(1)(a) Except as provided in subsection (2) of this section, beginning March 31, 2024, a regulated entity and a small business shall maintain a consumer health data privacy policy that clearly and conspicuously discloses:
(i) The categories of consumer health data collected and the purpose for which the data is collected, including how the data will be used;
(ii) The categories of sources from which the consumer health data is collected;
(iii) The categories of consumer health data that is shared;
(iv) A list of the categories of third parties and specific affiliates with whom the regulated entity or the small business shares the consumer health data; and
(v) How a consumer can exercise the rights provided in RCW 19.373.040.
(b) A regulated entity and a small business shall prominently publish a link to its consumer health data privacy policy on its homepage.
(c) A regulated entity or a small business may not collect, use, or share additional categories of consumer health data not disclosed in the consumer health data privacy policy without first disclosing the additional categories and obtaining the consumer's affirmative consent prior to the collection, use, or sharing of such consumer health data.
(d) A regulated entity or a small business may not collect, use, or share consumer health data for additional purposes not disclosed in the consumer health data privacy policy without first disclosing the additional purposes and obtaining the consumer's affirmative consent prior to the collection, use, or sharing of such consumer health data.
(e) It is a violation of this chapter for a regulated entity or a small business to contract with a processor to process consumer health data in a manner that is inconsistent with the regulated entity's or the small business's consumer health data privacy policy.
(2) A small business must comply with this section beginning June 30, 2024.