Question 1 of 30
Consider a Washington resident, Anya, who has exercised her right to opt-out of the sale of her personal data under the Washington State Privacy Act (WPA). A technology company, “Innovate Solutions,” which operates within Washington and processes personal data of Washington residents, intends to share Anya’s anonymized browsing history and demographic profile with an external advertising network. This sharing is specifically for the purpose of enabling the advertising network to deliver personalized advertisements to Anya on other websites and applications, based on her inferred interests. Innovate Solutions argues that since Anya’s data is anonymized and the direct monetary transaction is between the advertising network and the advertisers, not directly between Innovate Solutions and the advertising network for this specific data transfer, it does not constitute a “sale” under the WPA. Based on the WPA’s provisions, is Innovate Solutions’ interpretation of “sale” accurate in this context?
The Washington State Privacy Act (WPA), specifically the definitions and scope of the Consumer Protection Act (CPA) as amended by the WPA, outlines requirements for businesses that collect, process, and share personal data of Washington residents. A key aspect of the WPA is the consumer’s right to opt-out of the sale of personal data and targeted advertising. The WPA defines “sale” broadly to include the exchange of personal data for monetary or other valuable consideration, regardless of whether the entity selling the data profits directly from the transaction. It also includes sharing for targeted advertising purposes. When a business shares data with a third party for purposes that do not constitute a “sale” under the WPA, such as for essential business operations or to fulfill a direct request from the consumer, it is not subject to the opt-out requirements related to sales. However, if the sharing is for cross-context behavioral advertising, even without direct monetary exchange, it is considered a sale under the WPA. Therefore, if a Washington resident has opted out of the sale of their personal data, a business cannot share that data with a third party for cross-context behavioral advertising without violating the WPA. The scenario describes sharing data with an advertising network for targeted advertising, which falls under the WPA’s definition of a sale, triggering the opt-out requirement.
Question 2 of 30
A digital marketing firm based in Seattle, operating under Washington state law, collects user browsing history and demographic information from its website visitors. This data is then shared with an analytics provider in exchange for detailed user behavior reports and predictive modeling insights that enhance the firm’s marketing strategies. A visitor, Anya, who resides in Spokane, Washington, wishes to prevent the firm from sharing her browsing history with this analytics provider for these purposes. Which of Anya’s rights under the Washington Privacy Act most directly addresses her objective?
The Washington Privacy Act (WPA), specifically the chapter pertaining to consumer data, outlines distinct rights for consumers regarding their personal data. One of these rights is the right to opt-out of the sale of personal data. The WPA defines “sale” broadly to include exchanges of personal data for monetary or other valuable consideration. When a business collects data and then shares it with a third party for targeted advertising purposes, where the third party provides a benefit to the business (even if not direct monetary payment, such as improved analytics or customer insights that lead to future business advantages), this can be construed as a sale under the WPA if valuable consideration is exchanged. The WPA also grants consumers the right to request deletion of their personal data and the right to access their personal data. However, the core of the question revolves around the consumer’s ability to prevent the *dissemination* of their data in exchange for value, which is directly addressed by the opt-out of sale provision. The consent for data processing is a separate right, and while related, the question specifically probes the action of data sharing for value. The right to opt-out of sale is a proactive measure a consumer can take to prevent certain types of data sharing.
Question 3 of 30
A Washington-based e-commerce company, “Cascadia Collectibles,” receives a verifiable consumer request to delete their personal data. The company has collected the consumer’s name, email address, and purchase history. Cascadia Collectibles argues that they need to retain this data for potential future marketing campaigns and to analyze past sales trends, even though the consumer has not made a purchase in over two years and has not opted into any marketing communications. Under the Washington Privacy Act, what is the most accurate assessment of Cascadia Collectibles’ obligation regarding the deletion request?
The Washington Privacy Act (WPA), specifically the provisions governing consumer data rights, outlines a process for individuals to request the deletion of their personal data. When a controller receives a verifiable consumer request to delete personal data, the WPA mandates that the controller must comply with the request, subject to certain exceptions. These exceptions are crucial for balancing consumer rights with legitimate business needs. For instance, the WPA permits a controller to retain personal data if it is reasonably necessary to complete a transaction for which the personal data was collected, provide a product or service requested by the consumer, perform a contract with the consumer, or if the data is necessary for legal obligations, defending legal claims, or for specific internal uses that are compatible with the context in which the consumer provided the data. The key here is that the retention must be *necessary* and *compatible* with the original purpose or legally permissible. If the data is not subject to any of these exceptions, the controller must delete it. The WPA does not require a controller to retain data indefinitely if a valid deletion request is made and no exceptions apply. Therefore, a controller cannot simply refuse a deletion request based on a general policy of data retention without assessing the applicability of these specific statutory exceptions.
Question 4 of 30
Under the Washington My Health My Data Act, if a consumer withdraws their consent for the processing of their sensitive health data, by what maximum number of days must the controller cease all such processing activities?
The Washington My Health My Data Act (MHMD Act) establishes specific rights for consumers regarding their health data, including sensitive health data. A key aspect of the consumer rights is the right to withdraw consent. When a consumer withdraws consent for the collection, sharing, or sale of their sensitive health data, the controller must cease processing that data without undue delay. The Act specifies that this cessation should occur no later than 15 days after the withdrawal of consent. This 15-day period allows for the technical and operational implementation of the withdrawal request across the controller’s systems, ensuring that further processing of the sensitive health data stops promptly. This timeframe is a critical compliance obligation for entities processing sensitive health data under Washington law.
Question 5 of 30
Consider a Washington-based digital wellness platform, “VitalityVault,” that offers personalized exercise routines, mental well-being exercises, and nutritional guidance. VitalityVault collects user-provided data on their daily mood, stress levels, sleep quality, and physical activity. The platform also offers optional premium services that analyze this data to provide tailored recommendations for improving overall well-being. VitalityVault is not licensed as a healthcare provider in Washington and does not provide medical diagnoses or treatment. Under the Washington My Health, My Data Act, which of the following categories of data collected by VitalityVault is most likely to be considered “health data” requiring specific consent and privacy protections?
