Breaking Down the Washington State My Health, My Data Act With Mike Hintze

Intro 0:01

Welcome to the She Said Privacy/He Said Security Podcast. Like any good marriage we will debate, evaluate, and sometimes quarrel about how privacy and security impact business in the 21st century.

Jodi Daniels 0:22

Hi, Jodi Daniels here. I’m the founder and CEO of Red Clover Advisors, a certified women’s privacy consultancy. I’m a privacy consultant, and certified informational privacy professional providing practical privacy advice to overwhelmed companies.

Justin Daniels 0:36

Hello, Justin Daniels here I am a corporate m&a and tech transaction Shareholder at the law firm Baker Donelson. As part of my tech practice. I am very passionate about helping companies solve complex cyber and privacy challenges during the lifecycle of their business. I am the cyber quarterback helping clients design and implement cyber plans as well as help them manage and recover from data breaches.

Jodi Daniels 1:01

And this episode is brought to you by there was no ding there. Well Red Clover Advisors, we help companies to comply with data privacy laws and establish customer trust so that they can grow and nurture integrity. We work with companies in a variety of fields, including technology, ecommerce, professional services, and digital media. In short, we use data privacy to transform the way companies do business. Together, we’re creating a future where there’s greater trust between companies and consumers. To learn more, and to check out our best selling book data reimagined building trust one bite at a time, visit red clover advisors.com. Well, I am so excited for today’s discussion. I’ve been so excited since we have put this on the schedule. And Are you as excited as me? Are you ever not excited? I am not. There are times where I’m not excited. It does actually happen. But I’m really excited. Because this is such an important topic. And it’s so confusing. And everyone’s gonna have to wait because we are talking to Mike Hintze, who is a recognized leader in privacy and data protection, law policy and strategy. With more than 25 years of experience and privacy and data protection. Mike emphasizes pragmatic and actionable advice that enables his clients to meet their objectives while complying with the law and managing risk. Mike also teaches privacy law at the University of Washington School of Law and as a senior fellow with The Future of Privacy Forum. And today, we are going to dig into the Washington My Health, My Data Act, which is a fun and fascinating law. So Mike, welcome to the show, or as Justin sometimes says the mayhem. Thank you. I’m happy to be here. That’s where you start. Justin.

Justin Daniels 2:52

I see. I think you’ve had too much espresso.

Jodi Daniels 2:54

I didn’t have any espresso. It’s just one little tiny cup of coffee.

Justin Daniels 3:02

So Mike, talk to us a little bit about your personal career journey and how you got to your privacy work today.

Mike Hintze 3:09

All right, well, I mean, it goes back many, many years. After I graduated from law school, where there were no classes and privacy law, I did a clerkship and then I ended up at a DC based law firm in their international trade group. And I ended up exporting controls on encryption technology, which required export licenses way, way back in the mid 90s. And that got me into sort of the tech world. And I was working with a bunch of startup Silicon Valley companies like Sun Microsystems and Netscape and the like. And then I learned that Microsoft was looking for somebody to do their export control work. And so I applied for that job. And having grown up in Seattle, I was very excited about potentially moving back to the Northwest, and I got that job. And then, so that would have been in 98. And three months after I started, the Clinton administration relaxed the export rules on encryption technologies, and my job sort of went away. And my boss said, Well, there’s this new European Directive on privacy, maybe you should start focusing on that, because you know, encryption is about data security, and that’s related to privacy. And I was like, Sure, I’ll run with that. And so I was kind of the first lawyer at Microsoft to be focused kind of full time on privacy. And boy grew and grew from there. And I was at Microsoft for 18 years. I was chief privacy counsel there. And then, you know, after that my or around that time, my wife, who was also a privacy lawyer, we met through privacy started this firm. And I told her, you know, if this thing takes off, I might join you in a couple years. And that’s exactly what happened. And so in 2016, I left Microsoft and joined her. And we’ve been building this practice ever since.

Jodi Daniels 5:15

That’s so fun to hear a privacy connection story like that. I love that.

