Washington state is poised to enact legislation that -- while billed as a health privacy law -- actually encompasses an extremely broad range of information. The law, which will cover many entities doing business with Washington consumers, protects health information, biometric data, and genetic data and allows consumers the same kinds of rights we have seen in European-style comprehensive privacy laws. Most importantly, the law allows for a private right of action for violations. The law should take effect in the spring of 2024 (summer 2024 for small businesses).
Why It Matters
The scope of the new Washington law makes it fairly broad in potential application. Fitness, wellness, and cosmetic services could fall within its ambit; so could authentication systems in use in employment and security settings; and so could M&A activity that involves sale of data covered. Businesses that collect or use any of the data described by the Act should start now on the process of compliance, which will require a separate privacy notice and specific consent procedures, as well as back-end processes to handle consumer access/deletion requests. Because of the broad scope of information covered, it is prudent to seek to advice on whether this law applies or could apply to your business.