Washington’s My Health My Data Act signed into law

Julie Rubash, Chief Privacy Counsel
May 1, 2023

Want to receive these weekly privacy recaps in your inbox? Sign up for our privacy newsletter, A Little Privacy, Please.

United States

Washington My Health My Data Act Signed

The Washington State Governor officially signed the My Health My Data Act, which will go into effect March 31, 2024.

The law will require obtaining freely given, specific, informed opt-in consent through a clear affirmative act on a purpose-by-purpose basis for the collection, sharing, sale or use of consumer health data, which consent cannot be obtained as part of broad terms of use, through deceptive design, or through a consumer closing a piece of content. 

The law also requires the extension of certain rights, such as the right to have consumer health data deleted, and includes a private right of action. 


Although the My Health My Data Act only applies to “consumer health data”, the definition and application of such term is broad enough to impact many entities that likely have not previously considered themselves to be involved in the processing of health-related data.

For example, the definition includes data identifying social and behavioral interventions, use or purchase of prescribed medications, bodily functions and vital signs, data that identifies a consumer seeking health care services, and health-related inferences derived or extrapolated from non-health data.  

Starbucks May Face a Class Action Over Cookie Settings

Class action attorneys have announced an investigation into whether Starbucks continues to use unnecessary cookies to track users on even after users have declined all but “required cookies” through the pop-up presented when visiting the website.

The investigation is requesting information from users in California, Pennsylvania and Florida to determine whether Starbucks broke “certain privacy and wiretapping laws”.


Class action lawsuits under state anti-wiretapping laws, especially the Pennsylvania Wiretapping and Electronic Surveillance Control Act (WESCA), have been filed with increased frequency since a 3rd-Circuit ruling in 2022 involving a website’s use of third-party tracking software. 

In that case, an appellate judge held that liability under WESCA, which prohibits the interception of electronic communication without consent, cannot be avoided by showing that the person making the interception was a direct party to the communication.

The decision notes that “WESCA is not so unreasonable” to “mean websites can never use cookies or third-party marketing companies to analyze customer data” and points to “the all-party consent exception, under which it is not unlawful for someone to intercept a wire, electronic or oral communication, where all parties to the communication have given consent to such interception”.   


Bill C-27 Passes Second House Reading

Federal Bill C-27, which would enact three laws: the Consumer Privacy Protection Act (CPPA), the Personal Information and Data Protection Tribunal Act, and the Artificial Intelligence and Data Act, has passed two readings in the House of Commons and will now be referred to the House Committee on Industry and Technology for consideration before a third reading. The first reading took place in June 2022.


The CPPA portion of the bill would amend the existing Personal Information Protection and Electronic Documents Act (PIPEDA) with respect to the collection and use of personal information for commercial activities.

The law would require consent except in the event of certain limited activities, such as for security or safety, to provide a product or service, or in the event of legitimate interest, which could not apply if the data is collected to influence the individual’s behavior or decisions or if a reasonable person would not expect the collection. 

Want more of the privacy highlights that matter to adtech and martech? Sign up for our privacy newsletter, A Little Privacy, Please.

A Little Privacy, Please weekly recaps are provided for general, informational purposes only, do not constitute legal advice, and should not be relied upon for legal decision-making. Please consult an attorney to determine how legal updates may impact you or your business.

Latest Blog Posts

Vermont Data Privacy Bill Is Vetoed

June 17, 2024

Vermont Governor announced his veto of a bill that...

You Are Who You Work With: Cookie Consent and Data Privacy

June 11, 2024

Who you work with for consent management and data...

Texas AG Prepares for “Aggressive Enforcement” of Privacy Laws

June 10, 2024

Texas Attorney General announced a data privacy and security...

Latest White Papers

Benchmark Report: US Privacy Compliance

August 19, 2022

The current state of publisher compliance with CCPA, and...

Ebook: A Publisher’s Guide to Vendor List Curation

December 16, 2021

How to review your vendor list to mitigate compliance...

Keep in touch

Sign up for our newsletter to keep up with privacy news for adtech and martech,
plus occasional company news.

Let's explore what we can do together.

We'll be in touch within 48 hours

[contact-form-7 id="593" title="Schedule a Demo"]