature to choose between passing a bill that doesn't protect Washingtonians ... and not passing anything at all.  Good news for industry either way!

By contrast, Chair Hansen has potentially created a very tricky situation for Democrats in the legislature (and AG Ferguson and Gov. Inslee as well, for that matter). Despite the promising start from Rep. Slatter and Sen. Dhingra, it's not clear that My Health My Data is still on track to deliver on their commitment to protect health data, pregnant people, and gender-affirming care.  Worse, the optics of the cis male chair of the Civil Rights committee not allowing four women and a trans femme person (several of whom have very relevant experience in the tech industry) to speak at the hearing, and then giving away so many of these protections to make industry happy are ... not great.

Of course, Democrats have majorities in both chambers.  So they have the votes to restore these protections (via floor amendments in the House, at the Senate Law & Justice committee, or on the Senate floor) if they want to.  After making reproductive freedom a big part of their campaign platform, hopefully Democrats will realize how bad it would be politically to let industry continue to exploit pregnant people's data at the expense of their safety.

But then again the tech industry is very influential here in Washington.  So, we shall see.

Notes

¹ Prohibiting selling health data (but not other kinds of data) is a content-based restriction, which means it would face strict scrutiny from a constitutional perspective, and in  Sorrell vs IMS Health Inc (2011), the Supreme Court overturned Vermont's Prescription Confidentiality Law on First Amendment grounds.  Content-based restrictions can survive strict scrutiny if they are narrowly tailored to serve a compelling interest and are the least restrictive means available to achieve that purpose; for example, state legislation of non-consensual intimate images, which is also content-based, has survived constitutional  challenges. However, HIPAA allows sales of protected health information with an authorization, so an outright prohibition might fail the least restrictive means test.

Still, even if an outright prohibition would lead to a constitutional challenge, there maybe additional protections to complement the authorization. For example, sale of de-identified data puts some contractual obligations on the purchaser; could a similar approach work for non-deidentified data?

Of course, an even more privacy-protective approach that wouldn't raise the same content-baed issues would be to prohibit all data sales, but given My Health My Data's focus on consumer health data, that's going to have to wait for a comprehensive privacy bill.

² For example, by combining location-based targeting with a radius of 2,500 feet (not considered geofencing under the current definition) with other data; or by combining information from multiple 2500-foot-radius location-based targeting to triangulate a more precise location.

³ Here's a list of the other changes I've found so far, along with some thoughts.

• The definition of consumer health data has changed.  Before it was "relating to" past, present or future mental health, now it's "linkable to or reasonably linkable to and identifying" past, present or future mental health.  
• "Efforts to research or obtain health services or supplies" are no longer considered consumer health data.  This doesn't affect efforts to research or obtain reproductive, sexual, and gender-affirming health services; they're still protected, and the definition of those services includes products and medications.  However, efforts to research or obtain other health services or supplies aren’t protected any longer – for example a search for "dealing with depression", "Alzheimer's support groups", "cancer specialist". That search data could be sold to unregulated entities, who could then use it to infer – and sell – people's health status.
• The definition of "consent" has changed.  Before it was written consent; now it's "agreement", which may include written consent provided by electronic means. The new definition has similar wording to the GDPR and the People's Privacy Act, so maybe this is okay.
• Sleep and exercise data is no longer included under biometrics.  Maybe it's covered elsewhere in the definition of consumer health data (although I'm not sure) ... even if it is, it sure would be good to be explicit about it, otherwise companies can argue that the legislative intent was clearly to remove this protection.
• The definition of "publicly available" data – which is exempt from the law – has expanded.  It now includes information that "a regulated entity has a reasonable basis to believe a consumer has lawfully made available to the general public."  One consequence of this is that information in social media posts (including location) is now exempt from the bill.  The new language is similar to California's CCPA, but that doesn't make it okay!
• Companies get additional time to respond to requests for information – it used to be 30 days, now it's 45 days with an automatic 45 day extension.  Again, the language is similar to California's
• Consumers are only allowed to make two free requests per year to see what information a company has on them.
• Sections 5(1)(b) and 5(2)(b) now allow companies to collect and share health data if it's "necessary" to provide a product or service that's been requested; before, it was "strictly necessary"
• Deletion requests and requests for information now have to be authenticated, and companies are allowed to ignore requests if they can't authenticate them with "commercially reasonable".  If a company doesn't take action on a request, there's now an appeals process.  There was clearly an issue in the original bill: without any requirement for authentication or verification (as it's called in California's CCPA), anybody could request anybody else's data.  However, if the new langauge is badly-worded, it could potentially give companies a way to delay or avoid responding to requests; I haven't looked at it in enough detail to know if there's a problem.
• Companies are allowed to defer deletion on backup materials up to six months. This is different from California's CCPA (which allows companies to defer deletion until the backup is restored or the data is used) but it's not clear to me whether it's better or worse.  

Update log

February 7: improve discussion of geofencing, include quote from press release on impact of data sales, clean up other wording

February 8: remove the bullet point on narrowing the definition of consumer health data, and move the discussion of "efforts to research or obtain health services or supplies" to a footnote.

February 11: add footnote on content-based restrictions

February 20: update footnote on content-based restrictions to include Sorrell, add expansion of publicly available information

March 3: remove updates of People's Privacy Act and ADS bill, discussed in more detail in A much more favorable environment, but a lot of complexity; update footnote on content-based restrictions again; add more detail on the list of changes in footnote, and move the privacy policy change from the footnote into the main text

March 10: add House floor votes; update footnote on consent and sleep data

March 16: minor clarifications in disussion of House floor votes

April 20: update after House concurs; clarify wording in "precise location data" discusssion.