The strongest data privacy bill passed this year focused on health. It's already a model for other states.
In state after state this year, legislators enacted notably weak comprehensive data privacy bills — in fact, at least three of them were nearly identical to a Virginia privacy law drafted by an Amazon lobbyist.
There was, however, a glaring exception: In Washington state, in April, legislators passed a tough “first in the nation” health data privacy law known as My Health, My Data (MHMD) that stands out for its expansive health data privacy protections.
Looking back on a mostly disappointing series of relatively toothless comprehensive data privacy bills to have passed across the year, many experts and advocates say they believe the success of an aggressive law like My Health, My Data (MHMD) holds a lesson for privacy leaders looking for similar wins in other states.
Namely, that strong, narrowly targeted data privacy legislation can pass at times when stronger comprehensive bills cannot. And health data privacy has emerged as a particularly voter-friendly issue as abortion politics has galvanized voters enraged by the controversial Supreme Court decision overturning Roe v. Wade.
Washington advocates say it was crucial for them to harness voters’ anger and fear about the Dobbs decision in order to push through MHMD. Meanwhile, a big tech-friendly comprehensive data privacy bill advocates say was shaped by Microsoft has failed to pass four times in the past few years.
“The Dobbs decision helped lawmakers understand some of the concrete dangers that ordinary people face when their data privacy is violated and understand that data privacy harms are not abstract,” M. Lorena González, the legislative director at the ACLU of Washington said in an interview.
She added that it was strategically beneficial for Washington advocates to proactively push data privacy legislation through the “intersectional lens” that a health focus provided.
“This was the first year in four years that we were spending our time advocating for a strong data privacy bill as opposed to killing a weak data privacy bill,” she said.
Vandana Slatter, the Washington legislator who introduced MDMH, said she intentionally pursued a “very focused and narrow approach,” though she pointed out that since digital health is a $600 billion a year industry her legislation nonetheless is far-reaching. She noted in an email interview that her bill was supported by three-fourths of Washingtonians.
Nevada and Connecticut have since passed health data privacy laws modeled after MHMD.
A string of disappointments
After California enacted a relatively tough comprehensive state privacy law in 2018, privacy advocates say the tech lobby sprang into action. From there, advocates say, a concerted tech lobbyist-spearheaded effort to introduce weak state privacy laws began. Virginia’s law, drafted by an Amazon lobbyist, was the first to follow. California’s 2018 bill remains the strongest comprehensive state-level data privacy bill on the books. (Amazon declined to comment).
Big tech and business lobbyists have not been shy about touting their string of wins defeating or watering down comprehensive state bills. At a July Politico event, Jordan Crenshaw, who leads the U.S. Chamber of Commerce’s Technology Engagement Center, told a Capitol Hill audience that with the exception of California, business interests have seen “states pass privacy legislation that all tend to go around the Virginia model.”
The Virginia model inspired similar laws in Indiana, Tennessee, Iowa and, to some degree, Utah, which have taken the state’s legislation and “reintroduced it or just lightly changed it for the realities of their states,” said Matt Schwartz, a policy analyst at Consumer Reports. “And they're working off a model that was originally authored by Amazon lobbyists.”
Today, 12 states have passed comprehensive data privacy bills, with the majority passed this year, said Heather Morton, a director at the National Conference of State Legislatures.
Morton said she expects many more states to pass comprehensive data privacy legislation in the near future.
Often, legislators are using laws passed previously, like Virginia’s, “for inspiration,” she said.
Advocates say that big tech has pushed hard for bills like Virginia’s because they have almost no enforcement mechanism. Companies like Amazon and Microsoft, which also reportedly contributed to crafting the Virginia bill, profit off of unfettered access to consumer data.
The Virginia bill offers no private right of action allowing people to sue companies for violating their privacy and lets companies use “pay for privacy” schemes — meaning consumers who opt out of sharing their data for targeted advertising can be charged a different “price, rate, level, quality or selection of goods and services,” the civil liberties group Electronic Freedom Foundation wrote in a blog post.
For its part, Washington has struggled to pass a comprehensive data privacy bill despite the heavy involvement of tech behemoth Microsoft in pushing one, said Hayley Tsukayama, associate director of legislative activism at EFF.