The Washington My Health, My Data Act (MHMD Act) defines “health data” broadly to include information that identifies or can reasonably be linked to a consumer and relates to the past, present, or future physical or mental health condition of the consumer. This includes information about medical services provided to the consumer. The Act also defines “health care provider” to include individuals or entities licensed under Washington state law to provide health care services. In the given scenario, “WellnessHub,” a company offering online fitness tracking and personalized nutrition plans, collects data on users’ reported energy levels, sleep patterns, and dietary intake. While this data might be considered health-related, it does not inherently relate to a “physical or mental health condition” in the same way as medical diagnoses or treatment information. Crucially, WellnessHub is not a licensed healthcare provider in Washington state, nor does it provide medical services. The MHMD Act’s scope is specifically tied to data collected in connection with the provision of health care services or by entities acting as health care providers. Therefore, data collected by WellnessHub, which operates outside the regulated healthcare system and does not provide medical services, would not fall under the definition of “health data” as regulated by the MHMD Act. The Act’s intent is to protect sensitive health information directly linked to medical care.
Question 6 of 30
A Washington-based data analytics firm, “Quantify Insights,” regularly collects and processes personal data of Washington residents for marketing and research purposes. A consumer, Ms. Anya Sharma, has previously exercised her right to opt-out of the sale of her personal data under the Washington Privacy Act (WPA). Quantify Insights then enters into an agreement with “Trendspotters Inc.,” a market research company. Under this agreement, Quantify Insights shares a dataset containing the browsing history and online activity of Washington residents, including Ms. Sharma, with Trendspotters Inc. In return, Trendspotters Inc. provides Quantify Insights with proprietary market trend reports valued at $10,000 annually. Which of the following best describes Quantify Insights’ obligation regarding Ms. Sharma’s previously exercised opt-out right in this specific transaction?
The Washington State Privacy Act (WPA), specifically the Washington Privacy Act (RCW 19.375), grants consumers rights regarding their personal data. One crucial right is the right to opt-out of the sale of personal data. Under the WPA, a “sale” is defined broadly to include sharing personal data for monetary or other valuable consideration. This definition is key to understanding when a business must provide an opt-out mechanism. The WPA also distinguishes between data processing for targeted advertising, profiling, and the sale of personal data. While the WPA requires consent for processing sensitive data and provides opt-out rights for targeted advertising and sale, the specific scenario presented involves a data broker sharing a consumer’s browsing history with a third-party analytics firm in exchange for market research reports. This exchange, where browsing history (personal data) is shared for valuable consideration (market research reports), constitutes a sale under the WPA’s broad definition. Therefore, the data broker must honor a consumer’s request to opt-out of this sale. The WPA mandates that controllers provide clear mechanisms for consumers to exercise their opt-out rights, including the sale of personal data. This obligation is distinct from the consent requirements for sensitive data or the opt-out for targeted advertising, though often overlapping in practice. The core principle is that if personal data is exchanged for value, and it’s not for a disclosed purpose of the initial collection, it likely falls under the sale provision, triggering the opt-out right. The WPA’s definition of sale is inclusive, encompassing more than just traditional monetary transactions, and this scenario fits that expansive interpretation.
Question 7 of 30
A Washington-based e-commerce platform, “Cascade Commerce,” shares aggregated user browsing history and purchase patterns with a third-party analytics firm, “Evergreen Insights.” In return for this data, Evergreen Insights provides Cascade Commerce with detailed market trend reports and personalized consumer behavior analyses that Cascade Commerce uses to refine its product offerings and marketing campaigns. Under the Washington Privacy Act (WPA), which of the following best describes the nature of this data transfer and Cascade Commerce’s obligation?
The Washington Privacy Act (WPA), specifically RCW 19.375, outlines consumer rights concerning personal data. A key aspect is the right to opt-out of the sale of personal data. The WPA defines “sale” broadly to include situations where a controller discloses personal data to a third party for monetary or other valuable consideration. This consideration does not need to be a direct financial transaction; it can encompass benefits like advertising, analytics, or other commercial advantages. When a company shares data with a third party for targeted advertising purposes, and the third party provides a commercial benefit in return, this constitutes a sale under the WPA, triggering the consumer’s right to opt-out. The scenario describes a company sharing user browsing history with an analytics firm in exchange for insights that improve the company’s own marketing strategies. These insights represent valuable consideration, making the disclosure a sale. Therefore, the company must provide a mechanism for consumers to opt-out of this specific type of data sharing. The other options are incorrect because they misinterpret the definition of “sale” or the scope of consumer rights under the WPA. For instance, sharing data solely for essential operational purposes without valuable consideration would not be a sale. Similarly, the WPA’s right to opt-out is distinct from rights related to data deletion or access, although these are also consumer rights. The focus here is on the transaction that constitutes a “sale.”
Question 8 of 30
A consumer in Washington State uses a mobile application that, with the consumer’s general consent for location services, collects their precise geolocation data. This application also aggregates data from the consumer’s wearable fitness tracker, which records heart rate, sleep patterns, and activity levels. The developer of this application then uses the collected geolocation data to infer the consumer’s visits to various medical facilities by cross-referencing the location data with a database of healthcare provider addresses. This inferred information about the consumer’s health-related activities is then used for targeted advertising. Under the Washington My Health, My Data Act, what category of data does the inferred information about the consumer’s presence at medical facilities primarily fall into, necessitating specific consent for its processing?
The Washington My Health, My Data Act (MHMD) defines “sensitive health data” broadly to include data that identifies or can reasonably be associated with a consumer and relates to past, present, or future physical or mental health or condition. This encompasses information about an individual’s health status, medical treatments, or healthcare providers. The Act specifically addresses data collected by applications that monitor or track an individual’s health, including data from wearable devices, health and fitness apps, and other digital health tools. When a company collects data from a consumer’s device that indicates their presence at a healthcare provider’s office, this information directly relates to their health condition or treatment, thus qualifying as sensitive health data under the MHMD. The Act requires explicit consent for the collection and sharing of sensitive health data. The scenario describes a mobile application that collects location data, which, when cross-referenced with known healthcare provider locations, reveals a consumer’s presence at a medical facility. This collected data is therefore considered sensitive health data under Washington’s MHMD.
Question 9 of 30
A digital wellness platform operating in Washington State, which collects detailed biometric and health-related information from its users, receives a deletion request from a consumer for all their associated health data. The platform’s terms of service indicate that the collected data is used to personalize user experience and improve its algorithms. However, the platform has recently ceased offering the specific personalized features that directly utilized the consumer’s unique health data, although the data remains stored and is being used for general, anonymized trend analysis to inform future product development. Under the Washington My Health, My Data Act, what is the most appropriate action for the platform to take regarding the consumer’s deletion request?
