Washington My Health My Data Act: Definitions

Definitions

"Person" means, where applicable, natural persons, corporations, trusts, unincorporated associations, and partnerships, excluding government agencies, tribal nations, or contracted service providers when processing consumer health data on behalf of a government agency. Out-of-state entities that fall within the definition of person must comply with the Act's consumer health data sale and valid authorization requirements and geofencing prohibition.

"Regulated entity" means any legal entity that does the following.

• Conducts business in Washington, or produces or provides products or services that are targeted to consumers in Washington; and
• Alone or jointly with others, determines the purpose and means of the collecting, processing, sharing, or selling of consumer health data, excluding government agencies, tribal nations, or contracted service providers when processing consumer health data on behalf of the government agency. An entity that only stores data in Washington is not a regulated entity.

"Small business" means a regulated entity that satisfies one or both of the following.

• Collects, processes, sells, or shares consumer health data of fewer than 100,000 consumers during a calendar year; or
• Derives less than 50 percent of gross revenue from the collection, processing, selling, or sharing of consumer health data and controls, processes, sells, or shares consumer health data of fewer than 25,000 consumers.

"Processor" means a person that processes consumer health data on behalf of a regulated entity or a small business. Out-of-state entities that are processors for regulated entities or a small business must comply with the Act.

"Consumer" means a natural person that does the following.

• Who is a Washington resident; or
• Whose consumer health data is collected in Washington; and
• Who acts only in an individual or household context, however identified, including by any unique identifier, excluding an individual acting in an employment context.

"Collect" means to buy, rent, access, retain, receive, acquire, infer, derive, or otherwise process consumer health data in any manner.

"Process" or "processing" means any operation or set of operations performed on consumer health data.

"Sell" or "sale" means the exchange of consumer health data for monetary or other valuable consideration, excluding the exchange of consumer health data for monetary or other valuable consideration.

• To a third party as an asset that is part of a merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the regulated entity's or the small business's assets that complies with the requirements and obligations in the Act; or
• By a regulated entity or a small business to a processor when such exchange is consistent with the purpose for which the consumer health data was collected and disclosed to the consumer.

"Share" or "sharing" means to release, disclose, disseminate, divulge, make available, provide access to, license, or otherwise communicate orally, in writing, or by electronic or other means, consumer health data by a regulated entity or a small business to a third party or affiliate, excluding the disclosure.

• Of consumer health data by a regulated entity or a small business to a processor when such sharing is to provide goods or services in a manner consistent with the purpose for which the consumer health data was collected and disclosed to the consumer;
• Of consumer health data to a third party with whom the consumer has a direct relationship when the following occurs.
  • The disclosure is for the purposes of providing a product or service requested by the consumer;
  • The regulated entity or the small business maintains control and ownership of the data; and
  • The third party uses the consumer health data only at the direction from the regulated entity or the small business and consistent with the purpose for which it was collected and consented to by the consumer; or
• The transfer of personal data to a third party as an asset that is part of a merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the regulated entity's or the small business's assets and complies with the requirements and obligations in the Act.

"Consumer health data" means personal information that is linked or reasonably linkable to a consumer and that identifies the consumer's past, present, or future physical or mental health status. For the purposes of this definition, physical or mental health status includes, but is not limited to, the following.

1. Individual health conditions, treatment, diseases, or diagnosis;
2. Social, psychological, behavioral, and medical interventions;
3. Health-related surgeries or procedures;
4. Use or purchase of prescribed medication;
5. Bodily functions, vital signs, symptoms, or measurements of the information described in (1) through (13) herein;
6. Diagnoses or diagnostic testing, treatment, or medication;
7. Gender-affirming care information;
8. Reproductive or sexual health information;
9. Biometric data;
10. Genetic data;
11. Precise location information that could reasonably indicate a consumer's attempt to acquire or receive health services or supplies;
12. Data that identifies a consumer seeking health care services; or
13. Any information that a regulated entity or a small business, or their respective processor, processes to associate or identify a consumer with the data described in (1) through (12) above that is derived or extrapolated from nonhealth information (such as proxy, derivative, inferred, or emergent data by any means, including algorithms or machine learning).

