In 2008, the Illinois legislature passed the Illinois Biometric Information Privacy Act. The first privacy act in the nation — enacted less than a year after the smartphone was invented — was intended to provide protections for Illinois consumers with regard to their biometric information. Yet, as the online ecosystem evolved, the bill quickly became outdated in its overbroad definitions and creaky operational mandates.
That a statute regulating technology became outdated is hardly surprising, but BIPA also contained an extremely punitive private right of action that, combined with court decisions such as the recent Cothron v. White Castle case, which strain the bounds of logic, has turned the statute into the single most toxic privacy statute in the nation.
In the 15 years since its passage, not a single state has replicated BIPA. But last week, Governor Jay Inslee, D-Wash., signed the My Health My Data Act, which in many ways lays the groundwork for a similar outcome to Illinois — overbroad definitions and confusing operational provisions overlaid with an incendiary private right of action that ensures Washington state will quickly become the new home for trial lawyers as they look to open a new spigot in punitive class action lawsuits.
When drafts of the MHMDA began circulating in October 2022, the business community responded by immediately communicating to the sponsors and key legislators that it understood the gravity of the issue at hand – individuals' personal health data could be weaponized in a post-Dobbs landscape – and signaled its intent to work on the legislation without altering its intent. Unfortunately, the business community's goodwill and hundreds of hours of effort was for naught.
From a compliance standpoint, several significant issues stand out and are sure to be problematic as companies work to design bespoke compliance programs just for Washington's law.
While compliance problems are front of mind for many of us, we must also be careful not to lose sight of how this will impact consumers – specifically women with sensitive health data concerning reproductive health care and individuals seeking gender-affirming treatment. The business community repeatedly warned the legislature about the ultimate impact of this bill: it will require so many opt-in notifications for everyday activities that those opt-in notifications for collecting or sharing truly sensitive data — data regarding reproductive care or gender-affirming care — will be lost in the shuffle. What should be a clear and conspicuous alert, signaling the consumer to stop and think about whether they are comfortable having such data collected, will be obfuscated. In short: MHMDA will be a true test of "consent fatigue."
"Consumer health data" covers data that could be used as health data, even if the company is not using it as health data.
The definition of CHD has been concerning since day one. Its overbreadth was clearly evident in the way it was structured to apply to data that could be, but was not presently, used as health data.
In Illinois, one of BIPA's single greatest weaknesses is that it applies to data that does not actually identify a person. Virtual try-on features or social media filters that measure face geometry but do not identify an individual fall within the expansive bounds of the definition. Here, we see a similar issue.
The business community has been concerned about this, both because the overbreadth will likely end up confusing consumers about what is actually done with their data and because businesses may find themselves subject to this law even if they are not using personal data in an explicitly health-related context.
Unfortunately, amendments that would have clarified this definition by adding the phrase "personal information that is linked or reasonably linkable to a consumer and that the regulated entity uses to identify" the consumer's health status were not adopted in either chamber.
While there are opt-in requirements for the "collection" of CHD, the definition of "collection" is any processing in any manner.
Another component to the bill that may have significant effects on the everyday application to consumers – and contribute to the consent fatigue likely coming their way – is the definition of "collect." In this case it not only means what we would think of as collecting data, but also to "otherwise process consumer health data in any manner." The standard definition of process, "any operation or set of operations performed" on CHD, when combined with the definition of collect, means opt-in consent notifications may be required when "any operation" is performed on the wide swath of data classified as CHD.
Again, we see the parallels to BIPA. In BIPA, in part due to its age, there is no distinction between consumer-facing entities, "controllers" in most other privacy laws, and back-end vendors, "processors," meaning compliance can be nearly impossible for entities required to obtain consent from the consumer but never actually interact with them. In the MHMDA, companies may be faced with the compliance dilemma of obtaining consent not just for the collection of CHD, but for the "collection" of CHD, which could include deletion, storage or any other host of activities that fall under the umbrella of "processing."
This means consumers will be asked for consent multiple times to process the same types of data. Multiply this across the various websites we all use on a daily basis and one begins to see how frustrating the MHMDA will likely be for consumers and businesses alike. It is not hyperbolic to suggest the MHMDA will fundamentally change the way consumers experience online life in Washington state.
The private right of action requires compliance being viewed through litigation eyes
The MHMDA contains an extremely broad private right of action, unlike any other privacy law in the country besides BIPA. In Illinois, we have seen the consequences this has wrought, with more than 1,000 class action lawsuits in the last five years and only a single case going to trial. In other words, the clear outcome of the PRA has been to encourage frivolous lawsuits that bear very little, if any, connection to actually safeguarding or providing greater control over consumers' biometric privacy.
My fear is that Washington state is about to embark upon the same journey as Illinois, with devastating consequences to consumers' and businesses' willingness to operate within the state.
In providing a PRA, Washington's consumer protection statute sets forth criteria that a plaintiff must allege before being able to bring a claim, including that the alleged violation of a statute is not reasonable in relation to the development and preservation of business, is an unfair or deceptive act in trade or commerce and is an unfair method of competition. However, the MHMDA's PRA states any violation of the statute is a violation of these two elements, meaning plaintiffs, or class action attorneys more realistically, do not have to prove these elements.
In Illinois, we have seen lawsuits occur for any number of technical reasons that did not cause actual harm to the consumer. We are likely to see the same pattern begin in Washington.
Moreover, as with BIPA, companies cannot be blamed for interpreting the MHMDA from the most cynical, absurd angles. Not doing so could result in hundreds of thousands, if not millions, of dollars spent on frivolous litigation for perhaps a morsel of personal data unintentionally omitted from a deletion request or a technical glitch that causes an access request link to be inoperative for a matter of days. The fear is not hypothetical. We have watched it unfold over the past 15 years in Illinois.
At the beginning of the process, the business community was told this bill was primarily to protect the reproductive privacy of women, as well as the privacy of gender-affirming care. The MHMDA is more accurately described as an omnibus privacy bill that lacks most of the careful balancing we have seen in states that have adopted clearer, more comprehensive laws. Combined with a dangerous PRA, the MHMDA is likely to go into effect as a bill that will frustrate consumers, obfuscate opt-in notifications for truly sensitive data, and result in the degradation of the everyday services and online experiences that consumers expect.
Andrew Kingman is the president of Mariner Strategies LLC and works with various state lawmakers across the country on drafting state privacy legislation.
