Washington’s Biometric Data Regime Advances Privacy Regulation

On April 27, Washington Governor Jay Inslee signed into law the state’s expansive health privacy law, the My Health My Data Act. Effective March 31, 2024, the MHMDA establishes a comprehensive privacy framework for entities doing business in Washington state that handle consumer health data.

Reflecting a trend by lawmakers to safeguard health-related data not historically protected by laws such as HIPAA, the act was designed to “close an egregious legal loophole that allows non-health care organizations to collect, share or sell private health information.”

The law defines “consumer health data” broadly to include any personal information that is reasonably linkable to a consumer and that identifies the consumer’s past, present, or future physical or mental-health status. Chief among the categories of information under this definition is biometric data, positioning the MHMDA as a de facto biometric information privacy law that imposes obligations beyond Washington’s existing biometric privacy law, RCW 19.375.

The MHMDA’s private right of action, broad scope, and robust requirements for biometric and other health-related data promise to make the law a significant rival to Illinois’ Biometric Information Privacy Act, regarded as the most stringent of the biometric privacy laws in the US.

Further, the lack of overlap between the MHMDA and RCW 19.375 means businesses that had previously escaped RCW 19.375’s narrower scope will have to revisit their biometric privacy compliance obligations in the coming year to avoid allegations of noncompliance and potential class action lawsuits.

Definition and Scope

The MHMDA defines biometric data broadly as “data generated from the measurement or technological processing of an individual’s physiological, biological, or behavioral characteristics and that identifies a consumer, whether individually or in combination with other data.” In contrast to RCW 19.375, this definition doesn’t require the use of the data for identifying specific individuals. Rather, under the MHMDA, it is enough that the data can identify a consumer.

The definition of biometric data is broader still as it includes, “imagery of the iris, retina, fingerprint, face, hand, palm, vein patterns, and voice recordings, from which an identifier template can be extracted.” Significantly, inclusion of mere imagery and voice recordings means the act ostensibly regulates the collection of photographs and videos, expanding the definition of biometric data far beyond the scope of other biometric privacy laws such as RCW 19.375, which explicitly excludes photographs, videos, and audio recordings from the definition of biometric data.

Biometric data also encompasses “keystroke patterns or rhythms and gait patterns or rhythms that contain identifying information,” which further extends the act’s reach past other biometric laws that make no mention of such data.

While the MHMDA’s expansive definition of biometric data means the act may implicate a wide variety of processing activities not contemplated by other laws, the act does contain several notable exemptions that should provide Washington businesses some degree of comfort.

Importantly, the MHMDA doesn’t apply to information governed by the Health Insurance Portability and Accountability Act and the Gramm-Leach-Bliley Act, employee and business representative data, and information used for fraud prevention and other safety purposes.

Key Requirements

The act imposes key requirements on regulated businesses with respect to biometric information (like all consumer health data covered by the law). Many of these requirements should be familiar to entities that already comply with other state privacy laws.

Notice. Businesses must maintain a privacy policy that discloses their collection, use, and disclosure of biometric data, as well as a description of consumers’ rights under the act. Unlike BIPA, the MHMDA does not require that businesses maintain and disclose a retention period with respect to biometric information.

Consumer Rights. Also unlike BIPA, the MHMDA offers consumers the rights to access and delete their data, and to withdraw their consent from the collection or sharing of their information. As a result, businesses that process biometric data will need to ensure they have processes in place to comply with consumer rights requests with respect to their information.

Consent. Similar to BIPA, the act requires that businesses obtain a consumer’s affirmative, specific, informed, and freely-given opt-in consent to collect biometric data, unless the collection is necessary to provide a product or service that the consumer has requested from that entity. Importantly, “collect” is defined broadly to include buying, renting, accessing, retaining, receiving, acquiring, inferring, deriving, or otherwise processing biometric data in any manner.

Regulated entities must obtain a separate consent for sharing data, unless the sharing is necessary for the product or service requested by the consumer, and can’t sell data without separately obtaining “valid authorization signed by the consumer.”

While RCW 19.375 also requires consent, that’s only necessary for a business to “enroll a biometric identifier in a database for a commercial purpose,” where “enroll” narrowly means to “convert [a biometric identifier] into a reference template that cannot be reconstructed into the original output image, and store it in a database that matches the biometric identifier to a specific individual.” Consequently, the MHMDA requires consent for a broader array of processing activities than the existing Washington law.

The act will be enforced by the Washington Attorney General’s office and through a private right of action by way of the Washington Consumer Protection Act, which applies to any violation of the MHMDA. The act’s broad private right of action is seldom found in other privacy legislation. One of the few state laws that does contain a private right of action—Illinois’ BIPA—has spawned significant litigation since its enactment, which suggests that in 2024, businesses regulated by the MHMDA can expect to be the focus of the plaintiffs’ class action bar.

The MHMDA’s broad reach will likely implicate the data processing activities of many companies doing business in one of the country’s most populous states. With just under a year until the law goes into effect, businesses must quickly develop policies and procedures to achieve compliance and avoid significant exposure from the act’s private right of action.