Introduction
Washington’s groundbreaking “My Health My Data Act” (HB 1155) (the Act) was signed into law on April 27, 2023. This Act imposes new requirements on the processing and sale of consumer health data by organizations with a nexus to Washington state, as our earlier blog posts explain. In this blog post, we examine the private right of action available under the Act, including how it interacts with the state’s Consumer Protection Act and the risk of class actions.
The Private Right of Action’s Extensive Scope
The Act provides for a private right of action in Section 11 by establishing that a violation of the Act is an unfair or deceptive act under the Washington Consumer Protection Act (CPA). It is one of the most far-reaching private rights of action of any state privacy law, for several reasons:
First, the private right of action appears to broadly apply to any violation of the statute (unlike, for instance, the private right of action under the California Consumer Privacy Act (CCPA) which applies only to a data breach). Every provision—including those relating to consumer rights, notice and consent obligations, and restrictions on selling and sharing—appears to be fair game. This exposes businesses to a wide range of potential violations within the Act’s four corners.
Second, other than certain narrow exceptions, there appear to be no meaningful prerequisites or deterrents to exercising the private right of action. For example, the Act includes no opportunity to cure and does not limit actions based on a violation’s severity (e.g., willful or reckless versus negligent violations) or procedural posture (e.g., class actions versus individual plaintiff suits). Nor does the Act require a plaintiff to exceed a minimum harm threshold before suing. This, combined with the CPA’s right to attorneys’ fees and the Act’s broadly worded provisions, could invite plaintiffs’ counsel to test hyper-technical interpretations, exposing businesses to various nuisance claims that are unlikely to promote the Act’s original goals.
Third, the Act’s broad definitions bring an expansive range of consumers and data within the private right of action’s scope. A “consumer” is defined to include not only Washington residents but any natural person whose health data is “collected in Washington,” subject to certain narrow exceptions. And because the Act defines “collect” to also include any processing, the Act appears to let non-Washington residents file suit if their “consumer health data” has merely been processed in Washington. “Consumer health data” is also broadly defined, as we explained in an earlier blog post, extending well beyond what most typically conceive of as medical history, diagnosis and treatment information. In other words, any natural person anywhere whose health data is processed in Washington could bring suit under the Act for any violation against an entity that meets the Act’s minimal nexus requirements to qualify as a regulated entity, subject to some narrow entity-level exceptions. This could significantly expand the pool of putative class members in a class action lawsuit and helps illustrate why early preparation to mitigate the risk of a class action lawsuit is critical.
In summary, plaintiffs’ counsel may target nearly any business that processes the consumer health data of a Washington resident or of an individual whose consumer health data is processed in Washington. Because of how the Act defines “collected,” this risk extends to any regulated entity that processes any natural person’s consumer health data in Washington state. This broad scope helps illustrate why early preparation and ongoing compliance are important for any such business.
Relationship Between the Act and the CPA
As noted, the Act declares any violation of any of its provisions an unreasonable practice and unfair act, which then allows a plaintiff to sue under the CPA.
More specifically, to prevail on a CPA claim, a plaintiff must prove (1) an unfair or deceptive practice; (2) occurring in trade or commerce; (3) impacting the public interest; and (4) injuring a plaintiff in his or her business or property; as well as (5) causation between the unfair or deceptive practice and the injury suffered.
The Act provides plaintiffs with language establishing per se the first three (3) elements of a CPA claim for any violation of the Act: “The practices covered by [the Act] are matters vitally affecting the public interest for the purpose of applying the consumer protection act,” and a violation of the Act “is not reasonable in relation to the development and preservation of business, and is an unfair or deceptive act in trade or commerce and an unfair method of competition for the purpose of applying the [CPA].” This language is consistent with Washington Pattern Jury Instructions, WPI 310.03, Per Se Violation of Consumer Protection Act.