Justin Daniels 5:22

Like, maybe you need to have your own podcast, if there’s an original idea of the best name for something like that.

Jodi Daniels 5:34

Well, like I shared at the beginning, I’m really excited, because today we’re going to dive into the Washington My Health, My Data Act. And I think one of the very first pieces is to explain who it applies to, and set some kind of ground rules about this law.

Mike Hintze 5:53

Yeah, well, I mean, it’s very, very broad. And we can talk about the breadth in terms of the data it covers, but in terms of the entities that it covers, it can apply well beyond the boundaries of Washington State. It applies to any company that is doing business in Washington and making or developing or making available products or services in Washington. So that could literally be any website or any app that’s available to Washington State residents. And then, in terms of what, you know, consumer data it covers the definition of consumer under this Act includes any person who was a resident of Washington, or whose consumer health data is collected in the state of Washington. But the definition of collected is not what you think the definition of collected includes the word processed. So any data that’s processed in Washington, it becomes within scope of this, and where are two of the largest cloud service providers headquartered in Washington State with large data center footprints in Washington State. So potentially, for a company that’s outside of Washington State, that is collecting information from a person outside of Washington State, but then processes that information in a cloud server located in Washington State, that data is potentially covered by this act. So it can have extremely broad extraterritorial application.

Justin Daniels 7:26

So Mike, as we start to get into this particular law, is there anything about the legislative history that you think is important to talk about, like what you just said, alludes to the fact that the legislature kind of decide as part of this law, some of the big tech companies or big data centers, we want to bring those people to heel? And that’s why the definition seems to be so broad, dragging in our thoughts around that.

Mike Hintze 7:50

Yeah, I mean, it’s an interesting question. I think one of the factors to keep in mind is that this law emerged in the wake of the Dobbs decision. And in a progressive state like Washington, there was a lot of concern about the threats to reproductive healthcare and other sensitive healthcare environments where the data is not protected by HIPAA. And because reproductive healthcare, gender affirming care, other healthcare procedures are under threat in certain parts of the United States, I think there was an intentional desire to have this law be as broad as it can be in terms of its application. And so attempts to try to scale it back both in terms of the geographic impact it could have, or the scope of the data that could cover were not very successful during the legislative session in which this was passed.

Jodi Daniels 8:59

Speaking of being really broad, intentionally, the definition of consumer health data is also really broad. And I was hoping that you could share a little bit more about what that definition may include. Yeah,

Mike Hintze 9:14

it includes just about everything. So it’s got two parts to it. Its consumer health data is defined in the first part in a general sense. Data that is linked or reasonably linkable to a consumer that identifies the consumer’s past present or future physical or mental health status. But then there’s a second part of the definition that says For purposes of this definition, physical or mental health status includes but is not limited to, and then there’s a long laundry list of things that are, you know, by definition included within this and some of them are incredibly broad. The term bodily functions is in there which could include things like, you know, dyed estrogen, which could be about, you know, what you eat and the like. But the broadest one is potentially, I’ll just read it here, data that identifies a consumer seeking healthcare services. And in turn, the term healthcare services is defined as any service provided to a person to assess, measure, improve or learn about a person’s health. So you can imagine a gym certainly provides services to help somebody improve their health, and internet search engine provides a service that allows people to learn about health. A grocery store that’s providing nutrition tips could be viewed as providing a service that allows people to learn about or improve their health. So you can imagine that this could be interpreted in a very broad way. And there’s other parts of the definition and includes biometric data, biometric data is defined very broadly to include the imagery of a virus, RetinA, fingerprint, face, and etc, from which an identifier a template can be extracted. Not that it is but can be some potentially, a sufficiently clear image of the human face is biometric data and therefore consumer health data under this law. And there’s a number of other examples where you can, you know, imagine that this could be interpreted and applied incredibly broadly. And, you know, we’ll get to enforcement, I’m sure. But there’s a private right of action here. So the incentives for the plaintiffs bar to look at this incredibly broad definition and try to apply it in a broad set of cases to a broad set of data is, you know, there’s a lot of incentive to do that.