The Washington My Health, My Data Act (MHMD) grants consumers the right to control their health data. A key aspect of this control is the ability to request the deletion of their health data. The Act specifies conditions under which a controller must honor such a request. When a consumer requests the deletion of their health data, the controller must respond within a specific timeframe and, if they intend to refuse the request, provide a justification for that refusal. The Act outlines specific exemptions to deletion, such as when the data is necessary for the controller to provide a product or service the consumer has requested, or when the data is required for legal compliance or defense. In this scenario, the controller must assess if the health data collected is essential for fulfilling an ongoing service requested by the consumer. If the data is no longer necessary for that purpose, or if no other legal basis for retention exists, the deletion request must be honored. The Act does not permit a controller to refuse a deletion request simply because it is inconvenient or to retain data indefinitely for future, unspecified analytical purposes without a valid legal basis or consumer consent. The correct response involves the controller adhering to the statutory requirements for deletion or providing a legally permissible reason for refusal, aligning with the principles of data minimization and purpose limitation inherent in privacy legislation.
                        Question 10 of 30
10. Question
A technology company operating in Washington State offers a popular wearable device that collects detailed physiological data, such as heart rate variability, sleep patterns, and activity levels. This data is used to provide personalized wellness insights to users. The company’s privacy policy, which users must agree to, broadly states that collected data may be used for product improvement and research. A Washington resident, after using the device for six months, decides they no longer wish for their physiological data to be collected or processed. They submit a formal request to the company to withdraw their consent and delete all associated data. Under the Washington My Health, My Data Act, what is the company’s primary obligation upon receiving this request, and what is the maximum timeframe for compliance?
Correct
The Washington My Health, My Data Act (MHMD) grants consumers the right to control their health data. Specifically, it requires a controller to obtain consent before collecting, sharing, or selling health data. The act defines “health data” broadly to include data that identifies or can reasonably be associated with a consumer and relates to the consumer’s past, present, or future physical or mental health. This includes data generated by wearable devices that track physiological metrics. When a consumer exercises their right to withdraw consent, the controller must cease processing the data and delete it, unless retention is required by law or for the purpose for which it was collected with consent. In this scenario, the wearable device company collected data from its users in Washington. A user withdraws consent for the processing of their data. The company must honor this request by ceasing further processing and deleting the data. The act also mandates that a controller must respond to a consumer request to withdraw consent within 45 days. Therefore, the company must cease processing and delete the data within this timeframe. The initial collection without explicit consent for the specific purposes outlined in the act would be a violation, but the primary action required upon withdrawal of consent is cessation of processing and deletion. The act does not require a controller to provide a refund for services already rendered when consent is withdrawn.
Question 11 of 30
11. Question
A digital wellness application, operating primarily within Washington State, collects user-provided information such as dietary logs, sleep patterns, and self-reported mood entries. While the application does not explicitly ask for medical diagnoses, the aggregate and anonymized data, when analyzed by the company, reveals correlations between certain dietary habits and reported mood fluctuations. If this company decides to share the anonymized data with a third-party research firm that specializes in nutritional psychology for a study on the impact of diet on mental well-being, without obtaining explicit affirmative consent from its users for this specific data sharing activity, which Washington privacy law would be most directly implicated and potentially violated?
Correct
The Washington My Health My Data Act (MHMDA) establishes specific rights for consumers regarding their health data, which is broadly defined to include data linked or reasonably linkable to a consumer that identifies their past, present, or future physical or mental health status. The Act also defines “health data” to include data that could be used to infer health status. A key aspect of the MHMDA is the consent framework it imposes on regulated entities. Specifically, the Act requires a consumer’s affirmative consent to collect, share, or sell their health data. This consent must be freely given, specific, informed, and unambiguous. The Act also mandates that regulated entities must provide consumers with the right to withdraw consent and the right to request the deletion of their health data. When considering the sale of health data, the MHMDA explicitly prohibits the sale of health data without the consumer’s consent. Furthermore, it requires regulated entities to provide a clear and conspicuous notice to consumers about the sale of their health data and the categories of third parties to whom it is sold. The Act also outlines specific disclosure requirements regarding data collection and sharing practices. The question probes the core principle of consent for data sharing under MHMDA, specifically when a company collects data that, while not directly health-related, can be reasonably linked to infer health status. The Act’s broad definition of health data means that even seemingly innocuous data, if it can be used to infer health, falls under its purview. Therefore, any sharing of such data without affirmative consent would violate the Act.
Question 12 of 30
12. Question
A genomic sequencing company operating in Washington State receives a request from a consumer, Ms. Anya Sharma, to delete her genomic data. The company collected this data with Ms. Sharma’s explicit consent to provide her with a personalized health report, which has now been delivered. The company’s internal policy allows for data retention for a period of five years following the completion of service delivery for analytical and research purposes, which is considered a reasonable period under industry standards. The company does not intend to sell this data or share it with third parties for marketing. Which of the following actions best aligns with the Washington My Health, My Data Act (MHMD) regarding Ms. Sharma’s deletion request?
Correct
The Washington My Health, My Data Act (MHMD) grants consumers the right to request the deletion of their health data. When a consumer makes such a request, a regulated entity must honor it, subject to certain exceptions. One such exception is if the data is necessary for the entity to exercise its right to freedom of speech or of the press. Another significant exception is if the data is required to be retained by federal or state law. The Act also specifies that a regulated entity must retain the data if it is necessary for the entity to complete the transaction for which the personal data was collected, or for a reasonable period after the transaction, to provide a product or service requested by the consumer. In this scenario, the primary purpose of collecting the genomic sequencing data was to provide a personalized health report to Ms. Anya Sharma. Therefore, retaining the data to fulfill this initial transaction and provide the requested service is a valid reason to deny the deletion request, provided the retention is for a reasonable period after the transaction completion. The question asks for the most appropriate action under the MHMD. Acknowledging the request and informing Ms. Sharma that the data is retained to fulfill the completed transaction and provide the requested service, while also informing her of her other rights, aligns with the Act’s provisions for handling deletion requests when exceptions apply. The MHMD requires a response to a deletion request within a specified timeframe, and if an exception applies, the entity must inform the consumer of the basis for the denial.
