A very encouraging first step: My Health My Data's first hearing
Part two of Washington state privacy legislation 2023
"The environment in 2023 is much more favorable than it's ever been for strong privacy legislation – nationally, and in Olympia – so there's good reason for optimism.
One of the reasons the legislative environment is much more favorable in 2023 is that privacy threats have become a lot more real to many people in the aftermath of the Supreme Court's Dobbs decision overturning Roe."
– A much more favorable environment, but a lot of complexity Washington state privacy legislation 2023, January 23
"The My Health, My Data Act would require third-party services, such as apps that track menstrual cycles, to publish policies surrounding health data collection and sharing, and require them to obtain consumers’ consent prior to any data collection or sharing. It would prohibit both the sale of this data and the use of geofencing, a type of location-based advertising, surrounding health care facilities.
While the bill applies to health data protection generally, supporters emphasized the importance of data collection in regard to reproductive health and gender care."
– State Lawmakers Hear Slew of Abortion Protection Bills Following 50th Anniversary of Roe v. Wade, Laurel Demkovich in the Spokesman Review
My Health My Data's first hearing featured strong support for the bill and virtually no overt opposition – although the industry lobbyists who water down state privacy regulation tried to make a case for watering its protections for consumer health data. No surprises there, of course; it's their job! So overall, the hearing was a very encouraging first step for this urgently-needed bill.
As Demkovich says, most of the outstanding testimony at the hearing focused on the need to respond to the Dobbs decision by protecting reproductive health care patients and providers against the threat of states criminalizing abortion and authorizing bounty hunters and vigilantes – and on protecting people seeking and providing gender-affirming services, who face similar threats. Bill sponsor Rep. Vandana Slatter, Andrea Alegrett from the Attorney General's Office (who worked with Rep. Slatter and Sen. Manka Dhingra to develop the bill), and advocates from organizations including Pro-Choice Washington, Gender Justice League, Legal Voice, Washington Immigrant Solidarity Network, Cedar River Clinics, Planned Parenthood Alliance Advocates, Japanese American Citizens League - Seattle Chapter, La Resistencia, League of Women Voters of Washington, and ACLU of Washington all made powerful cases for why this bill is so badly needed. In fact there was so much support for the bill that Chair Hansen cut off testimony before WA People's Privacy and several grassroots activists with a technology background could testify which was really unfortunate. My live-tweeting has more details, and it's really worth watching the video of the hearing.
Industry lobbyists also consistently said they "support the bill's goals," and for good reason: in a state like Washington, they don't want to be seen as opposing reproductive freedom. But as expected, they pushed back strongly against some of the bill's language, claimed the bill as written would cause the sky to fall, and suggested "improvements" (haha) including narrowing the definitions of consumer health data, introducing more loopholes and exemptions, allowing some geofencing as long as it wasn't "precise", and weakening enforcement.
Of course, if legislators take lobbyists' suggestions and water My Health My Data down, then it won't protect health data, pregnant people, or gender-affirming care.
Does that really "support the bill's goals"? Opinions differ, I guess.
For example, industry's most prominent talking point was the need to narrow My Health My Data's defintion of "consumer health data." Here's how it's currently defined, accroding to the bill summary:
Personal information relating to the past, present, or future physical or mental health of a consumer including any personal information relating to:
- individual health conditions, treatment, status, diseases, or diagnoses;
- social, psychological, behavioral, and medical interventions;
- health-related surgeries or procedures, diagnostic testing, and treatment;
- use or purchase of medication;
- bodily functions, vital signs, symptoms, or related measurements;
- efforts to research or obtain health services or supplies;
- gender-affirming care information;
- reproductive or sexual health information;
- biometric and genetic data related to consumer health data;
- location information that could reasonably indicate a consumer's attempt to acquire or receive health services or supplies; and
- any consumer health data information that is derived or extrapolated from non-health information, such as proxy, derivative, inferred, or emergent data.
That all looks like health data to me! How does it "support the bill's goals" to remove any of those bullets?
Still, it's not hard to see why this makes industry nervous. As a lobbyist said at the hearing, this definition could mean that data derived from purchasing a book could be considered consumer health data. But then again, if the book is something like "Living With Alzheimer's" ... it really is health data, and narrowing the definition to exclude it is just putting in a loophole for indusry to exploit.
To be fair, there may well be some valid suggestions for improvements along with exaggerated claims that the bill as written will cause the sky to fall. One lobbyist brought up a situation where (if I understood correctly) the bill's requirements to allow people to delete data clashed with federal legislation that prohibits data deletion from peer-reviewed research. If that's the case (and I could certainly believe it is – the landscape of existing privacy legislation is very complicated), and the resolution isn't as simple as "the federal bill takes precedence over state legislation," it might make sense to clean up the bill's language.
