Washington MHMDA privacy law - what is actually exempt?
https://app.leg.wa.gov/RCW/default.aspx?cite=19.373
The Washington My Health My Data Act (MHMDA), linked above, has fairly broad definitions of consumer health data, which include "biometric data" such as fingerprints, retinal scans, and also images of faces.
However, there are a couple of possible exemptions that I find ambiguous when I read the law, especially where loss prevention is concerned. Notably:
- RCW 19.373.030(1)(a)(ii) says data is exempt if it is "necessary to provide a good or service" that the consumer has requested. Is this likely to include loss prevention? As a consumer, I would argue that loss prevention is not a good or service I am buying, and that "necessary" has two opposing definitions which make this unclear - sometimes, in law, it seems to mean "useful" and at other times it means "required". Clearly, loss prevention is useful; however, it is not required, per se, as there are obviously alternatives to capturing biometric data (such as increasing prices or hiring additional labor).
- RCW 19.373.100(3) makes clear that the act does not restrict collection of health data for purposes of preventing illegal activity, e.g. loss prevention. However, "does not restrict" does not seem to imply a full exemption; i.e., it may mean affirmative consent is not required, but it does not seem, to me, to say that businesses collecting this data are not still subject to the rest of the law, e.g. notice requirements, data requests, deletion requests, etc.
All that said... I am not a lawyer, and would love to hear from a lawyer. I'm considering the possibility of trying to push for changes in privacy law in my municipality, but obviously state law supersedes here, so I'd like to understand what is actually going on in this law. I definitely recognize that there may just be unresolved ambiguity, too!