Washington’s My Health My Data Act vs. California’s CCPA: Adapting Your Compliance Program
The Washington My Health My Data Act (MHMDA)’s strict requirements and broad application arguably make it the most significant US state privacy law to pass in 2023.
This article compares the MHMDA to the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA). We’ll explore how each law applies and defines key terms, plus how they deal with consent requests, consumer rights, and more.
The MHMDA might apply to your business even if the CCPA does not. Or if you’ve already taken steps to comply with the CCPA, this guidance should help you identify the gaps you’ll need to fill when preparing for the MHMDA.
Understanding Whether Each Law Applies to You
Although the CCPA is considered a “comprehensive” privacy law, Washington’s health-focused MHMDA arguably applies even more broadly—but in somewhat different ways.
How the CCPA and MHMDA Apply
Here’s an overview of how the CCPA and MHMDA apply to different types of organizations.
|California CCPA: “Business”||Washington MHMDA: “Regulated entity” or “small business”|
|Does business in California.||
|Determines the purpose and means of processing consumers’ personal information.||Determines the purpose and means of collecting, processing, sharing, or selling consumer health data.|
|Meets one or more of the following three thresholds:
Unlike the CCPA, the MHMDA distinguishes a “small business”: An entity that processes consumer health data about fewer than 100,000 consumers annually—or fewer than 25,000 consumers if it derives less than 50% of its revenues from sharing consumer health data.
However, the only difference between a “small business” and a “regulated entity” is that most MHMDA obligations do not take effect for small businesses until June 30, 2024—two months later than the deadline for “regulated entities” (March 31, 2024).
We won’t distinguish between regulated entities and small businesses in this article. We’ll refer to both types of entities as “businesses”.
Both laws contain various exemptions and exceptions, summarized in the table below.
|CCPA exemptions||MHMDA exemptions|
|Does not apply to non-profits||Applies to non-profits|
|Does not cover government agencies or other bodies not organized for profit.||Does not cover government agencies, tribal nations, or contracted service providers when processing consumer health data on behalf of the government agency.|
|Certain obligations apply in employment and business-to-business contexts.||Does not apply in employment or business-to-business contexts.|
|Excludes personal information processed in the context of other regulations, such as:
||Excludes consumer health data processed under these same laws and a similar range of other regulations.|
Identifying Whether You Process Consumer Health Data
Both the CCPA and the MHMDA apply to health data, which can include technical information collected from apps, browsers, and devices. But it’s important to understand the differences in the types of health data covered under each law.
Health Information in California’s CCPA
California’s CCPA defines “personal information” broadly—and also refers specifically to “medical information” and “health insurance information”.
“Personal information collected and analyzed concerning a consumer’s health” is also a type of “sensitive personal information” under the CCPA.
Washington MHMDA: ‘Consumer Health Data’
The MHMDA has a very broad definition of “consumer health data” with three main elements:
- It is personal information
- It is linked or reasonably linkable to a consumer
- It identifies the consumer’s physical or mental health status
“Physical or mental health status” can mean practically anything related to a consumer’s health.
The MHMDA lists thirteen examples, including:
- Health conditions
- Precise location information
- Any data identifying a consumer seeking health care services
We provide a full breakdown of “consumer health data” in this article.
Definitions of ‘Collect’, ‘Share’, and ‘Sell’
The concepts of “collecting”, “sharing”, and “selling” information are central to both the CCPA and the MHMDA—but each law defines these words very differently.
The CCPA defines “collecting” as “buying, renting, gathering, obtaining, receiving, or accessing” personal information.
The MHMDA is much broader. “To collect” consumer health data means to “buy, rent, access, retain, receive, acquire, infer, derive, or otherwise process consumer health data in any manner”.
This broad definition means that practically any activity can constitute “collecting” consumer health data.
The CCPA’s “sharing” definition only applies to disclosures for the purposes of “cross-context behavioral advertising”.