“The tactic that Microsoft has taken, and Amazon also, is they're advancing privacy laws that are on the weaker side, and trying to see if they can push those through,” Tsukayama said. Microsoft declined to comment on its role shaping the Washington legislation.
Despite the stark example provided by Washington’s experience passing a tough but narrow health data privacy bill — while a comprehensive one sits in limbo — Tsukayama said she is wary of advocates using that approach broadly.
“My preference is always to protect as much of the data as possible … [though] it can be easier to get a narrower bill through,” Tsukayama said. “You make a trade off when you do that — you aren’t protecting as much information.”
Still, Tsukayama is a realist and has recently made concessions in her own work. She said a California bill her team is working on to stop geofencing — tracking individuals and then marketing based on their GPS locations — and reverse keyword search warrants got significant pushback in the California legislature from law enforcement-friendly lawmakers and moderate Democrats.
Her team is now back to the drawing board, she said, hoping to win support from legislators who are saying, “if you narrowed this bill to only cover gender affirming and abortion or reproductive-related care we wouldn't have a problem with it. But because you're trying to go broad, we have concerns.”
There’s also a practical problem with a narrow approach, said Daniel Castro, director of the Center for Data Innovation at the Information Technology and Innovation Foundation. He said that general health data privacy and kids’ safety online bills often draw broad bipartisan support at the state level, but these single issue bills can lead to a policy mess.
“It's always easier to address these issues at the sectoral level because you have a smaller group of people, and can more narrowly target specific issues,” Castro said.
But he said this approach poses a risk because lawmakers “create a patchwork within a patchwork” where not only are rules different from state to state but even within states for separate entities.
“The problem is there's often overlap,” he said, adding that the muddle makes adhering to the laws very complex for companies and threatens competitiveness.
Leveraging the post-Dobbs juggernaut
For Courtney Normand, the state director of Planned Parenthood in Washington, these arguments are dwarfed by how MHMD will change the lives of women seeking reproductive care in Washington and far beyond.
She pointed to a letter 19 state attorneys general sent to the U.S. Department of Health and Human Services in June, arguing they should have access to out-of-state medical records for abortion and gender-affirming care. Normand pointed out that women in Idaho, which borders Washington, will potentially experience lifesaving consequences thanks to MHMD.
A rally in Melbourne, Australia, in response to the Supreme Court's Dobbs ruling. Credit: Matt Hrka via Flickr
Normand said Planned Parenthood’s national office has been connecting her with advocates nationwide who want to replicate Washington’s law.
The abortion rights movement has been galvanized to embrace the health data privacy movement in part because they know what they are up against, Normand said. She pointed to what she called the “giant data mining operation” the pro-life group Heartbeat International has built in part through its network of crisis pregnancy centers which feed it reams of patient information. A Heartbeat International spokesperson said “it is well-known that anonymized data is routinely studied by businesses so that they can better serve their customers. Organizations on both sides of this debate do just that.”
Lobbying against MHMD was “fierce,” Normand said, but the coalition of organizations which rallied around the law were able to make it clear that “this kind of information is really different from other sorts of consumer protections.”
Part of what makes Washington’s law transformative, said Sara Geoghegan, counsel at the Electronic Privacy Information Center, is how it defines and targets which “covered entities” will have to ask users for their permission to gather consumer health data.
“The scope here of covered entities is broad and the scope here of covered data is broad,” Geoghegan said, pointing out that the provision will have a big impact on major tech companies who she said maintain “massive data centers” in Washington.
MHMD notably creates data processing requirements for consumer health data that are not covered by the Health Insurance Portability and Accountability Act (HIPAA).
The Dobbs decision puts the health data privacy threat into “more stark relief so people can really picture what could happen to someone if their health data is revealed to someone who has ill intent,” Normand said.
“Leaking private health data, especially such sensitive data as your whereabouts, your fertility cycle, and so on — that's just not the same as looking for the best price on a TV online,” she said.
Suzanne Smalley is a reporter covering privacy, disinformation and cybersecurity policy for The Record. She was previously a cybersecurity reporter at CyberScoop and Reuters. Earlier in her career Suzanne covered the Boston Police Department for the Boston Globe and two presidential campaign cycles for Newsweek. She lives in Washington with her husband and three children.