In Part Three of our FAQ series on Washington state’s My Health My Data (MHMD) Act, we answer questions related to the MHMD Act’s enforcement risks – including the much-feared private right of action.

Given the MHMD Act’s broad scope, its private right of action, the potential for large certified classes, the recoverability of attorneys’ fees, and trends under other privacy laws with private rights of action, such as Illinois’ Biometric Information Protection Act (BIPA), we anticipate a wave of litigation under the MHMD Act following the March 31, 2024, effective date for many of the law’s provisions.

Who can sue?

The MHMD Act broadly defines “consumers” to include any natural person who is a Washington resident and any natural person – even if not a US citizen – whose “consumer health data” is “collected” in Washington. Under this definition, any individual whose “consumer health data” is “collected” – which includes being processed – in Washington may argue that they have rights under the law. The plaintiffs’ bar may argue that all individuals whose data touches Washington at some point, regardless of residency status, have the ability to sue under the law. This argument could seem particularly attractive to the plaintiffs’ bar given that two of the largest cloud providers operate data centers in Washington, which could lead to very large potential classes if courts were to accept this MHMD Act interpretation.

The Washington attorney general also can enforce the MHMD Act.

For which violations can ‘regulated entities’ be sued?

The MHMD Act’s private right of action may apply to any MHMD Act violation. This means any failure, however minuscule, to comply with the MHMD Act’s provisions discussed in Part Two of our FAQs may lead to a claim against a “regulated entity,” which we defined in Part One. While many US state consumer privacy laws do not afford a private right of action, those that do often limit the scope of the allowed claims. For example, the California Consumer Privacy Act of 2018 only affords a private right of action for data breaches.

The law also establishes a committee to review claims and actions brought by the attorney general and consumers. The committee must provide a report of its findings to the governor and state Legislature by 2030, including any recommended changes to the law’s enforcement provisions – which may, in the future, lead to changes in claims that can be brought under the MHMD Act.

What does a plaintiff need to prove to recover?

The MHMD Act allows consumers to bring a claim under the Washington Consumer Protection Act (CPA), Revised Code of Washington (RCW) §§ 19.86.020 and 19.86.090. To recover on a CPA claim, a claimant must establish all five of the following elements:

  1. An unfair or deceptive practice.
  2. Occurring in trade or commerce.
  3. Impacting the public interest.
  4. Injuring a consumer in their business or property.
  5. Causation between the unfair or deceptive practice and the injury suffered.

The MHMD Act provides that a violation of its terms “is not reasonable in relation to the development and preservation of business and is an unfair or deceptive act in trade or commerce and an unfair method of competition for the purpose of applying the [CPA],” such that the plaintiffs’ bar will likely argue that any violation of the MHMD Act satisfies elements 1 and 2 of the list above.

Plaintiffs may seek to pursue their MHMD Act claims as class actions. However, regulated entities may argue that the CPA’s particularized injury requirement (element 4 above) renders the claims unsuitable for class treatment due to an absence of “commonality” in injuries or “predominance” in individualized questions. “Commonality” requires class members to “have suffered the same injury.” “Predominance” requires that common questions (not individualized ones) prevail across the class such that each class member’s “claim can be resolved using class-wide proof.” Because of differences in at-issue consumer health data or causal links, class members’ alleged injuries may vary widely.

What remedies are available to consumers who successfully establish claims?

Unlike other US state data protection statutes that afford private rights of action (such as BIPA), neither the MHMD Act nor the CPA provides for the recovery of statutory damages.

The CPA, however, allows successful claimants to recover actual damages, “costs of the suit, including a reasonable attorney’s fee,” and, at the court’s discretion, treble damages up to $25,000, as well as injunctive relief. The ability to recover these damages, potentially on a class basis, may significantly interest the plaintiffs’ bar in litigation under the statute despite the unavailability of statutory damages.

Conclusion

The MHMD Act’s private right of action combined with its onerous and ambiguous obligations may lead to significant claim volume, with the potential for substantial class sizes and attorneys’ fees.

Authors

Lei Shen

Bethany Lobo

Andrew Epstein

Kristin Marshall

Richard Koch

Posted by Cooley