Proposed Washington law puts period-tracking apps on notice • The Register

A bill proposed by Washingston state lawmakers would make it illegal for period-tracking apps, Google or any other website to sell consumers' health data while also making it

harder for them to collect and share this personal information. Washington Representative Vandana Slatter, a Democrat, introduced House Bill 1155 [PDF], the My Health, My Data Act,

in response to the US Supreme Court ruling last year to overturn Roe v. Wade, which removed constitutional rights to abortion. Since then, a dozen states have banned the

procedure. "It's long overdue that we have increased data protections for our most sensitive health data, and it's taken on an increased urgency in a post-Dobbs world," Slatter

told The Register. "This information, if it's bought or sold, can do real harm." "Many people think their health data is protected under HIPAA," Slatter continued, referring to

America's Health Insurance Portability and Accountability Act. But HIPAA's privacy protections do not extend to information collected by medical apps, tech giants or even so-called

pregnancy crisis centers set up by anti-abortion groups. This data can be shared or sold, and post-Roe it can be used to prosecute women seeking abortions or doctors providing the

procedure or to discriminate against people looking for information about gender-affirming healthcare. "Think about period-tracking apps that can sell information about a woman's

missed or late period," Slatter said. "Or a pregnancy crisis center that someone visits and then learns they can't receive an abortion, but their information can be sold to

anti-abortion groups. Or digital advertising firms that set up geofencing around healthcare facilities. This bill is about closing the gap on health data privacy protections from

the technological side of it." In addition to blocking websites and apps from collecting and sharing private health information without written permission, the bill would also ban

the use of geofences – using a mobile device's location to send unsolicited messages and ads to people at health facilities. Plus, it would require companies that collect

personal health data to create, maintain and publish a privacy policy. The proposal also gives Washington consumers greater transparency into who and what is collecting their

health data. It makes opting into data collection more intentional on the consumer's part – and more difficult for the website – by requiring "voluntary, specific, and

unambiguous written consent." A consumer can't give consent by simply agreeing to broad terms of use or by a website using deceptive designs, according to the draft bill.