Question 13 of 30
13. Question
A telehealth service provider operating within Washington State collects detailed personal health information from its patients to facilitate remote medical consultations and treatment plans. This provider is recognized as a covered entity under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). If this provider exclusively uses the collected health information for the direct provision of medical care and adheres to all HIPAA privacy and security regulations, does the Washington My Health, My Data Act impose any additional disclosure or consent requirements on the provider for this specific data?
Correct
The Washington My Health, My Data Act (MHMD Act) establishes specific rights for consumers regarding their health data. A key aspect is the definition of “health data” itself, which is broadly construed to include data that identifies or can reasonably be associated with a consumer and that relates to past, present, or future physical or mental health condition, health care, or health services. This definition is crucial for determining the scope of the Act’s protections. The MHMD Act specifically exempts certain types of data, including deidentified health data, which is data that cannot be used to identify an individual. The Act also exempts data collected, used, or disclosed by a covered entity or business associate under HIPAA, as well as data collected, used, or disclosed by a federal agency, if that collection, use, or disclosure is subject to HIPAA. Furthermore, data collected or used for purposes of public health activities and purposes for which data is collected under the federal Health Insurance Portability and Accountability Act of 1996 (HIPAA) are also excluded. The question focuses on whether data collected by a Washington-based telehealth provider, which is also a covered entity under HIPAA, for the purpose of providing direct patient care, falls under the MHMD Act’s purview. Since the data is collected by a HIPAA-covered entity for direct patient care, it is already regulated under HIPAA. The MHMD Act explicitly excludes data subject to HIPAA. Therefore, this data is not subject to the additional requirements of the MHMD Act.
Question 14 of 30
14. Question
A Washington-based technology company, “Vitality Trackers,” develops and markets wearable devices that collect detailed physiological information, including heart rate variability, sleep cycle stages, and caloric expenditure. This data is transmitted to a cloud-based platform where it is analyzed to provide users with personalized health insights. Vitality Trackers subsequently enters into an agreement with a marketing analytics firm, “Insight Metrics,” to sell aggregated, anonymized user activity data to assist Insight Metrics in identifying consumer trends for targeted advertising campaigns. A user, Ms. Anya Sharma, a resident of Seattle, Washington, who purchased a Vitality Trackers device, discovers this data sharing practice and submits a formal request to Vitality Trackers to cease selling her health data and to delete all associated health data collected by the company. Which of the following best describes Vitality Trackers’ legal obligation under the Washington My Health My Data Act in response to Ms. Sharma’s request?
Correct
The Washington My Health My Data Act (MHMDA) establishes specific rights for consumers regarding their health data. A key aspect is the prohibition of selling or sharing health data without consent, with limited exceptions. The Act defines “health data” broadly to include information that identifies or can reasonably be associated with a consumer and that relates to the past, present, or future physical or mental health condition of the consumer. This includes data collected through consumer health technologies. The Act also mandates clear privacy notices and requires controllers to implement reasonable security safeguards. When a controller receives a request to delete health data, they must honor that request unless an exception applies. Exceptions include situations where the data is necessary to complete a transaction for which the health data was collected, to prevent immediate harm, or for certain legal or regulatory compliance reasons. In this scenario, the data collected via the fitness tracker, which monitors heart rate, sleep patterns, and activity levels, clearly falls under the definition of health data under MHMDA. The fitness company’s sale of this data to a third-party advertising firm without explicit consent violates the Act. Therefore, the company must cease the sale and delete the data upon request, subject to the Act’s exceptions. Since no exceptions are indicated in the scenario that would permit continued sale or refusal of deletion, the company is obligated to comply with the deletion request. The correct response focuses on the obligation to delete health data when requested by the consumer, which is a core consumer right under the MHMDA.
Question 15 of 30
15. Question
Consider a Washington-based company that operates a popular wellness application. This application allows users to log their visits to various fitness studios, track their participation in different exercise classes, and record their self-declared wellness aspirations, such as “improve cardiovascular health” or “increase flexibility.” The company does not directly provide any medical diagnosis, treatment, or healthcare services. If the data collected solely pertains to the frequency of fitness studio visits and these general wellness goals, does this data constitute “health data” as defined by the Washington My Health My Data Act, triggering the Act’s specific consent and sharing provisions?
Correct
The Washington My Health My Data Act (MHMDA) establishes specific requirements for businesses that collect, share, or sell health data. A key aspect of the MHMDA is the definition of “health data” and the consent mechanisms required for its processing. The Act defines “health data” broadly to include data that identifies or can reasonably be used to identify a consumer in relation to their past, present, or future physical or mental health status. This includes data derived from a consumer’s interaction with a healthcare provider, health conditions, medical history, or any data that reveals a consumer’s attempt to seek health care services. The MHMDA also mandates that controllers obtain affirmative, opt-in consent before collecting or sharing health data, and a separate opt-in consent for the sale of health data. The Act further outlines specific rights for consumers, including the right to access, delete, and withdraw consent for the use and sharing of their health data. When evaluating a scenario under the MHMDA, it is crucial to identify whether the data in question falls under the Act’s definition of health data and whether the appropriate consent mechanisms have been followed. The scenario describes a company collecting data on users’ visits to fitness studios and their stated wellness goals. While wellness goals might seem health-related, the MHMDA’s definition of “health data” is tied to identifying a consumer in relation to their *past, present, or future physical or mental health status*, often in connection with healthcare providers or medical conditions. 
Data solely related to general fitness activities or stated wellness aspirations, without a direct link to a diagnosed condition, treatment, or healthcare provider interaction, may not meet the MHMDA’s threshold for “health data.” Therefore, if the collected data primarily consists of fitness studio visit frequency and self-reported, non-specific wellness goals, and does not reveal a specific health condition or treatment, it would likely not be considered “health data” under the MHMDA, and thus the Act’s specific consent requirements for health data would not apply.
Question 16 of 30
16. Question
Consider a digital platform based in California that offers personalized subscription services, including curated news digests and product recommendations, to users across the United States. The platform actively collects user browsing history, purchase patterns, and demographic information to tailor these services. If this platform begins to specifically target Washington state residents with advertisements for unique Washington-based tourism packages and offers discounts on goods sold by Washington-based retailers, thereby collecting data on their engagement with these specific offers, which of the following best describes the platform’s obligation under the Washington Privacy Act (WPA)?
