New Washington consumer health privacy policy guidance could complicate broader compliance efforts Hogan Lovells

New Washington consumer health privacy policy guidance could complicate broader compliance efforts Hogan Lovells


Regulators and lawmakers are increasingly seeking additional privacy and other protections for sensitive data, including consumer health data. Since Washington passed the My Health My Data Act on April 27, 2023, Nevada Also passed the Consumer Health Data Privacy Act, and Connecticut Amends the Consumer Data Privacy Act to impose similar transparency requirements and restrictions on the use and disclosure of consumer health data.This year, Vermont has proposed Vermont Senate Bill 173which is largely consistent with Washington lawand washington attorney general The office updated it guide Notice Requirements Under Washington Law (the “Guidelines”). Washington’s requirement takes effect on March 31, 2024, and Violations of this law are considered violations of the Washington Consumer Protection Act, which are enforced by the Attorney General and private lawsuits.


An independent consumer health data privacy policy that meets Washington requirements only.

Washington State’s My Health My Data Act requires regulated entities or small businesses to maintain and Prominently publish a consumer health data privacy policy on its home page that “clearly and conspicuously discloses” certain information about the consumer health data processed. This includes: (1) the categories of consumer health data collected and the purposes for which they are collected, including how the data is used; (2) the categories of sources from which consumer health data is collected; (3) the categories of consumer health data shared; (4) ) Categories of third parties and affiliates with which consumers’ health data are shared; (5) How consumers can exercise their rights in accordance with the law. The guidance clarifies that this consumer health data privacy policy must be a stand-alone policy because it “may not contain other information not required by the Act.”

In contrast, Connecticut and Nevada laws governing consumer health data require explicit disclosure of information about consumer health data processed in privacy policies. But these laws do not explicitly require separate privacy policies for consumer health data, and their definitions and content requirements vary. For example, Nevada law requires consumer health data privacy policies to disclose third-party tracking on regulated entities’ websites and online services, and Connecticut law requires the inclusion of a valid email address or other online contact mechanism. Because the disclosures required by the laws of Connecticut and Nevada are different and may be different in scope than those required by the laws of the State of Washington. lawentities subject to these laws will need to carefully evaluate which state consumer health privacy laws apply to their activities and develop appropriate privacy policies—which may now include a separate Washington consumer health data privacy policy.


There are separate and distinct links on certain pages of the website and mobile application.

Washington’s My Health My Data Act Require a link to the Consumer Health Data Privacy Policy to appear: (1) on the website’s introductory page and any pages where personal information is collected; (2) on the mobile application’s platform or download page and as an in-app Link (for example, on the About or Settings page). According to the guidance, these must be “separate and distinct” links from Washington’s Consumer Health Data Privacy Policy.

Although Nevada law requires regulated entities to post a link to their consumer health data privacy policy on their “main” website, neither Connecticut nor Nevada law expressly requires notice to be provided via a “separate and distinct” link.


Next step

Washington attorney general appears to want entities sanctioned by Washington The My Health My Data Act will develop and publish a separate, Washington State-only consumer health data privacy policy by March 31, 2024, and provide a link to it on its website and mobile applications Explicit link to policy. Companies will need to evaluate whether and how Washington State’s My Health My Data use data law applies to their operations and implement compliance measures accordingly, including public-facing policies.

Leave a Comment

Your email address will not be published. Required fields are marked *