Jodi Daniels 11:43

One of the other pieces that’s also important is that I feel like might help companies here. Is there some provisions for small companies and an effective date and larger companies? Can you share a little bit of what small is under this?

Mike Hintze 11:59

This law? Yeah, there is a definition of, of small business. It’s defined by the number of records that that one processes, I think there’s a revenue threshold. But all of the substantive requirements are exactly the same. There is no relief in terms of the subsequent requirements for small businesses, the only thing that’s different is it pushes the effective date out three months, most of this law comes into effect March 31. For most businesses, unless it’s a small business, in which case it comes into effect June 30 of this year. Okay.

Jodi Daniels 12:38

I have like 4,000 more questions. But Justin, you might have some too.

Justin Daniels 12:46

So can you talk a little bit about what’s some of the special requirements under this law as it relates to a privacy notice?

Mike Hintze 12:53

Yeah, that’s an interesting question, because the Attorney General has issued some guidance, and they updated it just earlier this week related to privacy notice, which I’ll get to. So this lot if you’re collecting consumer health data, and again, we talked about how incredibly broad that definition is. So you know, potentially capturing anything having to do with health or wellness or fitness and nutrition are the like, the law suggest that I suggest says that there shouldn’t be a consumer and health data privacy policy. And this consumer health data privacy policy, has certain specified things that must be in it. A lot of those things are probably covered in the company’s general privacy policy already. But this consumer health data privacy policy needs to contain those and things that are more specific to the consumer health data that the company is collecting. And then there’s a number of requirements that are relatively new, like you need to have a specific list of every affiliate with when with which, with which consumer health data would be shared, which is, you know, unusual and not typical, and what would be in a privacy notice. And then it says that there needs to be a link to this consumer health data privacy policy from the company’s homepage. And here’s another example where they use a word that isn’t what you think it means, because homepage is defined as any page of a website on which personal information is collected, not limited to consumer health data, any page on which personal information is collected, and personal information includes IP address. And because that’s kind of how the internet works. That means every single page of a website needs to have the link to this consumer health data privacy policy. Now a lot of companies were looking at this and saying okay, well there needs to be this consumer health data privacy policy. Most of what has to be in this is already in my privacy notice. Can I just make this a separate section of my privacy notice, can I have a few extra things to my privacy notice? And then linked to that? Does this requirement about a link truly mean a separate link? Or can I leverage the privacy link that’s already there, and then maybe deep link within my privacy notice to the relevant information, while the Attorney General updated their FAQ earlier this week and said, No, no, it’s a separate link. And this has to be a separate document that has just the things that are required for this consumer health data privacy policy, and nothing else. So welcome to another privacy footer link.

Jodi Daniels 15:38

It seems like, you know, as you shared, many companies will have some of that information in the other place, it does seem like it’s going to end up being a little bit duplicative for the average reader.

Mike Hintze 15:50

That’s the thing. That’s frustrating. I mean, I think, you know, I get why laws are written in this way that it says, Well, here’s the things we think are the most important, there should be a document that just has that and a bunch of other stuff that’s going to be distracting. But the end result is that you know, websites, now we’re going to have a link for a general privacy notice, they might have a link for a cookie notice, they might have a link for California specific and certainly for the California, you know, opt-outs and privacy choices that are required. And now this Washington law consumer that’s looking at this and says I just want to know, what data is collected, you know, which of these five links to I go to? And it’s, you know, it’s not consumer friendly. And it’s not business friendly. So that’s why I find it really frustrating.

Jodi Daniels 16:39

I would agree with that theory, it’s a frustration, you’re gonna share your frustration,

Justin Daniels 16:44

I’m gonna say it’s defeating the whole purpose of why you have to notice there to make it understandable by the consumer. But if there’s five different lengths, it’s pick your own adventure and defeats the whole purpose of the law.

Jodi Daniels 16:54

Yeah. So one of the other interesting provisions is around geofencing. And that there are some specific geofencing criteria and under a variety of scenarios. And so Mike, I was hoping you could share a little bit more about that as well.