Under the MHMDA, “sharing” means disclosing or making consumer health data available to any “third party” (anyone other than your business, except a processor) or “affiliate” (a company owned by and sharing common branding with your business).
There are exceptions to this broad “sharing” definition, including when disclosing consumer health data to a processor, to a third party with whom the consumer has a direct relationship, or as part of an acquisition or similar process. Strict conditions apply in each case.
While the CCPA’s “sale” definition is notoriously broad, the MHMDA’s definition of “sale” is even broader.
This means you might be using data in a way that constitutes “selling” under the MHMDA but not the CCPA.
Here are the main differences between each law’s concept of a “sale”.
|“Selling” personal information under the CCPA:||“Selling” consumer health data under the MHMDA:|
|Only covers the disclosure of personal information to a “third party” for valuable consideration.
CCPA-compliant disclosures to a “service provider” or “contractor” do not count.
|Covers the disclosure of consumer health data to any other person for valuable consideration.|
|Even when disclosing personal information to a third party, a “sale” does not include disclosing personal information under the following conditions:
||There are only two exceptions to the MHMDA’s “sale” definition:
Opt Out vs. Opt In
While the CCPA operates on a mostly “opt-out” basis, Washington’s MHMDA is a strictly “opt-in” law.
California’s “Opt-Out” Model
Under the CCPA, businesses can collect, share, or even sell personal information by default as long as they meet the CCPA’s compliance requirements.
Certain businesses must set up “Do Not Sell My Personal Information” or “Limit the Use of My Sensitive Personal Information” links to allow consumers to opt out of specific uses of their personal information.
The CCPA’s “consent” definition is relatively strict, but relatively few activities require consent under the CCPA.
Washington’s “Opt-In” Model
Washington’s MHMDA operates an “opt-in” consent model for practically all processing of consumer health data.
Under the MHMDA, you cannot collect or share consumer health data unless:
- You have the consumer’s consent in relation to a specific purpose, or
- You need to collect or share consumer health data to provide a specific product or service requested by the consumer.
You must make MHMDA consent requests separately. You cannot ask a consumer to provide consumer health data and also allow you to share the data using a single consent request.
The MHMDA provides some limited exceptions to these rules. Consent is not required for the “collection, use, or disclosure” of consumer health data when detecting or preventing crime, security incidents, or fraud.
The MHMDA defines “consent” very strictly. You must be able to demonstrate that a consumer’s consent is:
- Freely given
Under the MHMDA, pre-ticked boxes, repetitive requests, and vague language are not suitable for getting consent.
You cannot obtain consent via “dark patterns” (manipulative design) or via acceptance of your general terms of service.
Valid Authorization to Sell
Under the MHMDA, you cannot sell consumer health data unless you have obtained a “valid authorization” from the consumer.
A “valid authorization” is a document written in clear and plain language that provides the consumer with extensive information about the sale of their consumer health data. The MHMDA provides eight specific pieces of information that a valid authorization must contain.
A valid authorization must be signed by the consumer, dated, and retained for six years.
You can’t force a consumer to sign a valid authorization to receive your products and services, and a consumer can revoke their authorization at any time.
Working With Processors
“Processors” are the MHMDA’s equivalent to the CCPA’s “service providers” and “contractors”.
If you’ve drawn up CCPA-compliant service provider or contractor agreements, you might consider adapting these agreements to cover data-sharing with processors under the MHMDA.
The CCPA’s definitions of “service provider” and “contractor” are long and complex, and its rules on service provider and contractor agreements are extensive.
But under the MHMDA, a “processor” is anyone that processes consumer health data on behalf of a business.
As under the CCPA, you’ll need to put an agreement in place before sharing data with a processor under the MHMDA.
But Washington’s law is simpler than California’s in this respect. Under the MHMDA, a binding agreement with a processor must:
- Provide instructions for processing consumer health data on your behalf
- Limit the actions the processor may take on your behalf
The MHMDA does not specify what these instructions and limitations must entail. But you’ll be liable for violations of the MHMDA committed by the processor—unless the processor is acting against your agreement, in which case the processor will be directly liable.