Correct
The Washington Privacy Act (WPA), specifically the version that took effect in 2023, defines a “consumer” as a natural person who is a resident of Washington. The WPA grants specific rights to these consumers regarding their personal data. A key aspect of the WPA is its extraterritorial reach, meaning it can apply to controllers and processors that are not physically located in Washington if they conduct business in the state or target Washington residents. The definition of “resident” under the WPA is generally aligned with the concept of domicile or habitual abode, but for the purposes of the WPA, it specifically refers to a natural person who is present in Washington and not solely present in Washington on a temporary or transitory basis. This definition is crucial for determining who has rights under the act. When evaluating whether a business is subject to the WPA, factors such as offering goods or services to Washington residents, or monitoring the online activities of Washington residents, are considered. The act aims to provide Washington consumers with control over their personal information, including rights to access, correction, deletion, and opting out of the sale of personal data and targeted advertising. The applicability of the WPA is determined by the business’s activities and its relationship with Washington residents, rather than solely on the business’s physical location.
Question 17 of 30
17. Question
Consider a Washington-based technology firm that offers a popular wellness application. This application collects anonymized user activity data, but through a sophisticated aggregation process, it can reasonably link this data back to individual users and infer their past, present, or future physical or mental health status, even if no direct medical diagnosis is involved. This data is then offered for sale to third-party marketing companies. Which specific prohibition under the Washington My Health, My Data Act (MHMD Act) would most directly apply to this firm’s practice, assuming the data collection and offering for sale occurred after the Act’s effective date and the firm targets Washington consumers?
Correct
The Washington My Health, My Data Act (MHMD Act) establishes specific rights for consumers regarding their health data, including sensitive health data. This act grants consumers the right to access, delete, and prevent the sale or sharing of their health data. The definition of “health data” under the MHMD Act is broad and includes data that is linked or reasonably linkable to a consumer and that identifies or can be used to identify the consumer’s past, present, or future physical or mental health status. This encompasses a wide range of information beyond traditional medical records, such as geolocation data indicating visits to healthcare facilities or data revealing engagement with health-related content or services. The Act specifically targets data collected by entities that do not have a direct treatment relationship with the consumer, thereby extending privacy protections to data collected by non-traditional healthcare providers or data brokers. The prohibition on selling or sharing health data without consent is a core tenet, aiming to prevent the commercial exploitation of sensitive personal health information. The Act’s scope is limited to data collected by entities operating in Washington or targeting Washington consumers, and it applies to data collected on or after July 23, 2023. The MHMD Act also mandates specific consent requirements for the collection, use, and sharing of health data, emphasizing transparency and consumer control. The question asks about the specific prohibition concerning the sale or sharing of health data under this act. The MHMD Act explicitly prohibits the sale or sharing of health data without the consumer’s affirmative consent. This prohibition is a direct and unambiguous provision within the law.
Incorrect
The Washington My Health, My Data Act (MHMD Act) establishes specific rights for consumers regarding their health data, including sensitive health data. This act grants consumers the right to access, delete, and prevent the sale or sharing of their health data. The definition of “health data” under the MHMD Act is broad and includes data that is linked or reasonably linkable to a consumer and that identifies or can be used to identify the consumer’s past, present, or future physical or mental health status. This encompasses a wide range of information beyond traditional medical records, such as geolocation data indicating visits to healthcare facilities or data revealing engagement with health-related content or services. The Act specifically targets data collected by entities that do not have a direct treatment relationship with the consumer, thereby extending privacy protections to data collected by non-traditional healthcare providers or data brokers. The prohibition on selling or sharing health data without consent is a core tenet, aiming to prevent the commercial exploitation of sensitive personal health information. The Act’s scope is limited to data collected by entities operating in Washington or targeting Washington consumers, and it applies to data collected on or after July 23, 2023. The MHMD Act also mandates specific consent requirements for the collection, use, and sharing of health data, emphasizing transparency and consumer control. The question asks about the specific prohibition concerning the sale or sharing of health data under this act. The MHMD Act explicitly prohibits the sale or sharing of health data without the consumer’s affirmative consent. This prohibition is a direct and unambiguous provision within the law.
Question 18 of 30
A Washington-based company, “VitalityWear,” manufactures and sells wearable fitness trackers that collect detailed biometric data, including heart rate variability, sleep patterns, and activity levels. This data is transmitted to their cloud platform for analysis and personalized health insights. VitalityWear also shares anonymized and aggregated data with third-party research institutions for public health studies. A consumer residing in Washington, Ms. Anya Sharma, uses a VitalityWear device. VitalityWear’s privacy policy states that it may share “aggregated health insights” with partners. Ms. Sharma, after reviewing the Washington My Health, My Data Act, decides to opt-out of the sale of her sensitive health data. VitalityWear receives her opt-out request through their portal. Which of the following actions must VitalityWear take in response to Ms. Sharma’s opt-out request under the Washington My Health, My Data Act?
Correct
The Washington My Health, My Data Act (MHMD Act) establishes specific rights for consumers regarding their health data. A key aspect of this act is the right to opt-out of the sale of sensitive health data. The MHMD Act defines “sensitive health data” broadly, encompassing information that, alone or in combination with other information, could reasonably be used to infer health status. This includes data collected through connected devices that monitor health. When a consumer exercises their right to opt-out, the regulated entity must cease selling that consumer’s sensitive health data. The act also mandates that regulated entities provide clear notice of their data collection and sale practices and offer mechanisms for consumers to exercise their rights, including opt-out requests. The requirement to honor an opt-out request is a fundamental consumer protection under the MHMD Act, preventing the unauthorized commercial transfer of sensitive health information without explicit consent or a valid opt-in. The act’s scope extends to entities that conduct business in Washington or produce products or services targeted to Washington consumers and meet certain revenue thresholds, making its provisions applicable to a wide range of businesses that handle health-related data.
Question 19 of 30
Consider a digital platform based in California that offers a service allowing users to track their fitness activities and nutrition intake. This platform explicitly states in its privacy policy that it collects user-provided health and fitness data, including workout logs, dietary information, and self-reported mood and energy levels. The platform also collects data on the specific health-related search queries users make within its app. While the platform does not have a physical presence in Washington state, it actively markets its services to residents of Washington and has a significant number of active users residing there. The platform then shares aggregated, but still identifiable, user health search query data with a third-party marketing analytics firm for the purpose of creating targeted advertising campaigns for health and wellness products directed at Washington residents. Under the Washington My Health My Data Act (MHMDA), what is the most accurate characterization of the platform’s activities concerning Washington consumers?
