HB 1155 - Prohibits the Collection and Sharing of Consumer Health Data Without Consumer's Consent - Washington Key Vote

Stage Details

Title: Prohibits the Collection and Sharing of Consumer Health Data Without Consumer's Consent

Vote Smart's Synopsis:

Vote to concur with Senate amendments and pass a bill that prohibits the sale of consumer health data collected by apps and websites not covered by HIPAA.

Highlights:

 

  • Defines biometric data to mean data that is generated from the measurement or technological processing of an individual’s characteristics and that identifies a consumer (Sec. 3).

  • Defines consumer health data to mean personal information that is linked or reasonably linkable to a consumer and that identifies the consumer’s past, present, or future physical or mental health status (Sec. 3).

  • Defines deidentified data to mean data that cannot reasonably be used to infer information about, or otherwise be linked to, an identified or identifiable consumer, or a device linked to such consumer (Sec. 3).

  • Defines gender-affirming care information to mean personal information relating to seeking or obtaining gender-affirming care services (Sec. 3).

  • Defines genetic data to mean any data that concerns a consumer’s genetic characteristics (Sec. 3).

  • Defines personal information to mean information that identifies or is reasonably capable of being associated or linked, directly or indirectly, with a particular consumer (Sec. 3).

  • Defines precise location information to mean information derived from technology that directly identifies the specific location of an individual with precision and accuracy within a radius of 1,750 feet (Sec. 3).

  • Defines publicly available information to mean information that is lawfully made available through government records or widely distributed media and a regulated entity or small business has a reasonable basis to believe a consumer has lawfully made available to the general public (Sec. 3).

  • Defines reproductive or sexual health information to mean personal information relating to seeking or obtaining reproductive or sexual health services (Sec. 3).

  • Requires that beginning March 31, 2024, a regulated entity or small business maintain a consumer health data privacy policy that clearly discloses (Sec. 4):

      • The categories of consumer health data collected and the purpose for collection;

      • The categories of sources used to collect consumer health data;

      • A list of categories of third parties and affiliates the entity or business shares consumer health data with;

      • How a consumer can exercise their rights provided in this Act.

  • Requires that a regulated entity and small business publish a link to its consumer health data privacy policy on its homepage (Sec. 4).

  • Prohibits a regulated entity and small business from collecting, using, or sharing additional categories of data not disclosed in the privacy policy without obtaining consumer consent (Sec. 4).

  • Prohibits regulated entities and small businesses from collecting and sharing consumer health data except (Sec. 5):

      • With consent from the consumer;

      • To the extent necessary to provide a product or service the consumer has requested from such entity or business.

  • Requires consent to be collected prior to data collection or sharing, and the request for consent must clearly disclose (Sec. 5):

      • The categories of consumer health data collected and the purpose for collection;

      • The categories of sources used to collect consumer health data;

      • A list of categories of third parties and affiliates the entity or business shares consumer health data with;

      • How a consumer can exercise their rights provided in this Act.

  • Prohibits a regulated entity or small business from discriminating against a consumer for exercising any rights included in this chapter (Sec. 5).

  • Establishes the right of consumers to confirm whether a regulated entity or small business is collecting, sharing, or selling consumer health data concerning the consumer and to access such data, starting March 31, 2024 (Sec. 6).

  • Establishes consumers' right to withdraw consent from the regulated entity or small business's collection and sharing of consumer health data concerning the consumer (Sec. 6).

  • Establishes consumers' right to have their health data deleted (Sec. 6).

  • Requires that when a regulated entity or small business receives a request to delete consumer health data, they must (Sec. 6):

      • Delete consumer health data from their records;

      • Notify all third parties with whom they shared consumer health data.

  • Requires that all third parties honor the consumer’s deletion request and delete the consumer health data from its records (Sec. 6).

  • Prohibits regulated entities and small businesses from requiring a consumer to create a new account in order to exercise their rights in this chapter, but may require the consumer to use an existing account (Sec. 6).

  • Exempts regulated entities and small businesses from complying with data deletion if they are unable to authenticate the request using commercially reasonable efforts and can request that the consumer provide additional information reasonably necessary to authenticate the request (Sec. 6).

  • Requires that the regulated entity or small business comply with the consumer’s request to delete their data within 45 days of receiving the request but allows one extension when necessary (Sec. 6).

  • Requires that regulated entities and small businesses restrict employee access to consumer health data to only those employees for whom access is necessary to further the purposes the consumer provided consent for or where necessary to provide a product or service (Sec. 7).

  • Requires regulated entities to establish and implement administrative, technical, and physical data security practices (Sec. 7).

  • Authorizes a processor to process consumer health data in accordance with a contract between the processor and the regulated entity or small business (Sec. 8).

