Keypoint: Claims brought under the Washington My Health My Data Act’s private right of action will turn on whether a plaintiff can prove actual damages that were caused by a violation effecting the plaintiff’s business or property.
Signed into law by Governor Jay Inslee on April 27, 2023, the Washington My Health My Data Act (MHMD) is a first-in-the-nation consumer health data privacy act with a private right of action.
We have been tracking the MHMD since it was first introduced in early January, provided a detailed analysis of the bill after it first passed the House in mid-March, and recently discussed its definition of “consumer health data” and private right of action. As we previously promised, in this post we take a deeper look at the private right of action with a particular focus on how Washington courts have handled CPA claims based on other conduct. We also provide two takeaways to help businesses better understand and evaluate their risk.
Section 11 of the MHMD includes a private right of action that may be brought under the Washington Consumer Protection Act, RCW §§ 19.86.020 & 19.86.090 (the “CPA”).
To prevail on a CPA action (and thus an action under the MHMD), a plaintiff must establish five elements:
- an unfair or deceptive act or practice;
- occurring in trade or commerce;
- impacting the public interest;
- injuring a plaintiff in his or her business or property; and
- a causal link between the unfair or deceptive act complained of and the injury suffered.
See, e.g., Hangman Ridge Training Stables, Inc. v. Safeco Title Ins. Co., 105 Wash. 2d 778, 784, (1986). The plaintiff does not have to be in a consumer or other business relationship with the defendant. Panag v. Farmers Ins. Co. of Wash., 204 P.3d 885, 892 (Wash. 2009). The CPA includes a four-year statute of limitations that begins after the cause of action accrues. RCW § 19.86.120. As with all civil claims in Washington, a defendant must set out certain affirmative defenses in any answer, including assumption of the risk, contributory negligence, fault of a non-party, laches, statute of limitations, and waiver. Wash. Super. Ct. Civ. R. 8(c).
First Takeaway: The first three elements of a CPA claim are inherently proven through Section 11 of the MHMD.
The MHMD effectively establishes the first three CPA elements per se. Section 11 of the law states that a “violation of this chapter . . . is an unfair or deceptive act in trade or commerce and an unfair method of competition for the purpose of applying the consumer protection act,” thus satisfying the first two elements of a CPA claim. Section 11 also expressly establishes that a MHMD violation impacts the public interest by stating that the “legislature finds that the practices covered by this chapter are matters vitally affecting the public interest for the purpose of applying the consumer protection act.”
Moreover, the CPA itself provides that the public interest element of a CPA claim is satisfied when an alleged unfair or deceptive act or practice: (1) Violates a statute that incorporates the CPA; (2) Violates a statute that contains a specific legislative declaration of public interest impact; or (3)(a) Injured other persons or (3)(b) had or has the capacity to injure other persons. RCW § 19.86.093. Here, a MHMD violation arguably meets all three enumerated methods for establishing public interest.
A successful private action under the MHMD will therefore need to prove only the last two elements of a CPA claim: injury to the plaintiff’s business or property and, if that is present, whether such injury was caused by the MHMD violation.
Second Takeaway: MHMD plaintiffs must prove an “injury” to their business or property that is caused by the defendant’s MHMD violation, but monetary injuries are not required.
Unlike other statutes favored by privacy plaintiffs—such as the California Invasion of Privacy Act and the Illinois Biometric Information Privacy Act—the MHMD and CPA do not provide for statutory damages. Instead, the CPA allows a plaintiff who has been “injured in his or her business or property by a violation” to recover actual damages, costs of suit, reasonable attorney’s fees, and treble damages not to exceed $25,000. RCW § 19.86.090; Dees v. Allstate Ins. Co., 933 F.Supp.2d 1299, 1310 (W.D. Wash. 2013). “Costs of the suit” includes filing fees, service of process fees, notary fees (to the extent notarization is required by law and the fees were paid), and statutory witness fees, among other expenses deemed necessary and reasonable to the action. Litigants also can seek injunctive relief. RCW § 19.86.090; see also Zango, Inc. v. PC Tools Pty Ltd., 494 F.Supp.2d 1189, 1196 (W.D. Wash. 2007).
As the Washington Supreme Court has explained: “Because the CPA addresses ‘injuries’ rather than ‘damages,’ quantifiable monetary loss is not required.” Frias v. Asset Foreclosure Servs., Inc., 181 Wash. 2d 412, 431 (2014). To plead and prove a CPA claim, “the injury involved need not be great, but it must be established.” Hangman Ridge, 105 Wash. 2d at 792. Although quantifiable monetary loss is not required, personal injuries such as mental distress and embarrassment do not satisfy the injury requirement. Frias, 181 Wash. at 431; Dees, 933 F.Supp.2d at 1311 (holding that defendant’s failure to pay medical bills could not constitute an injury to plaintiff’s business or property but plaintiff could potentially claim that defendant’s failure to pay the medical bills caused her to incur a financial loss apart from the medical bills themselves such as interest on the amounts she borrowed to cover the costs).