Correct
The Washington My Health My Data Act (MHMDA) establishes specific requirements for the collection, sharing, and sale of consumer health data. A key aspect of this act is the definition of “consumer health data” and the consent mechanisms required for its processing. The MHMDA defines consumer health data broadly to include information that a consumer provides to a business, that a business generates about a consumer in the course of providing health services, or that a business infers about a consumer’s past, present, or future health status. This includes data related to medical conditions, treatments, diagnoses, and even information about a consumer’s search history for health-related topics. The act mandates that businesses obtain affirmative consent from consumers before collecting or sharing their consumer health data. This consent must be specific, voluntary, and informed. Furthermore, the MHMDA provides consumers with the right to withdraw consent, request deletion of their data, and opt out of the sale of their consumer health data. The definition of “sale” under the MHMDA is also broad, encompassing the exchange of consumer health data for monetary or other valuable consideration. The Act’s applicability extends to businesses that conduct business in Washington or target Washington consumers and process consumer health data, regardless of whether they have a direct relationship with the consumer. Therefore, a business that operates solely online, targets Washington residents, and collects health-related search queries without a physical presence in Washington would still be subject to the MHMDA’s provisions regarding the collection and sale of such data. The scenario presented involves a business collecting sensitive health-related search queries from Washington residents, which falls squarely within the scope of “consumer health data” as defined by the MHMDA. 
The subsequent sharing of this data with third parties for targeted advertising, without explicit consent, constitutes a violation of the Act’s prohibition on the sale and sharing of such data without proper authorization.
Question 20 of 30
Consider a Washington-based mobile application, “Zenith Wellness,” that collects user-provided data on daily step counts, perceived stress levels, and sleep duration. Zenith Wellness then shares aggregated, anonymized data regarding general sleep trends in different Washington zip codes with a third-party market research firm that studies consumer lifestyle habits. Under the Washington My Health My Data Act (MHMDA), what is the most accurate assessment of Zenith Wellness’s data handling practices in this specific scenario?
Correct
The Washington My Health My Data Act (MHMDA) grants consumers significant rights regarding their health data, including the right to access, delete, and prevent the sale or sharing of their health data. A key aspect of MHMDA is its broad definition of “health data,” which encompasses data that identifies or can reasonably be associated with a consumer and relates to their past, present, or future physical or mental health status. This includes information about healthcare services received, health conditions, and even data collected through apps or devices that infer health status. The Act imposes specific obligations on “regulated entities,” which are businesses that collect, share, or sell health data. These obligations include obtaining consent, providing clear privacy notices, and honoring consumer requests. The scenario involves a wellness app that collects data on sleep patterns, exercise frequency, and mood, which are all indicators of a consumer’s health status. When this app shares aggregated, anonymized data with a third-party research firm for studies on general well-being trends, it must still adhere to MHMDA’s principles if the data, even when aggregated, could reasonably be linked back to individuals or if the aggregation process itself is not sufficiently robust to truly de-identify the data according to legal standards. The core principle is that if the data pertains to an individual’s health, MHMDA’s protections are likely engaged. The Act’s emphasis on “reasonable association” means that even data not explicitly labeled as health information can fall under its purview if it can be used to infer health status. Therefore, sharing even aggregated data without explicit consent for such sharing, or without ensuring true anonymization that prevents re-identification, would likely violate the Act. The Act’s provisions regarding the sale and sharing of health data are particularly stringent, requiring affirmative consent for these activities.
Question 21 of 30
A Washington-based company, “Vitality Metrics,” offers a popular wearable fitness tracker. The company collects user activity levels, sleep patterns, and heart rate data. Through advanced algorithmic analysis, Vitality Metrics can infer a user’s potential susceptibility to certain mental health conditions by correlating aggregated biometric data with publicly available demographic and social media information. Vitality Metrics wishes to share these inferred mental health insights with third-party advertisers for personalized marketing campaigns without obtaining explicit, affirmative opt-in consent from its users. Under the Washington My Health, My Data Act, what is the most accurate characterization of Vitality Metrics’ intended data processing activity concerning its users’ inferred mental health insights?
Correct
The Washington My Health, My Data Act (MHMD Act) provides consumers with significant rights regarding their health data. A key aspect of this law is the requirement for controllers to obtain opt-in consent before collecting, sharing, or selling sensitive health data. The MHMD Act defines “sensitive health data” broadly, encompassing data that identifies or can reasonably be used to infer information about an individual’s past, present, or future health status. This includes data related to medical conditions, treatments, diagnoses, and even data that, when combined with other information, could reveal such health details. The law also mandates specific disclosures to consumers about data practices and provides a private right of action for violations. When a controller seeks to process sensitive health data, the consent must be affirmative, specific, informed, and unambiguous. The absence of a response or the use of pre-checked boxes does not constitute valid consent under the MHMD Act. Furthermore, the law requires controllers to provide consumers with the ability to withdraw consent easily. The scenario describes a situation where a fitness tracking company collects data that, through sophisticated analysis and correlation with other publicly available information, could infer an individual’s mental health status. This inferential capability places the collected data within the scope of “sensitive health data” as defined by the MHMD Act, necessitating opt-in consent for its processing, including sharing with third parties for targeted advertising.
Question 22 of 30
A Washington-based online retailer, “Cascadia Goods,” collects customer browsing history and purchase patterns to personalize advertisements on its own platform. A customer, Mr. Elias Vance, residing in Seattle, Washington, submits a valid request to opt out of the sale of his personal data. Cascadia Goods interprets “sale” narrowly, believing it only applies to sharing data with third-party advertisers for monetary compensation, and continues to use Mr. Vance’s browsing history to target ads on its own website, arguing this is not a “sale” under the WPA. What is the most accurate interpretation of Cascadia Goods’ obligation under the Washington Privacy Act regarding Mr. Vance’s opt-out request?
Correct
The Washington Privacy Act (WPA), specifically the Consumer Protection Act (CPA) as amended by the WPA, establishes rights for consumers regarding their personal data. A key aspect is the right to opt-out of the sale of personal data and targeted advertising. When a controller receives a request to opt-out of the sale of personal data, they must cease selling the consumer’s personal data. This cessation is not merely a temporary pause but a permanent discontinuation of the sale of that specific consumer’s data. The law does not require a specific waiting period before honoring such a request, nor does it permit continued sale after a request is made, even if the data is anonymized, as the original data was subject to the sale. The obligation is to stop the sale of the *personal data* as defined by the act. Therefore, a controller must cease selling the consumer’s personal data upon receiving a valid opt-out request.
