Washington state's My Health My Data Act and Nevada's SB 370 go into effect on March 31, requiring companies that collect “consumer health data,” which is broadly defined under these laws, to take a new look at how they collect, evaluate, use, and share that data. Unique requirements arising from these laws ask companies to analyze which aspects of health data collection, use, and sharing are “necessary” to provide the products and services consumers request.
Under both MHMDA and SB 370, entities of all sizes, including for-profits and nonprofits, may collect (defined as including “processing in any way”) and share consumer health data for purposes “necessary” to respond to a consumer's express request, or with consent. Neither law defines what it means for data collection or use to be “necessary” to respond to a consumer request. Organizations should assess when collecting and sharing health data is necessary to meet consumer requests and seek consent where it is not.
To do so, organizations must:
- Establish the data sets that constitute consumer health data under the Act and the systems for processing that data.
- Implement a standard decision-making framework or evaluation process to assess “need” across business activities.
- Minimize data collection and inference on consumer health data.
- Remain flexible as guidance and enforcement activities develop that clarify the Attorney General's and courts' interpretations of this exception.
Considerations for assessing need
In assessing necessity, entities must establish a consistent decision-making framework or evaluation process to assess whether a particular collection or processing activity is essential to their operations and provision of services and/or would be reasonably expected to be necessary by the average user, based on their knowledge of and experience with the service.
This good-faith inquiry, specific to the facts and circumstances, should consider both where the collection and use of data is strictly necessary to provide services (data activities that the organization cannot function without, such as data processed for financial audits, product delivery and account authentication) and where it is reasonably necessary (data activities carried out by an organization in order to provide consumers with the products they are looking for, such as data processed for product improvement or possibly website personalization).
Below are some factors that should be addressed in such an assessment. Please note that while this guidance is based on a common-sense approach that a court or regulator would consider, it is not derived directly from statute and is not absolute.
1. Is consumer health data core to your product or service?
Organizations should evaluate whether certain uses or transfers of consumer health data are core to operating, maintaining, and providing services that individuals are seeking and/or purchasing. They should consider whether the company can achieve the same purpose with other data: if non-consumer health data can be used to accomplish the same product or service goal, the use of consumer health data is less likely to be necessary.
2. Would a reasonable person assume or expect their data to be used when exploring, signing up for, or making a purchase from a service?
Companies should review and evaluate consumer feedback and branding to identify as precisely as possible what products and services the average consumer is looking for when visiting their website or using their app. Where applicable, organizations should consider consumer feedback on “surprising” data usage and internal research regarding which products and services are most popular, and document this analysis. Organizations can use insights from reviews to assess what a reasonable consumer would expect when interacting with a brand, website, or product.
The more a consumer uses or engages with a service, the more they may naturally expect broader data usage (e.g., more or different types of personalization). A consumer's expectations when he or she visits a website for the first time are different from those of a customer who has been using the service for several years or who is logged into an account when using the service. Similarly, consumer expectations that can be assessed from multi-service web pages and/or services are lower than those that can be assessed from pages and/or services that focus on a particular service or condition. It is likewise more difficult to assess consumer intent and which services a consumer is seeking on a website or page that offers several different services or information.
3. What are the risks of harm from collecting or sharing consumer health data at issue?
Entities should be aware that data related to sexual activity, gender identity, reproductive health, mental health, or other health conditions that are widely considered to be sensitive is likely, if disclosed, to expose people to discrimination, prejudice, emotional distress, or other serious harm. MHMDA and SB 370 were expressly drafted and passed to address such harms and require businesses to collect and share such data conservatively.
There is no one-size-fits-all approach to objective-based data minimization
Limiting data collection to what is necessary to meet consumer demands creates context-specific data minimization paradigms that vary depending on the purpose and promise of consumer health technology. A one-size-fits-all approach to data minimization may not be effective, as what data is “needed” may vary depending on the functionality and purpose of different technologies and business tactics. Companies should consider the following approaches to minimizing data:
- Variety of data points and amount of data. When evaluating data processing, companies need to consider both the variety of data points collected (for example, height and weight) and the amount of data collected for each data point (many height and weight entries over time). The law requires that each data point processed without consent, as well as the overall amount of data collected, be necessary to fulfill the consumer's request. A shorter data retention schedule is especially useful when data is collected consistently over a long period of time, such as menstrual data or heart rate related to activity levels, but its usefulness to the use of a website or service diminishes or changes over time.
- Inference and subsequent data. Both MHMDA and SB 370 define “collect” to include “inference.” Entities may make inferences about health status from calculated fields, such as body mass index calculated from height and weight, and by combining two or more datasets. In complex systems, such inferences are often generated automatically and at scale. One way to reduce the use of consumer health data is to take a critical look at inferences where possible. Businesses should evaluate the inferences they make with the same weight as the data they originally collected, and should be mindful that inferences on consumer health data can be drawn from non-health data.
Conclusion
MHMDA and SB 370 require businesses to carefully evaluate how they collect and share consumer health data and whether that collection and sharing is “necessary.” We encourage organizations to develop a standard decision-making framework for evaluating whether an instance of data collection or sharing is likely to be considered “necessary” under these laws. Purposes that are not directly useful to users, such as advertising, are not considered necessary. Purposes such as product development and improvement can fall into a gray area, and collecting data without consent requires a strong user-centric rationale. Similarly, as discussed above, regulators and courts may, given the privacy risks, scrutinize certain categories of consumer health data more closely when assessing whether the collection and use of that data is necessary to meet consumer requests. Accordingly, companies must take care when managing user input related to these categories, when collecting data that may reveal the status of these categories and, if they choose to do so, when making inferences that reveal information about these categories that may “link or reasonably associate with consumers.” Any attempt to obtain or infer such consumer health data is prohibited.
As attorneys general and courts' interpretations of the MHMDA and SB 370 evolve, specific use cases may reveal additional factors for determining whether data collection is “necessary.” Additionally, organizations should remain vigilant for further guidance and enforcement actions and continue to carefully consider the collection of consumer health data under MHMDA and SB 370, particularly data related to sexual and reproductive health, gender identity, mental health, and other sensitive health conditions.
The authors would like to thank Taylor Widawski, CIPP/E, CIPP/US, Mike Hintze, CIPP/C, CIPP/E, CIPP/G, CIPP/US, CIPM, CIPT, FIP, and Amie Stepanovich for their valuable input and the thought they put into this work.