Washington’s My Health My Data Act signed into law

Want to receive these weekly privacy recaps in your inbox? Sign up for our privacy newsletter, A Little Privacy, Please.

United States

Washington My Health My Data Act Signed

The Washington State Governor officially signed the My Health My Data Act, which will go into effect March 31, 2024.

The law will require obtaining freely given, specific, informed opt-in consent through a clear affirmative act on a purpose-by-purpose basis for the collection, sharing, sale or use of consumer health data, which consent cannot be obtained as part of broad terms of use, through deceptive design, or through a consumer closing a piece of content. 

The law also requires the extension of certain rights, such as the right to have consumer health data deleted, and includes a private right of action. 

TAKEAWAY

Although the My Health My Data Act only applies to “consumer health data”, the definition and application of such term is broad enough to impact many entities that likely have not previously considered themselves to be involved in the processing of health-related data.

For example, the definition includes data identifying social and behavioral interventions, use or purchase of prescribed medications, bodily functions and vital signs, data that identifies a consumer seeking health care services, and health-related inferences derived or extrapolated from non-health data.  

Starbucks May Face a Class Action Over Cookie Settings

Class action attorneys have announced an investigation into whether Starbucks continues to use unnecessary cookies to track users on starbucks.com even after users have declined all but “required cookies” through the pop-up presented when visiting the website.

The investigation is requesting information from users in California, Pennsylvania and Florida to determine whether Starbucks broke “certain privacy and wiretapping laws”.

TAKEAWAY

Class action lawsuits under state anti-wiretapping laws, especially the Pennsylvania Wiretapping and Electronic Surveillance Control Act (WESCA), have been filed with increased frequency since a 3rd-Circuit ruling in 2022 involving a website’s use of third-party tracking software. 

In that case, an appellate judge held that liability under WESCA, which prohibits the interception of electronic communication without consent, cannot be avoided by showing that the person making the interception was a direct party to the communication.

The decision notes that “WESCA is not so unreasonable” to “mean websites can never use cookies or third-party marketing companies to analyze customer data” and points to “the all-party consent exception, under which it is not unlawful for someone to intercept a wire, electronic or oral communication, where all parties to the communication have given consent to such interception”.   

CANADA

Bill C-27 Passes Second House Reading

Federal Bill C-27, which would enact three laws: the Consumer Privacy Protection Act (CPPA), the Personal Information and Data Protection Tribunal Act, and the Artificial Intelligence and Data Act, has passed two readings in the House of Commons and will now be referred to the House Committee on Industry and Technology for consideration before a third reading. The first reading took place in June 2022.

TAKEAWAY

The CPPA portion of the bill would amend the existing Personal Information Protection and Electronic Documents Act (PIPEDA) with respect to the collection and use of personal information for commercial activities.

The law would require consent except in the event of certain limited activities, such as for security or safety, to provide a product or service, or in the event of legitimate interest, which could not apply if the data is collected to influence the individual’s behavior or decisions or if a reasonable person would not expect the collection. 

Want more of the privacy highlights that matter to adtech and martech? Sign up for our privacy newsletter, A Little Privacy, Please.

A Little Privacy, Please weekly recaps are provided for general, informational purposes only, do not constitute legal advice, and should not be relied upon for legal decision-making. Please consult an attorney to determine how legal updates may impact you or your business.