Mike Hintze 17:12

Yeah, and under this law, there’s a prohibition on certain uses of geofencing. And I want to emphasize this is a prohibition — consent cannot overcome this, you just cannot do it. So they’re prohibited using a geofence, which is defined as using location information to create a virtual perimeter around a physical location. It prohibits using a geofence, around locations that provide in person healthcare services. And we already talked about how broad that definition of healthcare services is. So any any location that provides in person healthcare services, putting a geofence around that, where the geofence is used to identify or track consumers seeking healthcare services, again, very broad, collect consumer health data, again, very broad, or send notifications, messages or advertisements to consumers related to consumer health data or healthcare services. So for example, if you have a, you know, a facility that’s a retailer with a pharmacy in it clearly that retailers providing healthcare services. So if you use location based information to show an ad to somebody coming into that location that says, hey, we’ve got 20% off of your purchases today, is that prohibited? Well, it’s a little bit unclear, you know, I would argue no, because that 20% off is not specific to healthcare data, or healthcare services, right. And you could be using it to buy gum, or some other product. But if the facility is more specific to healthcare, and the advertisement is around something that couldn’t be viewed as a healthcare service, or that 20% off because of the specificity of the location, is inevitably going to be used for healthcare services. That seems like it might be prohibited. Again, and also, you know, you might be collecting information like, you know, this this person or this IP address, walked into this facility today, if it’s a general facility, and you know, there might be non-health products or services and health products or services, that’s probably okay because not collecting, you know, health, consumer health data. But again, if the facility is specific enough, the mere entry into that could be considered healthcare data, because it indicates somebody is trying to obtain a healthcare service or healthcare product.

Jodi Daniels 19:50

So it seems like a yoga studio, a health, fitness place, a physical therapy kind of place might be one of those where consents that we’re going to talk about next would not work. And you just could not do any type of advertising in those places based on location based on entering that perimeter.

Mike Hintze 20:11

Yeah.

Jodi Daniels 20:13

Okay. So let’s move to consent, because that’s another interesting area where there’s some really specific special provisions. And, you know, there’s opt in consents and requirements. And so what I was hoping here is you can share, just like you’ve done a little bit of that definition, and perhaps some examples or scenarios where it would be okay to use consents, and where they probably might not need it.

Mike Hintze 20:41

Yeah, so there’s a couple of different provisions around consent. The definition of consent is GDPR. Like, it’s based on GDPR language. So the consent has to be specific, unambiguous, informed, etc. So no bundled consent, no, nothing on page 17 of the Terms of Use assessed to be affirmative action that is specific to something. So you need opt-in consent to collect or process or share consumer health data, unless it is necessary to provide the consumer requested product or service. Or there’s one security related exception in the law. So there’s certain security related uses of data that don’t require consent. But beyond that, anything that is beyond what’s necessary to provide the consumer requested product or service would require opt in level consent. And you need a separate consent for collecting or processing the information versus sharing the information. So if you’re collecting it and intend to share it for a purpose, that’s not necessary to provide the consumer request, product or service, you would need two separate opt-in choices there. There’s also a consent provision for doing anything that’s beyond what’s disclosed in the privacy policy. So my advice there is write the privacy policy, that’s broad enough so that that’s not going to be triggered. But though the most significant one, is this thing about consent for anything that’s beyond what’s necessary to provide a consumer requested product or service? And the big question in my mind, there is how strictly we’ll look forward to interpret necessary, are we talking strictly necessary or reasonably necessary? If we’re talking strictly necessary, you can imagine that somebody’s going into a pharmacy and buying cold medicine. And the thing that is strictly necessary is to fulfill that transaction, right? You take the money, you give them the cold medicine, whom you want them done. Can you use the information about that purchase for inventory control? For auditing for tax purposes? Is that strictly necessary to do the thing that the consumer requested? No. Is that reasonably necessary to support the business that enables that transaction to take place? Yes. So I think there’s a big gap there, I think most companies are going to interpret this as reasonably necessary because you have no choice not to write, there’s certain things you just have to do, beyond, you know, strictly fulfilling that transaction or strictly providing that service. So that’s a big, big question. I think, you know, again, private right of action, the plaintiffs bar will be aggressive on this point. But potentially, beyond that. Another interesting issue here that I’ve talked to a number of companies about is, okay, well, what does it mean to provide the product or service that the consumers requested? There’s some personalization that’s inherent in the product that I’m providing, is that strictly necessary? You know, or, you know, can a non personalized version of it be provided and you get consent for personalization? That’s a hard question. You know, I think it kind of comes down to what is the consumer’s reasonable expectation based on how you present the product to them? There’s some products that if you took the personalization away, they’d be crap. They wouldn’t meet what the consumer expects. There’s others where that personalization might be kind of viewed as kind of an extra unnecessary, it’s not really part of what the consumer asked for. So I think each company needs to kind of go through and say, Okay, what can I, you know, comfortably put into this bucket as data processing a data use, that is necessary to fulfill that thing that the consumer asked for right. And then for anything that would meet the definition of sale, and we are talking about a California Consumer Privacy Act, CCPA definition of sale requires not just opt-in consent. It requires an even higher level, it’s referred to as authorization under this statute. And that authorization requires a written and signed document that contains a bunch of specific disclosures that is revocable at anytime by the consumer and is only good for one year. And it’s you know, it’s kind of such a high level, so burdensome that the things that would qualify as a sale of personal data. You know, a lot of companies are just almost doing that as a prohibition because how onerous that authorization requirement is.