We expect plaintiffs to reference this per se language in the Act in furtherance of establishing the first three elements of a CPA claim. We also expect them to argue that the remaining two elements (damages and causation) are not appropriate for resolution at the pleading stage, and that discovery is warranted, thus increasing the cost of litigation in hopes of gaining leverage for settlement.
In fact, the Washington Legislature had adopted an amendment to remove the per se language in March 2023. This amendment would have required a private plaintiff to prove in each case that an alleged violation (1) relates to a matter vitally affecting the public interest and (2) is an unfair or deceptive act in trade or commerce. In short, this amendment would have likely provided a barrier to nuisance claims. But in a last-minute amendment modifying several provisions before the Act passed, the Legislature added the per se language back in.
Like the Act, the CPA allows “natural persons” to bring claims and does not appear to limit the size or scope of a putative class, further increasing litigation risk and potential exposure.
Available Damages Under the Act
Unlike with the CCPA or Illinois’ Biometric Information Privacy Act (BIPA), statutory or liquidated damages are not available in private suits for a violation of the Act (as opposed to actions brought by the state, which allow for a civil penalty of up to $7,500 “for each violation” and another $5,000 for targeting people based on certain protected characteristics).
The Act is not toothless, however. It provides for:
- Actual damages sustained by “any person . . . injured by a violation” of the Act;
- Treble damages in the court’s discretion up to $25,000;
- Attorneys’ fees and costs; and
- Injunctive relief.
It remains to be seen whether each claim for a violation of the Act accrues only once—when consumer health data is first collected or disclosed—or, as with BIPA, a new claim accrues each time consumer health data is collected or disclosed. Although statutory damages are not in play, even nominal damages for each violation can add up to a substantial number, especially with a large putative class. The availability of attorneys’ fees is also likely to embolden plaintiffs.
Risk of Class Action Lawsuits
Although the legislature’s decision to exclude statutory damages may blunt the risk of class-action lawsuits under the Act, the risk remains high for at least the following reasons:
- As noted, any alleged violation of the Act is actionable, there are few restrictions on the private right of action, nonresidents can sue in some cases, and attorneys’ fees are available.
- The Act is rife with expansive yet vague provisions (e.g., the definition of “consumer health data”). The statements regarding the Act’s purpose are plaintiff friendly.
- Washington is home to some of the largest technology companies and cloud service providers in the world (ideal targets for plaintiffs’ lawyers).
- There is a significant risk of biometric class actions as the Act imposes several new requirements and restrictions on entities that collect and use biometric data, much like BIPA (minus the availability of statutory damages).
- The Act arises within a broader trend toward intense scrutiny of health information practices under state privacy laws, heightening the risk of private lawsuits and regulatory enforcement.
Moreover, although plaintiffs must prove an “injury” to their business or property that is caused by a defendant’s alleged violation of the Act, Washington courts have held that such injury need not be monetary, so long as the plaintiff can prove a specific harm to his or her business or property. The viability of an alleged injury under the Act will likely turn on the type of violation alleged and the type of consumer health data at issue, among other factors. This uncertainty alone is expected to elevate litigation risk for regulated entities as plaintiffs and their counsel test the uncharted waters of the Act.
The determination of whether a class may be certified is a critical juncture in healthcare-related privacy class actions. There are strong grounds, including decisions our team has recently achieved, for finding these types of cases are not suitable for class treatment.
Interestingly, the Act includes a provision obligating a committee to review actions brought by consumers and prepare a report including “the number of civil actions where a judge determined the position of the nonprevailing party was frivolous” and “recommendations for potential changes to enforcement provisions of the act.” This inclusion suggests the legislature is aware of the risk that the Act’s broad language will lead to plaintiffs abusing the private right of action.
Finally, unlike CCPA section 1798.192, the Act does not contain a provision prohibiting contract terms that limit the exercise of consumer rights. Accordingly, companies should evaluate whether risk-mitigating contract provisions such as class action waivers may be enforceable, yet weigh the risk of a court finding that such limitations may be contrary to public policy or inconsistent with the private right of action allowed under the Act through the CPA.