And as I pointed out in my testimony (included below), there are also ways the bill could be strengthened. For example, "de-identified" data is currently exempted. As Sen. Ron Wyden pointed out when discussing the de-identified data exemption in the proposed ADPPA, this loophole could allow data brokers to sell location data to the government about visits to reproductive health facilities. And the bill exempts government agencies; as Rep. Amy Walen clarified during the hearing, this means that Washington's Apple Health isn't covered.
So it'll be interesting to see how the bill evolves. The next step is potential amendments, and then an executive session where the Civil Rights & Judiciary Committee will vote on the amendments and advance the bill. That could happen as early as Friday or it could get pushed to next week. The Senate "companion bill" SB 5351 may also have its own hearing in the next couple of weeks, and in general there's still a long way to go.
Still, this hearing was a very encouraging first step in the process!
Here's my written testimony, which expanded on my live testimony at the hearing. Section numbers refer to the original version of the bill.
Chair Hansen, Ranking Member Walsh, and members of the committee,
Thank you for the opportunity to address the committee today – and thanks as well to the sponsors and AG’s office for bringing a privacy bill so many of us are excited to support. This written testimony expands on my comments at the hearing in support of the My Health My Data Act (HB 1155).
I’m a technologist and entrepreneur, and the founder of The Nexus of Privacy, which focuses on the intersection of privacy technology, policy, and strategy. In 2021, I served on the state Automated Decision Systems (ADS) Workgroup. My career also includes roles as General Manager of Strategy Development at Microsoft, and Chief Product Officer and founder/CTO of successful venture-funded startups.
The data abuses that My Health My Data addresses are real and constant. As Ranking Member Walsh pointed out during the hearing, these abuses affect everybody. For example:
- Early last year, a suicide chat hotline shared chat logs with mental health information with a for-profit spinoff.
- Last summer The Markup reported that Facebook is receiving sensitive medical information from hospital websites.
- Just last week, ProPublica websites that sell medication are sharing data with Google,
All of this data sharing happens without consent.
For years, tech companies have been able to dismiss privacy advocacy by saying “privacy’s only for people who have something to hide.” But the Supreme Court’s Dobbs decision shows people across the political spectrum that everybody potentially has something to hide. Even people who oppose abortion are shocked to realize that something like a period tracking app, a web search, or a visit to a doctor could expose their health data to bounty hunters … and it’s just a small step from that to realizing that predatory companies like Facebook have already been exploiting their health data for years.
- Resist any attempts to weaken My Health My Data by narrowing the definition of health data as so many lobbyists who testified today suggested. Yes, it’s true that the bill’s current definition of health care data includes purchase history of books like “A Guide to a Healthy Pregnancy” or “The Chronic Illness Companion.” From a consumer perspective, that’s a good thing!
- Don’t give in to industry threats to make our lives miserable by bombarding us with opt-in notifications if this bill passes. Some companies may well destroy their business by attempting to bully their customers into consenting but if so it’s their own fault. Apple has shown that it’s possible to do a very usable opt-in experience. Successful companies will learn from that.
- Ignore the spin from industry lobbyists claiming that this bill will cause the sky to fall. They always say that. The reality is that companies should have no problem complying with this straightforward, cleanly written law. My Health My Data’s requirement for opt-in consent before collecting or sharing data, ban on sales of health data, and prohibition of geofencing align well with trends in privacy law elsewhere.
As people here in Washington and all over the world demand stronger privacy protections, a high bar for privacy here will be a huge advantage to Washington’s startup ecosystems and our world-class technology companies.
Indeed, there are a few ways in which My Health My Data should be strengthened – for example by removing Section 2(17)(c), the exemption for “de-identified” data. In practice, “deidentified” data can always be re-identified; Your Data Were ‘Anonymized’? These Scientists Can Still Identify You, from 2019, is one of many examples. Here’s how Sen. Ron Wyden described the “de-identified” data loophole (his term, not mine) in the proposed federal American Data Privacy Protection Act:
“Data that tracks phones from a doctor’s office to where individuals sleep at night would make it trivially easy to re-identify supposedly anonymous data and put women’s privacy at risk.”
Another area for improvement is prohibiting economic coercion of consent. Section 5(4) does prohibit discrimination against consumers who exercise their rights, but more explicit language such as California’s requirement that “[the] business shall not use financial incentive practices that are unjust, unreasonable, coercive, or usurious in nature” to obtain consent [§1798.125(b)(4)] might well be a useful complement.
Washington has a well-deserved reputation for being on the cutting edge of technology, so legislation here will influence the rest of the country. This a great opportunity for Washington to take leadership on one of the most important civil rights issues of our time.
So please strengthen and advance My Health My Data!
Jon Pincus, Bellevue
Image credit: @gggonzalezzz on Twitter