On April 27, 2023, the state of Washington enacted a landmark privateness legislation aimed toward protective the privateness of fitness information now not coated by way of HIPAA. This legislation, named the “My Well being My Knowledge Act,” covers an excessively wide variety of entities, shoppers, and information. It additionally incorporates a non-public proper of motion. Firms will have to quickly start comparing the scope of this legislation and its necessities sooner than it comes into impact March 31, 2024 (for “small companies,” June 30, 2024).

There are lots of nuances and complexities to this legislation that transcend HIPAA or some other current state “complete” privateness legislation. We spotlight probably the most key parts beneath:

• Applicability. Not like different state user privateness regulations, this legislation incorporates no income or quantity of processing thresholds. The legislation applies to “regulated entities” amassing “user fitness information” from “shoppers.” Each and every of those key phrases is outlined widely. Non-governmental entities, together with non-profits, that behavior trade in Washington or produce or supply merchandise or services and products focused to Washington shoppers, and on my own or collectively with others, determines the needs and meanings of amassing, processing, sharing, or promoting user fitness information are in scope.

“Customers” surround Washington citizens in addition to someone whose fitness information is “gathered” in Washington (and “acquire” does now not imply “acquire” within the conventional sense of the phrase). The legislation does now not practice to folks in an employment context or to worker information. The large definition of “user fitness information” contains even information derived from non-health data that can point out a shopper’s try to obtain fitness services and products or provides. There are exceptions for information this is matter to sure enumerated privateness regulations comparable to HIPAA, GLBA, FCRA, FERPA, and current Washington state regulations associated with fitness care and insurance coverage. For extra main points on those key definitions and the scope of the legislation learn our publish right here.

• Understand. Like different privateness regulations, the legislation calls for entities matter to the legislation to have a privateness coverage with sure content material necessities. It continues to be noticed whether or not current website online privateness insurance policies can be utilized, or whether or not a separate understand will probably be required.

• Rights. Whilst the varieties of rights and procedural necessities will probably be normally acquainted to corporations matter to different user privateness regulations, there are particular sides that cross additional than current US privateness regulations. As an example, the main points that will have to be supplied in an get right of entry to request, and the loss of standard exceptions to shoppers’ proper to delete will create burdensome operational demanding situations. For extra main points on user rights requests, learn our publish right here.

• Consent. The legislation calls for opt-in consent for any assortment, use, disclosure, or different processing of knowledge past what’s vital to supply a consumer-requested services or products. There also are necessities for “sharing” (even though the definition does now not monitor CCPA’s definition). As well as, there may be an hard authorization requirement for any “sale” of user fitness information. The large definition of “sale,” coupled with the requirement to have a written and signed authorization for any “gross sales” might have an effect on how corporations have interaction in focused promoting actions. For extra main points at the consent necessities, learn our publish right here.

• Geo-fencing ban. Geo-fencing is to create a digital perimeter for a particular geographic space. The legislation prohibits corporations from the usage of a geofence to spot shoppers, acquire user fitness information, or ship advertisements or notifications based totally a shopper’s proximity to in-person fitness care services and products amenities.

The legislation could also be enforced via a non-public proper of motion, along with enforcement by way of the Washington Lawyer Normal. This legislation suits a rising development against higher scrutiny and protections for fitness information now not coated by way of HIPAA. (See right here for a dialogue at the FTC’s center of attention).