  • Prohibits any person from selling consumer health data without valid authorization from the consumer (Sec. 8).

Title: Prohibits the Collection and Sharing of Consumer Health Data Without Consumer's Consent

Vote Smart's Synopsis:

Vote to amend and pass a bill that prohibits the sale of consumer health data collected by apps and websites not covered by HIPAA.

Highlights:

 

  • Defines biometric data to mean data that is generated from the measurement or technological processing of an individual’s characteristics and that identifies a consumer (Sec. 3).

  • Defines consumer health data to mean personal information that is linked or reasonably linkable to a consumer and that identifies the consumer’s past, present, or future physical or mental health status (Sec. 3).

  • Defines deidentified data to mean data that cannot reasonably be used to infer information about, or otherwise be linked to, an identified or identifiable consumer, or a device linked to such consumer (Sec. 3).

  • Defines gender-affirming care information to mean personal information relating to seeking or obtaining gender-affirming care services (Sec. 3).

  • Defines genetic data to mean any data that concerns a consumer’s genetic characteristics (Sec. 3).

  • Defines personal information to mean information that identifies or is reasonably capable of being associated or linked, directly or indirectly, with a particular consumer (Sec. 3).

  • Defines precise location information to mean information derived from technology that directly identifies the specific location of an individual with precision and accuracy within a radius of 1,750 feet (Sec. 3).

  • Defines publicly available information to mean information that is lawfully made available through government records or widely distributed media and a regulated entity or small business has a reasonable basis to believe a consumer has lawfully made available to the general public (Sec. 3).

  • Defines reproductive or sexual health information to mean personal information relating to seeking or obtaining reproductive or sexual health services (Sec. 3).

  • Requires that beginning March 31, 2024, a regulated entity or small business maintain a consumer health data privacy policy that clearly discloses (Sec. 4):

      • The categories of consumer health data collected and the purpose for collection;

      • The categories of sources used to collect consumer health data;

      • A list of categories of third parties and affiliates the entity or business shares consumer health data with;

      • How a consumer can exercise their rights provided in this Act.

  • Requires that a regulated entity and small business publish a link to its consumer health data privacy policy on its homepage (Sec. 4).

  • Prohibits a regulated entity and small business from collecting, using, or sharing additional categories of data not disclosed in the privacy policy without obtaining consumer consent (Sec. 4).

  • Prohibits regulated entities and small businesses from collecting and sharing consumer health data except (Sec. 5):

      • With consent from the consumer;

      • To the extent necessary to provide a product or service the consumer has requested from such entity or business.

  • Requires consent to be collected prior to data collection or sharing, and the request for consent must clearly disclose (Sec. 5):

      • The categories of consumer health data collected and the purpose for collection;

      • The categories of sources used to collect consumer health data;

      • A list of categories of third parties and affiliates the entity or business shares consumer health data with;

      • How a consumer can exercise their rights provided in this Act.

  • Prohibits a regulated entity or small business from discriminating against a consumer for exercising any rights included in this chapter (Sec. 5).

  • Establishes the right of consumers to confirm whether a regulated entity or small business is collecting, sharing, or selling consumer health data concerning the consumer and to access such data, starting March 31, 2024 (Sec. 6).

  • Establishes consumers' right to withdraw consent from the regulated entity or small business's collection and sharing of consumer health data concerning the consumer (Sec. 6).

  • Establishes consumers' right to have their health data deleted (Sec. 6).

  • Requires that when a regulated entity or small business receives a request to delete consumer health data, they must (Sec. 6):

      • Delete consumer health data from their records;

      • Notify all third parties with whom they shared consumer health data.

  • Requires that all third parties honor the consumer’s deletion request and delete the consumer health data from its records (Sec. 6).

  • Prohibits regulated entities and small businesses from requiring a consumer to create a new account in order to exercise their rights in this chapter, but may require the consumer to use an existing account (Sec. 6).

  • Exempts regulated entities and small businesses from complying with data deletion if they are unable to authenticate the request using commercially reasonable efforts and can request that the consumer provide additional information reasonably necessary to authenticate the request (Sec. 6).

  • Requires that the regulated entity or small business comply with the consumer’s request to delete their data within 45 days of receiving the request but allows one extension when necessary (Sec. 6).

  • Requires that regulated entities and small businesses restrict employee access to consumer health data to only those employees for whom access is necessary to further the purposes the consumer provided consent for or where necessary to provide a product or service (Sec. 7).

  • Requires regulated entities to establish and implement administrative, technical, and physical data security practices (Sec. 7).

  • Authorizes a processor to process consumer health data in accordance with a contract between the processor and the regulated entity or small business (Sec. 8).

  • Prohibits any person from selling consumer health data without valid authorization from the consumer (Sec. 8).