Jodi Daniels 25:27

On the idea of necessary — strictly or reasonably, let’s imagine, I’m an e-commerce shop, and I’m supplements. So I’m selling digestion supplements, as we talked about earlier. Well, I’ve come, I’ve put the supplements in the cart, I have to give you my name and my email for the confirmation, email and tracking. And now you process my order you send it to me, so I get it. Well, what often happens is a follow up a survey, leave us a review, here’s 10% off for the next email. Do we now have to have separate consent for marketing? Like we’re seeing it sometimes in other places? Because it might not be reasonably necessary to use my email to follow up on how did I enjoy the product, and please get me to buy more products, it would be necessary to use my data to send me what I bought, right?

Mike Hintze 26:25

I think the data that you’re using for that marketing falls into the bucket of consumer health data, the answer is yes, you do need opt in consent to use that data for a marketing or advertising purpose, because I think it’s pretty clear that the Washington Attorney General and likely the court would view that as a non necessary secondary use of personal data. Now, if they’re using the data, you know, in your example, if you’re sending a 20%, coupon to everybody to buy anything, and it’s not targeted based on the particular type of supplement or, you know, whatever product that they buy, you can make the argument that the mere, you know, email address and bat that they made a purchase at this store is not consumer health data, I think, you know, each company is going to have to look at that. On their own, I think, again, it will come back to how how specialized is, the product is the is the shop, you know, it’s very focused on health data such that you know, anybody who made a purchase there, you can infer something about their health status, that’s likely going to be considered consumer health data. And, you know, when I talk to people, I like to point out that this law is not happening in a vacuum, there are things that are happening at the FTC in terms of their enforcement on health data, things that are happening at HHS with respect to enforcement of HIPAA, that are coming to similar, increasingly aggressive positions on this. So there was an FTC enforcement action against a website that provides mental health counseling, and the FTC took the position that the mere information that this person visited this site is held data, because that high that that site is so specific, you can infer that somebody’s visiting that because they are interested in obtaining mental health services, right. And so in this example of the supplements, is the shop sort of equivalent, like, is this a shop that is, you know, focused on weight loss supplements? Is this a shop that’s focused on something else? Or is it broad enough that you can say, well, the mere fact that they bought something here isn’t to infer you know, anything really about the person. But again, if this is an ad that said, Hey, you bought this supplement, you might be interested in this supplement, I think that’s clearly going to be consumer health data, and a secondary use that would require consent.

Jodi Daniels 29:12

Really appreciate the level of detail. Those examples are very valuable. So thank you.