"Consumer health data" does not include personal information that is used to engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws and is approved, monitored, and governed by an institutional review board, human subjects research ethics review board, or a similar independent oversight entity that determines that the regulated entity or the small business has implemented reasonable safeguards to mitigate privacy risks associated with research, including any risks associated with reidentification.

"Third party" means an entity other than a consumer, regulated entity, processor, small business, or affiliate of the regulated entity or the small business.

"Affiliate" means a legal entity that shares common branding with another legal entity and controls, is controlled by, or is under common control with another legal entity. For the purposes of this definition, "control" or "controlled" means the following.

• Ownership of, or the power to vote, more than 50 percent of the outstanding shares of any class of voting security of a company;
• Control in any manner over the election of a majority of the directors or of individuals exercising similar functions; or
• The power to exercise controlling influence over the management of a company.

"Personal information" means information that identifies or is reasonably capable of being associated or linked, directly or indirectly, with a particular consumer, including but not limited to, data associated with a persistent unique identifier, such as a cookie ID, an IP address, a device identifier, or any other form of persistent unique identifier, and excluding publicly available information and excluding deidentified data.

"Publicly available information" means information that is the following.

• Lawfully made available through federal, state, or municipal government records or widely distributed media; and
• A regulated entity or a small business has a reasonable basis to believe a consumer has lawfully made available to the general public, excluding any biometric data collected about a consumer by a business without the consumer's consent.

"Deidentified data" means data that cannot reasonably be used to infer information about, or otherwise be linked to, an identified or identifiable consumer, or a device linked to such consumer, if the regulated entity or the small business that possesses such data does the following.

• Takes reasonable measures to ensure that such data cannot be associated with a consumer;
• Publicly commits to process such data only in a deidentified fashion and not attempt to reidentify such data; and
• Contractually obligates any recipients of such data to satisfy the criteria set forth herein.

"Biometric data" means data that is generated from the measurement or technological processing of an individual's physiological, biological, or behavioral characteristics and that identifies a consumer, whether individually or in combination with other data, including, but not limited to the following.

• Imagery of the iris, retina, fingerprint, face, hand, palm, vein patterns, and voice recordings, from which an identifier template can be extracted; or
• Keystroke patterns or rhythms and gait patterns or rhythms that contain identifying information.

"Health care services" means any service provided to a person to assess, measure, improve, or learn about a person's mental or physical health, including but not limited to the following.

• Individual health conditions, status, diseases, or diagnoses;
• Social, psychological, behavioral, and medical interventions;
• Health-related surgeries or procedures;
• Use or purchase of medication;
• Bodily functions, vital signs, symptoms, or measurements of such information;
• Diagnoses or diagnostic testing, treatment, or medication;
• Reproductive health care services; or
• Gender-affirming care services.

"Homepage" means the introductory page of an Internet website and any Internet Web page where personal information is collected, and in the case of an online service, such as a mobile application, homepage means the application's platform page or download page, and a link within the application, such as from the application configuration, "about," "information," or settings page.

"Consent" means a clear affirmative act that signifies a consumer's freely given, specific, informed, opt-in, voluntary, and unambiguous agreement, which may include written consent provided by electronic means. "Consent" may not be obtained by any of the consumer's following actions.

• Acceptance of a general or broad terms of use agreement or a similar document that contains descriptions of personal data processing along with other unrelated information;
• Hovering over, muting, pausing, or closing a given piece of content; or
• Agreement obtained through the use of deceptive designs.

"Deceptive design" means a user interface designed or manipulated with the effect of subverting or impairing user autonomy, decision-making, or choice.

"Geofence" means technology that uses global positioning coordinates, cell tower connectivity, cellular data, radio frequency identification, Wi-Fi data, and/or any other form of spatial or location detection to establish a virtual boundary around a specific physical location, or to locate a consumer within a virtual boundary. For purposes of this definition, "geofence" means a virtual boundary that is 2,000 feet or less from the perimeter of the physical location.