The MHMDA provides similar consumer rights to the CCPA, with some important differences.
If you’ve set up a process to enable California consumers to exercise their CCPA rights, this should be a good starting point for complying with this part of the MHMDA.
Types of Consumer Rights
The table below shows how consumer rights differ under the CCPA and the MHMDA.
|California CCPA consumer rights||Washington MHMDA consumer rights|
|The “right to know” about how a business collects, uses, and shares their personal information.||The right to:
|The right to:
||The right to withdraw consent.|
|The right to delete personal information collected directly from the consumer (with exceptions).||The right to delete consumer health data.|
|The right to correct inaccurate personal information||The MHMDA does not explicitly provide a “right to correct”.|
|The “right to non-discrimination” for exercising their CCPA rights.||The MHMDA also prohibits a business from discriminating against consumers.|
Facilitating and Responding to a Request
Both laws require that you set up methods to receive and verify consumer rights requests. These methods must take into account the way you normally interact with consumers.
Under both laws, you must respond to a consumer rights request within 45 days, with one 45-day extension available where reasonably necessary.
Both laws require that you facilitate consumer rights requests free of charge up to twice per year.
If a request is “manifestly unfounded, excessive, or repetitive”, both laws state that you can charge the consumer an administration fee or refuse the request.
Setting Up an Appeals Process Under Washginon’s MHMDA
Unlike the CCPA, the MHMDA requires you to set up an appeals process to allow consumers to challenge your response to a rights request.
Consumers can appeal your decision “within a reasonable period of time”. You must respond within 45 days, providing a reason for your decision. If you deny the consumer’s appeal, you must provide contact details for the Washington Attorney General.
Both the CCPA and the MHMDA provide extensive transparency obligations.
|The categories of personal information you collected in the past 12 months.
Your business and commercial purposes for collecting, selling, or sharing personal information.
|The categories of consumer health data you collect, your purposes for collecting it, and how you will use it|
|The categories of sources from which you collected personal information||The categories of sources from which you collect consumer health data|
|Any categories of personal information you have sold or shared over the past 12 months.
Any categories of personal information you have disclosed for a business purpose over the past 12 months.
|The categories of consumer health data you share.|
|The categories of third parties with whom you share personal information.||The categories of third parties and the specific affiliates with which you share consumer health data.|
|A description of the CCPA’s rights and how to exercise them.
Your “Do Not Sell or Share My Personal Information” and “Limit the Use of My Sensitive Personal Information” links, if relevant.
|An of how to exercise the MHMDA’s consumer rights.|
Notice at Collection
Both the CCPA and the MHMDA require you to provide specific information to consumers in certain situations.
Before collecting personal information under the CCPA, you must tell the consumer which categories of personal information you are collecting, your purposes for collecting or using it, whether it will be shared or sold, and how long you will retain it.
Under the MHMDA, you must provide the consumer with the following information before requesting consent to collect or share consumer health data:
- Which categories of consumer health data you intend to collect or share.
- Your purposes for collecting or sharing the consumer health data, including the specific ways it will be used.
- The categories of entities with which you will share the consumer health data.
- How the consumer can withdraw consent.
As noted above, the MHMDA also requires that you provide extensive information when obtaining a “valid authorization” to sell consumer health data.
Both Washington’s MHMDA and California’s CCPA impose similar data security requirements.
The CCPA’s security obligations derive from California’s breach notification law, which requires businesses to maintain reasonable and appropriate data security measures that are appropriate to the nature of the information.
If you’ve established CCPA-compliant data security measures, you should be in a good position to comply with this part of the MHMDA, which requires a business to:
- Restrict access to consumer health data among its employees, contractors, and processors.
- Implement and maintain reasonable data security practices that are at least as strong as the relevant industry standards, and that are appropriate to the volume and nature of the consumer health data.
Enforcement and Liability
Both the CCPA and MHMDA provide enforcement powers to each state’s Attorney General.