Justin Daniels 29:20

So — what do companies need to consider when we turn to the topic of individual rights?

Mike Hintze 29:27

Yeah, and the individual rights are in some ways similar to what we see on other laws. There are, you know, rights to access consumer health data and rights to request deletion of consumer health data. And of course, you know, we see these under other state laws, the comprehensive state laws in California and Virginia, Connecticut and on and on and on. But there are some things that are different here like much of this law, it tends to set a higher bar for anything that would fall within the bucket of consumer health data. So, for example, the right to access includes a right to obtain a list of all third parties and affiliates with which the entity has shared or sold the consumer health data. So if you are in the business of collecting data that would be considered consumer health data, you may have to update your processes to track this information such that a list of third parties could be generated. And that list of third parties that the consumer has the right to get asked to include an active email address or other online contact mechanism for every one of those third parties with which the consumer health data has been shared. So access that yeah, broader than what we’ve seen in other laws. The deletion right is even more concerning, because it does not have the exceptions that we see in virtually every other privacy law, around deletion rights. So for example, there is no exception, where there is a conflicting data retention obligation. So this is setting up a conflict of law situation, if you have an obligation to retain data, you know, whether it’s an obligation for legal purposes or, you know, litigation hold on to it or you know, you have some data retention obligation understand some certain regulation, or even when there’s a really compelling need to retain this data for, you know, auditing purposes, etc. There is no exception to deletion, the deletion, right? It’s a nearly absolute right. The only exception is that security exception that I mentioned earlier, if you need to retain data, for certain specified security purposes, that can be an exception to the deletion. Right, but there’s really no other exception.

Justin Daniels 31:59

Well, thank you for that. Given all of your background around privacy, what is your best privacy tip for our audience? EU privacy center for our land, personal privacy? Already? It can be personal or we’ve had, if you have one for business, that works too?

Mike Hintze 32:18

Well, I mean, for personal privacy, you know — that’s, I think that’s a hard question. Because, you know, everybody has different sensitivities around privacy, and, you know, often for very good reasons. And there’s no right answer about when, you know, you’re okay with having data shared or collected and when you’re not. So my personal tip is to just educate yourself, which is not always easy, because you know, the world is increasingly complex. But you know, the right choice for one person is not necessarily the right choice for another person, somebody might see benefits to sharing data in some way where another person who might have different vulnerabilities might see a real risk. So, you know, for educating yourself and for businesses, understand that people have different sensitivities, and different needs, and then different desires with respect to data, and make sure you are designing your products and services to accommodate all of that. Because, you know, it’s a good business decision to be able to offer something that everybody can be comfortable using, and having available privacy choices. And describing those in a way that are understandable and meaningful is the right thing to do from a business perspective as well.

Jodi Daniels 33:44

And when you are not advising clients on how to navigate these very complex privacy laws, what do you like to do for fun?

Mike Hintze 33:55

A lot of different things. My wife and I really enjoy live music, getting out and seeing bands trying to keep up with, you know, what’s new these days, which is not always easy. We kind of kind of lost some steam during COVID. But getting back into it now. And we’re also kind of whiskey connoisseurs who went to Scotland last year and took some courses in whiskey production and you know, learning about the different parts of the production process and how that affects the end flavor and all of that. And so we go to tastings and events on that as well.

Jodi Daniels 34:39

Well, Mike, you’ve shared so much very important information that I know people will find incredibly helpful. If they have more questions or would like to learn more and connect with you. Where should they go?

Mike Hintze 34:53

You can reach me at Mike@hintzelaw.com hintzelaw.com. Feel free to reach out to me anytime. If you’re more interested in more information on this topic, I’ve got a series of blogs on our website at hintzelaw.com on My Health, My Data, I’m happy to chat with anybody about this topic anytime.

Jodi Daniels 35:18

When you follow up. Thank you again. All right, my pleasure.

Intro 35:27

Thanks for listening to the She Said Privacy/He Said Security Podcast. If you haven’t already, be sure to click Subscribe to get future episodes and check us out on LinkedIn. See you next time.