Question 23 of 30
A company, “AuraBalance,” offers a wearable device and accompanying mobile application designed to monitor users’ sleep cycles, heart rate variability, and perceived stress levels. The product marketing emphasizes its role in promoting overall well-being and facilitating stress management. AuraBalance collects this data and, with user permission granted through a broad, pre-checked consent box in its terms of service, shares anonymized aggregate data with third-party research firms studying sleep patterns and stress correlations. Under the Washington My Health, My Data Act, what is the primary legal implication for AuraBalance’s data collection and sharing practices concerning the data gathered from its users?
Correct
The Washington My Health, My Data Act (MHMD) grants consumers specific rights regarding their health data, including sensitive health data. The Act defines sensitive health data broadly, encompassing information that, when combined with other information, could reasonably indicate a person’s past, present, or future health status. This includes data collected through a health and wellness service, even if not directly medical. A health and wellness service is defined as a product or service that collects, processes, or shares health data, or is marketed as being for health purposes. In the given scenario, “AuraBalance,” a device and associated app that tracks sleep patterns, heart rate variability, and stress levels, and is marketed as promoting overall well-being and stress reduction, clearly falls under the definition of a health and wellness service. The data collected, such as sleep quality, heart rate, and stress indicators, constitutes sensitive health data under the MHMD. Therefore, AuraBalance is subject to the Act’s requirements for obtaining consent for the collection and sharing of this sensitive health data. The Act mandates that a controller must obtain a consumer’s affirmative express consent before collecting or sharing sensitive health data. This consent must be specific, informed, and freely given. Without this consent, AuraBalance’s continued collection and sharing of this data would be a violation of the MHMD.
Question 24 of 30
A technology firm based in Seattle, Washington, intends to implement a new analytics platform that will aggregate user behavior data from its mobile application for the purpose of developing personalized user experiences. This platform will involve profiling users based on their app usage patterns, location data, and purchase history. The firm anticipates this processing will involve sensitive data categories as defined by the WPA. Considering the potential for significant impact on consumer privacy, which of the following actions is most aligned with the Washington State Privacy Act’s requirements for managing heightened risk processing?
Correct
The Washington State Privacy Act (WPA), specifically the Washington Privacy Act of 2023 (SB 5261), governs the processing of personal data by controllers and processors. A key aspect of the WPA is the requirement for controllers to conduct and document Data Protection Assessments (DPAs) for processing activities that present a heightened risk of harm to consumers. This heightened risk is triggered by certain types of processing, such as targeted advertising, selling personal data, or processing sensitive data. The WPA does not mandate a DPA for every data processing activity, but rather for those deemed to carry a significant risk. The assessment should consider the nature, scope, context, and purpose of the processing, as well as the rights and freedoms of consumers. The WPA also specifies that these assessments should be conducted periodically and updated when processing activities change in a way that increases risk. The obligation to conduct a DPA is a proactive measure designed to ensure that privacy risks are identified and mitigated before significant harm occurs to individuals.
Question 25 of 30
A technology firm, “GeoHealth Analytics,” based in Seattle, Washington, operates a popular fitness tracking application. The application collects users’ precise geolocation data to provide personalized workout route suggestions and local health facility information. GeoHealth Analytics, however, only provides a general privacy policy that informs users about data collection without explicitly requesting affirmative express consent for the collection and sharing of their precise geolocation data. They also share this precise geolocation data with a third-party marketing firm located in Portland, Oregon, for targeted advertising purposes, again without obtaining specific consent for this secondary use. Under the Washington My Health, My Data Act, what is the primary legal deficiency in GeoHealth Analytics’ data handling practices concerning precise geolocation data?
Correct
The Washington My Health, My Data Act (MHMD Act) establishes specific requirements for the collection, processing, and sharing of consumer health data. A key aspect of this act is the concept of consent. The MHMD Act mandates that a controller must obtain affirmative express consent from a consumer before collecting or sharing their precise geolocation data. This consent must be specific, informed, and freely given. Furthermore, the Act outlines that a controller must provide consumers with a clear and conspicuous notice detailing the categories of health data collected, the purposes of collection, and with whom the data will be shared. The Act also includes provisions for consumer rights, such as the right to access, delete, and opt-out of the sale of their health data. In the scenario presented, the company is collecting precise geolocation data without obtaining the required affirmative express consent, which directly violates the MHMD Act’s provisions. The Act’s enforcement mechanism includes potential statutory damages and injunctive relief.
Question 26 of 30
Consider a technology firm operating a popular fitness tracking mobile application within Washington State. The application collects data points such as daily step counts, duration and quality of sleep, and user-inputted daily mood assessments (e.g., “energetic,” “tired,” “stressed”). This data is stored and processed by the firm. According to the Washington My Health, My Data Act, under what classification of data would this information primarily fall, necessitating specific consumer consent and data handling practices?
Correct
The Washington My Health, My Data Act (MHMD Act) defines “health data” broadly to include information that identifies or can reasonably be linked to a consumer and relates to the consumer’s past, present, or future physical or mental health status. This definition is critical for determining the scope of the Act’s protections. When a company collects data from a mobile application that tracks a user’s daily steps, sleep patterns, and self-reported mood, it is gathering information that can be directly linked to a consumer’s health status, even if it doesn’t explicitly record a diagnosis. For instance, consistent low step counts or negative mood reports can indicate potential health concerns. Therefore, this type of data falls under the MHMD Act’s definition of health data, triggering requirements for consent and data protection. The Act’s emphasis on data that “relates to” health status means that even indirect indicators are covered. The determination here is conceptual rather than mathematical: the collected data points (steps, sleep, mood) are reasonably linkable to a consumer and relate to their physical or mental health status. This direct relationship to health status is the core of the determination.
 - 
                        Question 27 of 30
27. Question
Luminara Solutions, a Washington-based online retailer, shares aggregated customer purchase history data with Insight Analytics, a market research firm. Insight Analytics provides Luminara Solutions with detailed reports on emerging consumer trends and competitor activity in exchange for this data. Both companies operate within Washington state and process personal data of Washington residents. Under the Washington Privacy Act (WPA), what is Luminara Solutions’ primary obligation regarding this data sharing arrangement if a Washington resident has previously submitted a request to opt out of the sale of their personal data?