Both laws also provide a “private right of action”, enabling consumers to sue a business that violates each law under certain conditions.
The CCPA’s private right of action is underpinned by California’s breach notification law, which means that consumers may only sue for CCPA violations that result in certain types of data breaches.
The MHMDA’s privacy right of action links to the Washington Consumer Protection Act. This means consumers can sue if they are injured by any type of MHMDA violation, as long as the violation is an unfair or deceptive commercial act and certain other conditions are met.
In short, it’s much easier for consumers to bring legal claims under the MHMDA than under the CCPA.
1. What is Washington’s My Health My Data Act (MHMDA)?
Washington’s My Health My Data Act (MHMDA) is a state privacy law passed in 2023 that presents strict requirements and broad application regarding the collection, processing, and sharing of consumer health data. Its obligations are applied to both "regulated entities" and "small businesses."
2. What is the California Consumer Privacy Act (CCPA)?
The California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), is a comprehensive privacy law that determines how businesses handle California consumers’ personal information. It applies to any business that does business in California, determines the purpose and means of processing consumers’ personal information, and meets certain thresholds related to annual revenues or handling of personal data.
3. How does the CCPA differ from the MHMDA?
While both laws address privacy concerns, they apply in different ways. CCPA is broad, applying to businesses with significant connections to California and specific revenue or data thresholds. MHMDA, on the other hand, focuses on health data and applies to any entity that processes consumer health data in Washington, with no specific revenue or data thresholds.
4. What is considered as a small business under MHMDA?
A small business under MHMDA is an entity that processes consumer health data about fewer than 100,000 consumers annually—or fewer than 25,000 consumers if it derives less than 50% of its revenues from sharing consumer health data.
5. What are the exemptions in both laws?
Both laws contain exemptions. CCPA does not apply to non-profits and government agencies and excludes personal information processed under other regulations like HIPAA and GLBA. MHMDA, however, applies to non-profits but does not cover government agencies, tribal nations, or service providers processing consumer health data on behalf of the government agency. It also excludes consumer health data processed under certain laws and regulations.
6. How do the CCPA and MHMDA differ in the definition of "sale"?
While both laws use the term "sale", they define it differently. Under the CCPA, a sale covers the disclosure of personal information to a third party for valuable consideration. MHMDA's definition is broader, covering the disclosure of consumer health data to any person for valuable consideration, with only a few exceptions.
7. What is the difference in consent mechanisms between CCPA and MHMDA?
While the CCPA operates on a mostly "opt-out" basis, Washington’s MHMDA is a strictly "opt-in" law. Under the CCPA, businesses can collect, share, or even sell personal information by default as long as they meet the CCPA’s compliance requirements. However, MHMDA requires explicit, informed, and voluntary opt-in consent from the consumer for the collection, sharing, or sale of their health data.
8. What are the consumer rights under CCPA and MHMDA?
Both laws provide consumers with rights to access, control, and delete their data. However, the specifics differ. For example, the CCPA provides consumers with the right to know about data collection, usage, and sharing practices, and the right to opt out of the sale of their personal information. MHMDA provides similar rights, plus the right to withdraw consent, and additional rights related to the confirmation of data collection, access, and third-party sharing information.
9. How do CCPA and MHMDA compare in terms of enforcement and liability?
Both laws provide enforcement powers to each state’s Attorney General and also provide a “private right of action,” enabling consumers to sue a business that violates each law under certain conditions. The CCPA’s private right of action is mostly tied to data breaches, while the MHMDA allows consumers to sue for any type of MHMDA violation as long as the violation is an unfair or deceptive commercial act.
10. What are the transparency obligations under both laws?
Both the CCPA and MHMDA require businesses to be transparent about their data practices. They require businesses to create privacy policies detailing their data collection, usage, and sharing practices. Both laws also require businesses to provide specific information to consumers in certain situations, such as before collecting personal information or requesting consent to collect or share consumer health data.
Robert is a writer covering privacy, security, and AI. He is a respected voice on privacy and has covered and has been working in the field since 2017.