Washington My Health My Data Act and When a Separate Notice Is Required
Washington can require a separate consumer health data notice and a prominent homepage link.
Washington's My Health My Data Act focuses on consumer health data and uses a definition that reaches far beyond traditional medical records. It can pull in wellness, reproductive health, symptom, treatment, diagnosis, and health inference information that many businesses do not initially classify as sensitive.
When the Act applies, Washington requires a separate consumer health data privacy policy and a prominent homepage link to that notice. The statute treats this as a distinct disclosure product with its own content rules.
For businesses selling wellness products, offering health-related services, using health-focused quizzes, or drawing health-related inferences from user behavior, Washington can change both the notice format and the workflow behind the page.
The law can reach more businesses than the name suggests
The Act applies to regulated entities and small businesses that conduct business in Washington or target products or services to Washington consumers and determine the purposes and means of collecting, processing, sharing, or selling consumer health data. The important term is consumer health data, because the statute defines it broadly enough to include information that identifies a consumer's physical or mental health status, as well as data that can be used to infer that status.
That definition changes the review for many online businesses. A symptom checker, fertility app, supplement company, telehealth tool, therapy intake flow, or even a retailer using purchase behavior to infer a health condition may have a Washington notice issue even when the business describes itself in broader consumer terms.
Washington requires a separate consumer health data privacy policy
RCW 19.373.020 requires a consumer health data privacy policy that clearly and conspicuously discloses the categories of consumer health data collected, the purposes for which that data is collected and used, the categories of sources, the categories of consumer health data shared, the categories of third parties and specific affiliates with whom the data is shared, and how consumers exercise their rights.
The same section also requires your business to prominently publish a link to that consumer health data privacy policy on its homepage. If the law applies, your business needs more than a good general privacy page. It needs a separate notice, a separate link, and a clean boundary around the information that notice is supposed to contain.
The notice and the workflow have to stay aligned
Washington requires the notice to track the actual categories and purposes in use. When a business expands the categories of consumer health data it uses or the purposes for which it uses them, the notice and consent flow need to be updated with the same level of precision.
The business needs to know which health-related categories it collects, how those categories are used, who receives them, and how the rights workflow functions. If the internal data map is vague, the separate notice will be vague as well, and the defect will be visible on the page.
Consumer rights are part of the notice build
RCW 19.373.040 gives consumers rights tied directly to health data. Those rights include confirmation and access, withdrawal of consent where consent is the basis for collection or sharing, deletion, and appeal. A business that publishes the notice therefore needs a request path and an appeal path that can support those rights in practice.
That requirement looks familiar to anyone who has worked through omnibus privacy laws, but Washington uses it in a separate health data context. The request pathway should not be treated as an afterthought. If the separate Washington notice is published, your business should also be able to explain how a Washington consumer can act on it.
The Act reaches beyond the notice itself
Washington's Act also contains substantive restrictions that make the law more than a disclosure statute. One of the clearest examples is the geofence prohibition around in-person health care services when the geofence is used for tracking, collection, or targeted messaging tied to consumer health data. The Act also regulates the sale of consumer health data through a separate authorization structure.
Those features show that the homepage notice is only one part of the build. The separate policy is the visible output, and the operational review should also cover tracking, sharing, sales analysis, and any product features that touch physical health care locations or sensitive health inferences.
What to review before publishing a Washington notice
A Washington review should begin with the category analysis and then move into the separate notice and the homepage placement. The business should know exactly why the notice is being published and what data practices it is supposed to cover.
- Confirm whether your business collects, infers, shares, or sells consumer health data as the statute defines that term
- Build a separate consumer health data privacy policy instead of expanding the general privacy page
- Publish a prominent homepage link to that separate notice
- Map rights intake and appeal methods so the notice can identify a real workflow
- Review tracking, sharing, sale, and geofence issues alongside the notice itself
Key Takeaways
- Washington's My Health My Data Act can reach more businesses than the name suggests, because consumer health data includes health-related inferences as well as direct health information.
- When the Act applies, your business needs a separate consumer health data privacy policy and a prominent homepage link to it.
- The notice has to track real categories, sources, sharing practices, and rights procedures, which means the internal data map has to be clear before the page is published.
- Washington also regulates rights handling, geofencing, and the sale or sharing of consumer health data.