- Businesses located outside of the state of Washington that only store data in Washington are not regulated entities
Per Section 3(7), the act protects "consumers," which includes a natural person whose consumer health data is collected in Washington. "Collect" is defined in Section 3(5) to include the processing of consumer health data in any manner. Questions have been raised as to whether this means that a business located outside of Washington that collects consumer health data about individuals outside of Washington, but that stores such data in Washington, is a regulated entity subject to the act. The FAQs assert that an entity that only stores data in Washington is not a regulated entity.
- Regulated entities are required to publish a privacy policy on their Internet homepage
If there were any doubt, the FAQs refer to Section 4(1)(b) of the act, under which a regulated entity shall prominently publish a link to its consumer health data privacy policy on its homepage. This is similar to the California Consumer Privacy Act, under which a business is required to publish a privacy policy on its homepage.
- Inferences about a consumer's health status from purchases of products could be considered consumer health data
Consumer health data is defined as "personal information that is linked or reasonably linkable to a consumer, and that identifies the consumer's past, present, or future physical or mental health status". The definition goes on to give non-exhaustive examples of physical or mental health status. Questions have been raised as to whether inferences drawn about a consumer's health status from purchases of products could be considered consumer health data. The FAQs assert that, yes, any inferences drawn from purchases could be consumer health data. In contrast, non-health data that a regulated entity collects but does not process to identify or associate with a physical or mental health status is not consumer health data.
- Contradictory retention and deletion requirements should be solved by redaction
Under Section 9 of the act, it is unlawful for anyone to sell or offer to sell consumer health data without first obtaining valid authorization from the consumer. When a consumer grants a person valid authorization to sell their consumer health data, both the seller and the purchaser are required to retain a copy of the valid authorization for six years. Section 6 of the act empowers consumers to have their consumer health data deleted from a regulated entity's network, including archived or backup systems. This raises the question of how the retention and deletion requirements can be reconciled.
The FAQ guidance provides that if, after executing a valid authorization, a consumer exercises their Section 6 right to have their consumer health data deleted, a regulated entity may meet both its obligation to delete the consumer's health data and its obligation to retain a copy of the valid authorization by redacting the portion of the valid authorization that specifies the consumer health data for sale (for example, by applying a redaction that states: "REDACTED pursuant to consumer deletion request on [insert date]").