Vandana Slatter represents Washington State’s 48th legislative district and introduced what could be one of the most consequential privacy bills in the country: The My Health, My Data Act, which was signed into law by Governor Jay Inslee on Thursday. Prior to working in politics, she worked as a clinical scientist at companies including Amgen and UCB and as a hospital pharmacist.
Marketing Brew spoke with Rep. Slatter about the bill on Wednesday before it was signed into law.
This interview has been lightly edited and condensed for clarity.
Washington State has tried to pass a broader privacy law for the past few years and has failed. Why did this pass?
I can’t speak to everybody’s vote on this issue…But, for three years, we’ve worked on privacy policy, and broad, comprehensive privacy legislation has not passed. It was not clear that this bill would actually make it across the finish line. Actually, originally, I was not sure if a privacy bill should be in the works after last year’s privacy bill did not make it through the process.
With the recent Dobbs decision, with the restriction of access to reproductive healthcare in other states, with the privacy landscape changing with that decision, it became evident that women’s health data needed to be protected. People’s health data who were accessing reproductive care, gender-affirming care—and were seeking it in Washington State—needed to be protected. Otherwise, they would be targeted by people. There was a gap in that protection on websites, apps, and searches. I think that that helped to address the urgency of this issue.
How important was the inclusion of private right of action? (Editor’s note: Private right of action enables private parties like consumers to sue in order to enforce their rights under the law.)
I’m a healthcare professional, and if I release your personal, deeply sensitive healthcare data, my license is at risk. That same protection of your data does not exist on websites, apps, or searches. A private right of action, or the ability for a consumer to find relief or remedy for somebody releasing that very deeply personal information, I don’t think is a question in certain spaces. But certainly, in the comprehensive data privacy world, that is something that the [tech] industry was really worried about.
A lawyer I interviewed described the law’s consent requirements as being “on steroids” because it goes as far as asking for written consent to collect data, and a company would need an additional layer of consent if it wanted to sell that data. Is that accurate?
If you go to the doctor’s office right now or you get a procedure, generally speaking, you would fill out a consent form so that your doctor could actually share that information with an insurance company, with other physicians…That same level of protection, that same consent, is not provided to you online. Right now, companies can collect, share, and sell that data without your even knowing about it or consenting to it. This bill is basically providing that protection to you; it doesn’t mean that data cannot be collected or shared, but it needs to be transparent that that’s what they’re doing and that they get your consent.
With respect to selling, in the original bill, it was prohibited. But HIPAA does actually allow for selling with valid authorization, so the legal team said to me that we would need to allow it with valid authorization in the bill in order to prevent any kind of constitutional challenge.
There’s a famous example of Target assuming that a customer was pregnant in part because of her online behavior. Are those kinds of assumptions covered under this bill?
Yes, this is not something that’s completely new to data privacy legislation.
Do you have an estimation of compliance costs for tech companies, advertisers, and data brokers?
I don’t have an understanding of the compliance costs. What I can tell you is that we have talked with experts and technologists as to whether or not this would be difficult to implement and where the difficulties would be.
This has been six months of countless meetings and countless changes—hundreds of hours with the tech industry, businesses, diagnostic companies, biopharmaceutical companies, data broker representatives. Any type of industry that reached out to us, we met with them. We spent hours working on the language in order to address their concerns while still protecting sensitive data and trying to stay true to the intent of the bill. We wanted to double check what companies were telling us by reaching out to experts and technologists—those who are privacy watchers—but also those who work in companies right now.