Washington My Health Data Act FAQ's: processing biometric data

What are the unique features concerning the processing of biometric data under the MHMDA?

The MHMDA defines “biometric data” very broadly.[1] Specifically, biometric data is “data that is generated from the measurement or technological processing of an individual’s physiological, biological, or behavioral characteristics and that identifies a consumer, whether individually or in combination with other data.”[2]

The definition includes by way of example a number of identifiers that are typically associated with biometric data in other, more well-known, statutes like Illinois’ BIPA—identifiers like the imagery of an iris, a retina, a fingerprint, and other traditional biometric PII. But that is not all that counts as biometric data under MHMDA. Specifically, section 3(4)(b) states that biometric data also “includes, but is not limited to . . . [k]eystroke patterns or rhythms and gait patterns or rhythms that constitute identifying information.”[3] This is a noteworthy expansion for a few reasons:

• Neither gait—that is, the distinct manner in which someone walks or moves[4]—nor keystroke patterns are typically found in other definitions of biometric data.[5] Many other statutes, including BIPA, contain broad catch-all language, but the inclusion of gait is a relative rarity.[6] Gait can, in fact, be used to identify an individual. For example, the Associated Press reported that Chinese authorities utilized such a tool in 2018.
• It is important to remember, however, that the data must also qualify as “consumer health data” to be regulated under MHMDA.[7] MHMDA is not a broad “omnibus” data privacy law. It is targeted at a specific type of PII—namely, consumer health data. But here, the MHMDA appears to be making a categorical assertion that all biometric data, including gait data, is health data.[8] The statute provides that, “for the purposes of the [definition of consumer health data], physical or mental health status, includes but is not limited to: (ix) [b]iometric data.”[9] Whether this expansive reading survives scrutiny in practice remains to be seen.
• Indeed, such an expansive reading may be especially problematic as it pertains to keystroke pattern logging. It is unclear how device fingerprinting or keystroke pattern logging which identifies an individual could plausibly be considered data that “identifies the consumer’s past, present, or future physical or mental health status.”[10] Yet because keystroke patterns are within the definition of “biometric data” and “biometric data” is categorically included in the examples provided of “physical or mental health status,” there is potentially an argument that all keystroke pattern logging data sufficient to identify a Washington consumer is “consumer health data” regulated by the Act.

Whether these expansive applications are ultimately adopted by regulators and courts remains to be seen. At this juncture, we can only note that the definition of biometric data under the MHMDA is quite a bit broader than that found in other laws.