Magist

Consumer health data consent, authorization, and privacy policy

consumer-health-data-privacy-policy | Domain: data-privacy | Type: policy

Description

The bundle of consents, authorizations, disclosures, and limits that the consumer-health-data statutes — led by Washington's My Health My Data Act — impose on any business that collects health-linked data outside the HIPAA perimeter. The defining feature of these laws is that 'consumer health data' is far broader than clinical records: it reaches precise location data that could indicate an attempt to acquire health services, and data about health status that is inferred algorithmically, which sweeps in adtech, SDK, and location-data businesses that do not think of themselves as health companies.

The control has four legs.

  • First, a separate opt-in consent to collect consumer health data beyond what is strictly necessary to provide the requested product or service.
  • Second, a separate, specific written authorization to sell consumer health data, distinct from collection consent and meeting the statute's prescribed content.
  • Third, a standalone consumer-health-data privacy policy disclosing the categories collected, the sources, the purposes, the categories shared, and the consumer's rights, kept distinct from the general privacy policy.
  • Fourth, the rights machinery — access, deletion, and withdrawal of consent — plus the geofencing prohibition around in-person health-care facilities.

The recurring mistake is bundling health-data consent into a general terms-of-service acceptance; the statute requires separate consent to collect and separate authorization to sell, each on its own.

Required by (1 regulation)

  • Washington MHMDA

    Requires separate consent to collect consumer health data beyond what is necessary, separate written authorization to sell it, a standalone consumer-health-data privacy policy, a geofencing ban within 2,000 feet of in-person health-care facilities, and access, deletion, and consent-withdrawal rights.

    Washington My Health My Data Act, Chapter 19.373 RCW (HB 1155, 2023); core obligations effective 2024-03-31

Evidence formats

  • standalone consumer-health-data privacy policy distinct from the general privacy policy
  • separate opt-in consent records for collection of consumer health data
  • separate written authorization records for any sale of consumer health data
  • deletion-request workflow and geofencing-prohibition implementation around health facilities

Magist provides legal information based on publicly available regulatory sources. It does not constitute legal advice and does not create an attorney-client relationship. Consult a licensed attorney in your jurisdiction before making compliance decisions.

Built by Neel Patel, a practicing in-house games attorney. Games touch more compliance domains at once than anything else in tech — Magist was designed around that.

Operated by a Washington-licensed attorney. Not licensed in California or other US states.

Magist is an instrument, not a consultancy. It does not sell compliance services or take payment from vendors for placement; the analysis is the same for everyone. No vendor, sponsorship, or referral fees, ever.


© 2026 Magist