Washington’s My Health My Data Act is a groundbreaking piece of privacy legislation aimed at protecting the sensitive health-related data of Washington residents. The Act goes beyond federal laws like HIPAA by extending data protection to organizations outside the traditional healthcare industry, including businesses that collect health-related information through websites, apps, and other digital platforms.
The Captain Compliance team provides an in depth-guide that breaks down the key provisions of the Act, particularly focusing on its cookie consent requirements, and explains how Captain Compliance and our data privacy software tools and services ensure businesses meet the necessary compliance standards.
1. Key Features of Washington’s My Health My Data Act
1.1. Expanded Scope of Health Data
- The Act covers any information related to a person’s health, physical or mental well-being, and inferred health data. This is broader than traditional health regulations, making many companies responsible for compliance, even if they aren’t healthcare providers.
- Examples of covered data:
- Fitness tracker data (steps, calories)
- Mental health app usage patterns
- Fertility app data
- Sleep tracking information
- Examples of covered data:
1.2. Consent Requirements
- The Act mandates clear and explicit consent from individuals before any health-related data is collected, shared, or sold. This includes:
- Obtaining user consent through clear, non-deceptive means.
- Informing users about what specific data is collected.
- Offering users the right to opt-out at any time, with easy-to-use mechanisms.
1.3. Data Minimization
- Companies must only collect health data that is necessary for their stated purposes and cannot retain the data longer than required.
- For those who adhere to the GDPR data minimization mindset you can apply the same logic here.
1.4. Private Right of Action
- Washington’s My Health My Data Act includes a private right of action, meaning individuals can sue companies for violations. This increases the legal risk for non-compliant companies.
- If you’re not using a privacy software you open your business up to massive risk that can be easily averted.
1.5. Transfer of Data
- If a company wishes to transfer or sell health data, they must gain explicit consent from the user for each transfer, particularly if the data will be sold to a third party.
2. Cookie Consent Requirements Under Washington’s My Health My Data Act
2.1. What Are Cookie Consent Requirements?
Under this Act, any business that collects health-related data through cookies, tracking pixels, or similar technologies is required to obtain explicit consent before collecting such information. This rule applies particularly to cookies that track user behavior or infer health-related data.
2.2. Types of Cookies Regulated by the Act
- Strictly Necessary Cookies: These are essential for the operation of a website, but they do not require consent.
- Performance Cookies: These cookies track how users interact with the website, which could include health-related behavior (e.g., which fitness products a user is looking at).
- Targeting or Advertising Cookies: These cookies, which track user interests, can infer sensitive health information if they are used for health-related products or services.
- Functional Cookies: Cookies that remember user preferences, such as remembering health-related form submissions, may also fall under the Act if they store health data.
2.3. What Businesses Must Do to Comply with Cookie Consent Requirements
- Inform the User: The business must clearly inform users what data the cookies collect, what purpose the data serves, and whether the data is shared or sold.
- Obtain Explicit Consent: Companies must get consent before collecting any health-related data through cookies. The consent must be specific and informed.
- Offer Opt-out Mechanisms: Users must be given the ability to easily opt-out of having their health-related data tracked by cookies.
- Clear Cookie Policies: The cookie policy must be up to date, clearly stating what types of cookies are used, what data is collected, and how users can manage their consent.
- Cookie Expiry and Data Retention: Cookies should have an expiration date and should not store health-related data for longer than necessary.
2.4. Example of Non-Compliance
A wellness website that tracks user sleep patterns without informing users or obtaining their consent before installing performance cookies would be in violation of the Act. Similarly, if a fitness app sells data inferred from user activity without explicit consent, this would breach the Act’s provisions.
3. How Captain Compliance Satisfies the Consent Requirements for My Health My Data Act
Our Cookie Consent Banners from Captain Compliance can resolve your banner fatigue. We also offer a suite of tools that help businesses comply with Washington’s My Health My Data Act. Here’s how our privacy solutions ensure compliance, particularly when it comes to cookie consent:
3.1. Cookie Consent Banner
- Our easy to install and manage consent banner provides customizable cookie banners that are easily integrated into websites. The banner informs users about the use of cookies, clearly states what data will be collected, and gives users the option to accept or decline cookies. This is broken down into 1st party and 3rd party cookies as well as categorized.
- Key Features:
- Granular Consent Options: Users can select which types of cookies they agree to (e.g., performance, functional, targeting) and decline others.
- Clear Explanations: The banner explains in simple terms what data the cookies collect and how it will be used.
- Real-Time Updates: As regulations change, the consent banner can be updated to meet new requirements without downtime.
- Key Features:
3.2. Dynamic Cookie Policy Page
- We offer a dynamic cookie policy page that updates automatically as cookies are added or removed from the site. This ensures that businesses remain compliant as their use of cookies evolves over time. This also will save you thousands from paying a legal team to update manually or even worse forgetting to update and getting fined for non-compliance.
- Key Features:
- Automatic Scanning: The tool automatically scans your website to detect any new cookies and updates the cookie policy accordingly.
- Detailed Classification: Cookies are classified into categories such as strictly necessary, performance, functionality, or targeting, ensuring that users are fully informed.
- Key Features:
3.3. Explicit Consent Collection
- The platform ensures that user consent is collected in adherence with the My Health My Data Act. It records the exact time and date of user consent, allowing businesses to demonstrate compliance during audits or legal challenges.
- Key Features:
- Consent Tracking: Detailed logs of when and how user consent was collected.
- Opt-out Management: We found that its important to make it easy for users to revoke consent, with opt-out options clearly displayed at all times.
- Key Features:
3.4. Compliant Data Retention and Expiry
- Our tools automatically manage cookie expiration and data retention, ensuring that cookies related to health data are not retained longer than necessary.
- Key Features:
- Automated Expiry: Cookies are set to expire after a predefined period, preventing the long-term storage of sensitive health data.
- Data Minimization: The platform ensures that only the minimum necessary data is collected and retained, in line with the Act’s data minimization principles.
- Key Features:
3.5. Customizable Opt-Out Mechanisms
- Businesses using Captain Compliance Data Privacy Software Solutions for MHMDA can offer users simple and effective opt-out mechanisms. These tools make it easy for users to opt out of having their data collected by non-essential cookies, ensuring that businesses meet the My Health My Data Act’s requirement for user control over data collection.
- Key Features:
- Simple Opt-out Buttons: Clear and accessible options for users to manage their cookie preferences.
- Full Transparency: Users are given the ability to opt out at any point, with full transparency about what data is collected and used.
- Key Features:
Washington’s My Health My Data Act represents a significant step forward in data privacy, with stringent requirements around the collection, use, and sharing of health-related data. For businesses, this means carefully managing their cookie policies and ensuring that user consent is obtained and properly documented.
Our team of engineers have built a comprehensive solution to meet the cookie consent requirements of the MHMD Act, from customizable banners to dynamic cookie policy pages, explicit consent tracking, and opt-out mechanisms. With these tools, businesses can stay compliant, reduce legal risks, keep Washington State regulators happy, and build trust with your users by prioritizing data privacy and transparency.