(1) Except as provided in subsection (6) of this section, beginning March 31, 2024, it is unlawful for any person to sell or offer to sell consumer health data concerning a consumer without first obtaining valid authorization from the consumer. The sale of consumer health data must be consistent with the valid authorization signed by the consumer. This authorization must be separate and distinct from the consent obtained to collect or share consumer health data, as required under RCW
19.373.030.
(2) A valid authorization to sell consumer health data is a document consistent with this section and must be written in plain language. The valid authorization to sell consumer health data must contain the following:
(a) The specific consumer health data concerning the consumer that the person intends to sell;
(b) The name and contact information of the person collecting and selling the consumer health data;
(c) The name and contact information of the person purchasing the consumer health data from the seller identified in (b) of this subsection;
(d) A description of the purpose for the sale, including how the consumer health data will be gathered and how it will be used by the purchaser identified in (c) of this subsection when sold;
(e) A statement that the provision of goods or services may not be conditioned on the consumer signing the valid authorization;
(f) A statement that the consumer has a right to revoke the valid authorization at any time and a description on how to submit a revocation of the valid authorization;
(g) A statement that the consumer health data sold pursuant to the valid authorization may be subject to redisclosure by the purchaser and may no longer be protected by this section;
(h) An expiration date for the valid authorization that expires one year from when the consumer signs the valid authorization; and
(i) The signature of the consumer and date.
(3) An authorization is not valid if the document has any of the following defects:
(a) The expiration date has passed;
(b) The authorization does not contain all the information required under this section;
(c) The authorization has been revoked by the consumer;
(d) The authorization has been combined with other documents to create a compound authorization; or
(e) The provision of goods or services is conditioned on the consumer signing the authorization.
(4) A copy of the signed valid authorization must be provided to the consumer.
(5) The seller and purchaser of consumer health data must retain a copy of all valid authorizations for sale of consumer health data for six years from the date of its signature or the date when it was last in effect, whichever is later.
(6) A small business must comply with this section beginning June 30, 2024.