Correct
No calculation is required for this question as it tests conceptual understanding of Washington’s data privacy law, specifically the Washington Privacy Act (WPA). The WPA grants consumers rights regarding their personal data, including the right to opt out of the sale of personal data. The definition of “sale” under the WPA is broad and includes sharing personal data for monetary or other valuable consideration. In the scenario presented, “Luminara Solutions” is sharing customer data with “Insight Analytics” in exchange for market trend analysis and insights. This exchange, even if not a direct monetary transaction for the data itself, constitutes valuable consideration. Therefore, Luminara Solutions must provide consumers with an opt-out mechanism for this type of data sharing, aligning with the WPA’s provisions on the sale of personal data. The WPA’s focus is on the transfer of personal data to third parties for purposes beyond the original disclosed purpose, where such transfer benefits the controller through consideration, which can be monetary or otherwise valuable. This includes sharing for profiling, advertising, or market research purposes, as depicted in the case. The obligation to honor opt-out requests for sales is a core consumer protection under the WPA, ensuring individuals have control over how their information is monetized or leveraged by businesses.
28. Question
Consider a Washington-based health and wellness application, “Vitality Tracker,” which collects user activity levels, sleep patterns, and self-reported mood data. A user, Kai, initially consented to the collection and sharing of this data. Six months later, Kai withdraws consent through the application’s portal. Vitality Tracker had previously shared Kai’s anonymized sleep pattern data with a third-party research firm for a study on circadian rhythms. According to the Washington My Health My Data Act, what is Vitality Tracker’s primary obligation regarding Kai’s withdrawn consent and the previously shared data?
Correct
The Washington My Health My Data Act (MHMD Act) grants consumers rights regarding their health data, including sensitive health data. A controller must obtain a consumer’s opt-in consent before collecting or sharing sensitive health data. The Act defines “sensitive health data” broadly to include data that identifies a consumer and relates to past, present, or future physical or mental health conditions, medical conditions, or health care. This includes data collected through a device or service that is reasonably likely to infer a health condition. When a consumer withdraws consent, the controller must cease processing the sensitive health data and, where feasible, delete it. Sharing data with third parties after consent withdrawal requires a reasonable effort to notify those third parties to cease processing. The Act also mandates that a controller must honor a consumer’s request to withdraw consent for the sale of sensitive health data. If a controller has shared sensitive health data with third parties prior to consent withdrawal, they must provide notice to those third parties to cease processing that data. The most accurate response reflects the controller’s obligation to cease processing and delete the data upon withdrawal, and to reasonably notify third parties with whom the data was shared.
29. Question
WellBeing Analytics, a company operating primarily in the digital wellness sector, collects data from users across the United States through its popular mobile application. This application tracks users’ exercise frequency, sleep patterns, and dietary habits, linking this information to user accounts. A significant portion of its user base resides in Washington state. The company plans to share aggregated, anonymized data with third-party research firms for studies on public health trends. However, a recent internal review has raised questions about whether this data constitutes “health data” under Washington’s My Health, My Data Act (MHMD Act) and what obligations, if any, the company has regarding Washington residents’ data, even if shared in an aggregated and anonymized form. Which of the following best describes WellBeing Analytics’ obligations concerning the health data of Washington residents under the My Health, My Data Act, considering the planned sharing?
Correct
The Washington My Health, My Data Act (MHMD Act) grants consumers rights concerning their health data, including the right to access, delete, and prevent the sale or sharing of their health data. A “consumer” under the Act is defined as a natural person residing in Washington or to whom the Act applies. The Act distinguishes between “health data” and “sensitive health data.” Health data is broadly defined to include data that is linked or reasonably linkable to a consumer or household that identifies or could reasonably be used to identify a consumer or household, and that relates to the past, present, or future physical or mental health condition of a consumer. Sensitive health data includes a more specific subset of health data, such as data that reveals a consumer’s precise geolocation, data revealing the consumer’s consumption of drugs or services for the treatment of mental health conditions, or data revealing a consumer’s specific medical treatments. In this scenario, the data collected by “WellBeing Analytics” about users’ exercise frequency, sleep patterns, and dietary habits, when linked to an individual’s account or device, falls under the broad definition of “health data” as it relates to their physical health condition. While not explicitly listed as “sensitive health data” in the same vein as precise geolocation or mental health treatment, the combination of these data points can provide significant insights into an individual’s health. Crucially, the Act applies to entities that collect, process, or share the health data of Washington consumers. WellBeing Analytics, by collecting this data from individuals residing in Washington, is subject to the Act’s requirements. The Act mandates that such entities obtain consent before collecting or sharing health data and provide consumers with specific rights regarding their data, including the right to opt out of the sale of their health data.
Therefore, WellBeing Analytics must comply with the MHMD Act’s provisions concerning the collection, processing, and potential sale or sharing of this health data.
30. Question
LuminaTech, a technology firm headquartered in Seattle, Washington, collects extensive user data through its popular productivity application. The company’s business model involves sharing anonymized user engagement metrics with third-party analytics firms for market research purposes, receiving financial compensation for this data sharing. Anya Sharma, a resident of Spokane, Washington, and a user of LuminaTech’s application, has reviewed LuminaTech’s privacy policy and is concerned about the sharing of her engagement data. She submits a verifiable request to LuminaTech, explicitly stating her desire to opt out of the sale of her personal data as permitted under Washington state law. According to the Washington Privacy Act (RCW 19.370), what is LuminaTech’s primary legal obligation upon receiving Anya Sharma’s opt-out request?
Correct
The Washington Privacy Act (WPA), specifically RCW 19.370, outlines the rights of consumers regarding their personal data and the obligations of controllers. One of the key rights granted to consumers is the right to opt out of the sale of their personal data. The WPA defines “sale” broadly to include situations where a controller discloses personal data for monetary or other valuable consideration, excluding specific enumerated exceptions. When a consumer exercises their right to opt out of the sale of their personal data, a controller must honor this request. The WPA also requires controllers to provide clear mechanisms for consumers to exercise this right. In the scenario presented, LuminaTech, a Washington-based company, is processing personal data of its users. If LuminaTech engages in practices that constitute a “sale” under the WPA, and a user, Anya Sharma, submits a verifiable request to opt out of such sales, LuminaTech must cease selling Anya’s personal data. The act of ceasing the sale, upon receiving a valid opt-out request, is the direct consequence of Anya exercising her statutory right. Therefore, LuminaTech’s obligation is to stop the sale of Anya Sharma’s personal data.