Washington state is rapidly emerging as a national testbed for health privacy regulation with the My Health, My Data Act, a far‑reaching statute that goes well beyond conventional protections for medical records. Passed in 2023, the law is now under intense review by privacy lawyers, regulators and in‑house compliance teams because it targets the collection, use, disclosure and sale of consumer health data by a wide array of organizations – including many that have never been subject to HIPAA or other traditional health privacy regimes.
From period tracking tools and mental health apps to fitness wearables, pharmacy loyalty programs and search engines, the act is designed to regulate how health-related information is handled across the digital ecosystem. As of 2024, multiple states are considering similar “consumer health data” bills, and federal policymakers are watching closely to see whether Washington’s model becomes the new baseline – or a warning sign – for health privacy in the United States.
Below is a deeper look at the scope and impact of Washington’s My Health, My Data Act, the compliance obligations it creates, the litigation risk it introduces, and the practical steps organizations can take now to prepare.
1. How Far Does Washington’s My Health, My Data Act Reach?
1.1 A Shift From Traditional Health Care to the Entire Data Economy
Traditional health privacy frameworks, like HIPAA, primarily regulate covered entities such as hospitals, health plans and certain service providers. Washington’s My Health, My Data Act takes a very different approach: it focuses on who touches Washington consumers and what kind of data they process, rather than on whether they are part of the health care system.
Any organization that conducts business in Washington, or targets products and services to Washington residents, and processes consumer health data may fall within the law’s scope. This can include:
- Hospitals, clinics and telehealth services
- Wellness, meditation, and mental health apps
- Fertility and menstrual cycle tracking platforms
- Wearables manufacturers and connected device makers
- Ad tech intermediaries, analytics providers and data brokers
- Retailers running in‑store analytics or loyalty programs that generate health inferences
The trigger is the consumer relationship, not where the company is incorporated or headquartered. A startup based in another state (or even another country) may still have obligations if Washington residents use its services or visit its website.
1.2 What Counts as “Consumer Health Data”?
A central reason the act is so consequential is its expansive definition of consumer health data. The law covers information that:
- Identifies or can reasonably be linked to an individual, and
- Relates to the person’s physical or mental health, diagnosis, treatment, health status, or inferences about health.
This means that data does not have to be a formal medical record to trigger obligations. Examples include:
- Heart rate or step counts captured by a wearable
- Fertility predictions generated by an app
- Purchase histories used to infer pregnancy, chronic illness, or mental health status
- Location data showing visits to clinics, pharmacies, counseling centers or reproductive health facilities
Because of these broad definitions, marketers, analytics providers, and platforms that profile users – even if they never see a medical chart – may now be regulated as handlers of consumer health data.
Illustrative coverage snapshot:
- Covered: Digital health platforms, fitness and period tracking apps, telehealth providers, data brokers monetizing health‑related segments
- Covered: Employers running wellness or health programs for Washington-based employees
- Likely covered: Retailers and online platforms that infer health traits from purchases, behaviors, profiles or geolocation
- Generally excluded: HIPAA-covered entities and HIPAA-regulated data, to the extent those activities are already governed by federal law
1.3 Types of Organizations and Relative Risk
Different actors face different levels of risk under the act, depending on how central health data is to their business model:
| Actor | Role Under the Act | Risk Level |
|---|---|---|
| Fertility tracking app | Primary data controller | High |
| Ad tech network | Processor and profiler | High |
| Wearable device maker | Collector and sharer | Medium |
| Brick-and-mortar retailer | Incidental collector | Variable |
High‑risk entities are those whose products are built on continuous health data flows or sensitive inferences, while “incidental” collectors may still face risk when health-related analytics or targeting are layered onto seemingly routine activities.
2. Core Compliance Duties for Businesses Handling Consumer Health Data
2.1 Consent as a Cornerstone Requirement
Under Washington’s My Health, My Data Act, consent is no longer a box‑ticking exercise buried in lengthy terms of service. Organizations must obtain clear, informed, opt‑in consent before:
- Collecting consumer health data
- Using that data for a new or secondary purpose
- Sharing or selling it to third parties
Different purposes require separate consents. For example:
- One consent for providing a wellness service
- A distinct consent for using the same data for targeted advertising
- Another for selling data segments to third-party brokers
Consumers must be able to revoke consent easily, and revocation should be as simple as giving consent in the first place.
2.2 Data Minimization and Purpose Limitation
The act embeds principles of data minimization and purpose limitation:
- Only collect the consumer health data that is strictly necessary for the stated service or feature.
- Avoid open‑ended, catch‑all purposes that allow for broad downstream uses.
- Do not repurpose health data for unrelated activities (e.g., cross‑context advertising) without obtaining refreshed, explicit consent.
This applies not only to obvious health providers, but also to:
- Retailers selling health-related products
- Platforms that use geolocation to infer clinic visits
- Employers running wellness challenges, biometric screenings, or fitness incentives
2.3 Transparency, Security and Consumer Rights
Organizations that process consumer health data must update their privacy infrastructure to align with the act’s expectations. Key obligations include:
- Explicit consumer consent for collection, sharing and sale of consumer health data
- Detailed privacy notices that explain:
  - What categories of health data are collected
  - For what purposes
  - With whom data is shared or sold
  - How long data is retained
- Operational rights workflows to handle:
  - Access requests
  - Deletion requests
  - Questions about how health data is used
- Enhanced security controls commensurate with the sensitivity of health-related information
- Limits on geofencing and tracking around health facilities, such as reproductive health clinics, mental health offices or addiction treatment centers
Compliance focus areas and consequences of inaction can be summarized as follows:
| Compliance Area | Key Requirement | Risk if Ignored |
|---|---|---|
| Consent | Standalone, opt-in, revocable | Unlawful collection claims |
| Transparency | Plain-language health data notice | Deceptive practice allegations |
| Data Rights | Timely response and verification | Regulatory complaints, disputes |
| Security | Technical and organizational controls | Breaches, statutory damages |
| Geolocation | No covert geofencing around clinics | Enforcement actions, litigation |
3. Enforcement Pressure, Legal Uncertainty and Litigation Trends
3.1 A New Playground for Regulators and Plaintiffs
Because the My Health, My Data Act includes a private right of action, it opens the door not only to regulatory enforcement but also to lawsuits brought by individuals and class action firms. Plaintiffs’ attorneys are already experimenting with novel theories that stretch the statute’s broad definitions.
Investigators and litigators are expected to scrutinize:
- Retailers that infer health conditions from purchase histories or loyalty cards
- Ad-tech vendors using hashed identifiers or device IDs to build health-related profiles
- Websites embedding tracking pixels, SDKs or session replay tools on health-related pages
- Geolocation data that reveals visits to clinics, pharmacies or counseling centers
Practices that once seemed routine – like passing pseudonymous identifiers to analytics platforms – could be framed as unauthorized disclosures or even “sales” of consumer health data.
3.2 Emerging Theories and Litigation Patterns
Early cases and demand letters are likely to revolve around several themes:
- Creative pleading theories arguing that tracking technologies (pixels, beacons, SDKs) amount to unlawful “collection” or sharing of consumer health data without valid consent.
- Bundled claims that combine Washington’s health data rules with broader state consumer protection statutes, amplifying potential liability.
- Cross‑border exposure, where out-of-state or global companies are sued because a Washington resident accessed their digital service.
- Class action dynamics, driven by statutory damages and the expansive definition of “consumer health data,” making it easier to argue that large groups have been similarly affected.
The following table highlights typical litigation vectors and associated risks:
| Litigation Trend | Primary Target | Key Risk |
|---|---|---|
| Pixel and SDK tracking suits | Hospitals, digital health apps | Unauthorized disclosure of visit data |
| Loyalty and coupon programs | Retail pharmacies, grocers | Profiling sensitive conditions from purchases |
| Ad-tech and data brokers | Third-party vendors | Downstream “sale” of health-related segments |
| Dark pattern allegations | Consumer-facing platforms | Invalid consent for data sharing |
With U.S. health data breaches affecting tens of millions of individuals annually according to recent federal breach reports, the combination of heightened public concern and new statutory tools makes the litigation environment particularly active.
4. Preparing Your Organization for Expanded Health Data Rules
4.1 Build a Holistic Map of Health Data Flows
Privacy and security teams are responding by translating statutory text into concrete operational safeguards. A common starting point is a comprehensive data inventory and mapping exercise that traces how consumer health data:
- Is collected (including inferred or derived data)
- Moves between systems, business units and vendors
- Is used for analytics, personalization, or advertising
- Is stored, retained and ultimately deleted
Organizations are frequently:
- Refreshing and refining data maps to specifically tag consumer health data
- Implementing purpose-based tagging within consent and preference management tools
- Strengthening vendor management so that contracts include clear limitations on secondary use, sale, and re‑identification of health-related information
4.2 Reassess Tracking Technologies and Health-Adjacent Campaigns
Given the statute’s focus on geolocation and sensitive inferences, many organizations are urgently reevaluating their tracking stack:
- Auditing all pixels, SDKs, cookies and session replay tools on sites and apps that may touch health-related journeys
- Disabling, re‑scoping or configuring tools so they do not collect consumer health data absent valid consent
- Segmenting health-related traffic from general analytics data where feasible
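The consent rules in section 2.1 (a separate, revocable opt-in for each purpose) and the tracking-stack steps above (gating tags on consent, keeping health-related traffic out of general analytics) can be combined into a small client-side gate. The following is an added example written for this article, not code from the article's author, the statute or any tag-management vendor; the purpose names, path prefixes and tag stack are constructed for illustration and would be replaced by a site's own inventory.

```javascript
// Added example (not from the article): a consent-gated tag loader that applies
// purpose-specific, revocable opt-in consent before a tracking tag may run, and
// keeps health-related page traffic out of general analytics.
// All purpose names, path prefixes and tag definitions below are constructed
// for illustration; they are not taken from the statute or any real site.

const PURPOSES = Object.freeze({
  SERVICE: "service",         // needed to deliver the feature the user asked for
  ANALYTICS: "analytics",     // first-party measurement
  ADVERTISING: "advertising", // sharing with ad networks
  SALE: "sale",               // selling segments to brokers
});

// Constructed path prefixes that this site treats as health-related journeys.
const HEALTH_PATH_PREFIXES = ["/conditions/", "/pharmacy/", "/telehealth/", "/fertility/"];

function isHealthRelatedPath(path) {
  return HEALTH_PATH_PREFIXES.some((prefix) => path.startsWith(prefix));
}

// One explicit decision per purpose; a missing entry means no consent was given.
function createConsentRecord() {
  return { decisions: {} };
}

function grantConsent(record, purpose, timestamp) {
  record.decisions[purpose] = { granted: true, at: timestamp };
  return record;
}

// Revocation is a single call, mirroring the one-step grant.
function revokeConsent(record, purpose, timestamp) {
  record.decisions[purpose] = { granted: false, at: timestamp };
  return record;
}

function hasConsent(record, purpose) {
  const decision = record.decisions[purpose];
  return decision !== undefined && decision.granted === true;
}

// Decide whether a single tag may load on the given path.
// Returns { allowed, reason, destination } so every decision can be logged for audit.
function mayLoadTag(tag, path, record) {
  const healthPage = isHealthRelatedPath(path);

  if (tag.purpose === PURPOSES.SERVICE) {
    return { allowed: true, reason: "required to deliver the requested service" };
  }

  // Sharing or selling needs its own consent on every page; consent given for
  // one purpose (e.g. analytics) never carries over to another.
  if (tag.purpose === PURPOSES.ADVERTISING || tag.purpose === PURPOSES.SALE) {
    return hasConsent(record, tag.purpose)
      ? { allowed: true, reason: `explicit ${tag.purpose} consent on record` }
      : { allowed: false, reason: `no ${tag.purpose} consent on record` };
  }

  if (tag.purpose === PURPOSES.ANALYTICS) {
    if (!healthPage) {
      return { allowed: true, reason: "general page, no health inference", destination: "general" };
    }
    // A page view on a health-related path can itself reveal health status, so
    // it needs analytics consent and is routed to a segregated property.
    return hasConsent(record, PURPOSES.ANALYTICS)
      ? { allowed: true, reason: "analytics consent on record", destination: "health-segmented" }
      : { allowed: false, reason: "health-related page without analytics consent" };
  }

  return { allowed: false, reason: `unknown purpose "${tag.purpose}": default deny` };
}

// Evaluate the whole tag stack for a page and return the names of tags that may run.
function allowedTags(tags, path, record) {
  return tags.filter((tag) => mayLoadTag(tag, path, record).allowed).map((tag) => tag.name);
}

// Constructed tag stack for a walkthrough.
const TAG_STACK = [
  { name: "session-auth", purpose: PURPOSES.SERVICE },
  { name: "site-analytics", purpose: PURPOSES.ANALYTICS },
  { name: "ad-pixel", purpose: PURPOSES.ADVERTISING },
  { name: "segment-broker-sdk", purpose: PURPOSES.SALE },
];
```

Two design choices carry the compliance point: unknown purposes are denied by default rather than allowed, and consent is keyed by purpose, so a user who opted in to analytics has not thereby opted in to advertising or sale. The `reason` and `destination` fields are returned rather than just a boolean so the loader's decisions can be written to an audit log, which is what a regulator or plaintiff will ask for when a pixel is alleged to have fired on a clinic or pharmacy page.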
Marketing teams are likewise reviewing:
- Health-adjacent campaigns that target users based on behaviors, purchases or demographics that could reasonably relate to health status
- Retargeting and lookalike audience strategies that use health-related segments or inferences
4.3 Update Privacy Notices, Conduct DPIAs and Train Teams
To move from policy to practice, organizations are:
- Refreshing privacy notices and just‑in‑time disclosures so they:
  - Explicitly describe consumer health data processing
  - Address tracking, geolocation, and health inferences with specific, non‑boilerplate language
- Conducting Data Protection Impact Assessments (DPIAs) or similar risk assessments for:
  - New health-related features
  - AI‑driven health risk scores or recommendations
  - Advanced analytics or cross‑device profiling involving health data
- Rolling out targeted training for:
  - Product teams designing health-related experiences
  - HR teams managing wellness or benefits data for Washington employees
  - Customer support teams handling sensitive consumer interactions
Sample roadmap of priority actions:
- Reassess health-adjacent marketing campaigns for targeting criteria that may fall within the act’s broad definition of consumer health data.
- Update privacy notices and just‑in‑time disclosures to clearly address tracking technologies, location data and health-related inferences.
- Implement DPIAs focused on new health settings, AI tools or analytics models, and document risk mitigation strategies.
- Train product, HR and customer support teams on what qualifies as consumer health data and when to elevate issues to legal or privacy teams.
These steps are often coordinated under a cross‑functional governance structure:
| Priority Area | Action | Owner |
|---|---|---|
| Data Inventory | Flag health-related fields and inferences | Privacy + Data Governance |
| Tracking Tech | Disable or re-scope risky pixels/SDKs | Marketing + IT |
| Vendor Risk | Amend DPAs for health data restrictions | Procurement + Legal |
| Workforce Training | Roll out scenario-based microlearning | Privacy Office |
In parallel, many organizations are treating potential exposures of consumer health data as high‑severity incidents, updating:
- Incident response playbooks
- Forensic investigation procedures
- Notification templates and escalation paths to executives and boards
5. The Bigger Picture: What Washington’s Approach Means for Health Data Privacy
As Washington’s My Health, My Data Act moves from legal text to on‑the‑ground enforcement, it is forcing organizations in and outside the state to rethink their data practices. The law’s:
- Broad definition of consumer health data
- Emphasis on opt‑in consent and geofencing restrictions
- Availability of a private right of action
collectively signal a more assertive approach to regulating sensitive information than what many U.S. companies are used to.
For privacy leaders, the effects extend far beyond Washington’s borders. Any company with digital touchpoints that might reach Washington consumers needs to:
- Revisit data maps and records of processing
- Redesign consent and preference flows
- Tighten contracts with vendors and ad-tech providers
- Monitor guidance, enforcement actions and court decisions that clarify gray areas in the statute
At the same time, policymakers and advocacy groups across the U.S. are closely observing whether Washington’s model improves consumer trust and reduces misuse of sensitive health-related information – and whether it can be replicated in other jurisdictions.
Looking ahead, the act is likely to:
- Test the boundaries between sector‑specific health regulations like HIPAA and broader, cross‑cutting privacy laws
- Influence how “sensitive data” is defined in future state and federal initiatives
- Accelerate the expectation that individuals should have meaningful control over health-related data generated far outside the doctor’s office
What is already clear is that “health data” can no longer be treated as the sole domain of hospitals, clinics and insurers. Consumer health data now touches retailers, platforms, employers, app developers and ad-tech ecosystems. For many of these organizations, complying with Washington’s My Health, My Data Act will require not just minor policy tweaks, but a fundamental redesign of how they collect, analyze, share and secure some of the most intimate information they hold.