The pattern jury instructions for proving injury in a CPA claim provide a good frame of reference for recoverable injuries:
Plaintiff has suffered an “injury” if her business or property has been injured to any degree. Under the Consumer Protection Act, Plaintiff has the burden of proving that she has been injured, but no monetary amount need be proved and proof of any injury is sufficient, even if expenses or losses caused by the violation are minimal.
Injuries to business or property do not include physical injury to a person’s body, or pain and suffering.
Injuries to business or property, if any, include: financial loss, loss of professional business reputation, loss of goodwill, difficulty in securing a loan or other credit, time away from work . . . , or inability to tend to business establishment.
A review of some CPA decisions helps further illustrate what constitutes an injury to a plaintiff’s business or property:
In Cousineau v. Microsoft Corp., 992 F.Supp.2d 1116 (W.D. Wash. 2012), the plaintiff alleged that Microsoft acted deceptively in violation of the CPA by “causing the Windows Phone 7 to transmit data after users expressly denied it approval to do so.” Id. at 1128. The plaintiff’s complaint alleged that “Microsoft intentionally designed illusory privacy controls” that resulted in “imminent threat to many users’ information.” Id. The District Court found that those allegations established the first three elements of a CPA claim, but not the fourth element – i.e., that the “phone’s dysfunction caused injury to her business or property.” Id. In doing so, the Court rejected the plaintiff’s argument that Microsoft’s conduct diminished the value of her phone and that Microsoft’s transmission of data to its servers caused a diminution in users’ data plans” absent an allegation that the plaintiff had a finite allowance of data. Id.
In Panag v. Farmers Ins. Co. of Wash., 204 P.3d 885 (Wash. 2009), the plaintiffs alleged that the defendant’s debt collection methods were an unfair and deceptive practice in violation of the CPA. Id. at 888. One of the plaintiff’s alleged injuries were “expenses incurred in investigating the true legal status of the alleged debt, including out-of-pocket expenses for driving, parking, postage, and consulting an attorney.” Id. The other plaintiff’s alleged injuries were taking “substantial time away from his business to investigate the collection notices, resulting in a loss of business profits [as well as] incidental damages, including the cost of purchasing a credit report and a credit monitoring service, parking, wear and tear on his car, and consulting with an attorney to ascertain the legal status of the alleged debt.” Id. at 889.
The Court recognized that investigation costs (separate and distinct from litigation-related costs) could be recoverable. Id. at 903. Further, with respect to the plaintiff’s alleged injury based on obtaining credit monitoring the Court stated:
[Defendant] has also submitted a number of cases in support of the proposition that the plaintiffs’ purchases of credit reports and credit monitoring services does not establish injury because such expenses constitute potential injury, not actual injury. See Kahle v. Litton Loan Servicing, LP, 486 F.Supp.2d 705, 713 (S. D. Ohio 2007); Forbes v. Wells Fargo Bank, 420 F.Supp.2d 1018 (D. Minn. 2006); Randolph v. ING Life Ins. & Annuity Co., 486 F.Supp.2d 1, 8 (D.D.C. 2007). These are “lost data” cases involving plaintiffs seeking compensation for the cost of monitoring their credit to avoid a potential harm resulting from the alleged negligent failure to secure the plaintiffs’ personal information. Unlike in the “lost data” cases, the plaintiffs here do not seek recovery of this type of expense as a prophylactic measure against some potential future harm. The expenses incurred by the plaintiffs to monitor their credit represent a completed harm.
In Brown v. Transworld Sys. Inc., 2022 WL 1750097 (W.D. Wa. Dec. 15, 2022), the defendants allegedly attempted to collect on debts despite knowing they could not prove ownership of the debt. Id. at *6. The court denied a motion to dismiss the CPA claim after finding the plaintiff sufficiently pled an “injury” by alleging the defendants “ma[de] him unable to manage his finances and causing him to incur out of pocket expenses to determine his legal rights and responsibilities which caused loss of time away from his business.” Id. at *7. The court also found the plaintiff sufficiently alleged “[b]ut for these debt collection activities, Plaintiff would not have had to invest time in reviewing and defending against Defendants’ actions, which caused loss of time away from his business.” Id. at *8.
In Hangman Ridge Training Stables, Inc. v. Safeco Title Ins. Co., 105 Wash.2d 778 (1986)—the decision that first officially recognized the fourth and fifth elements of a CPA claim—the plaintiffs alleged the defendant committed unfair or deceptive actions when it did not alert the plaintiffs to potential tax consequences related to deed preparation and closing activities. Id. at 793. The court held the plaintiffs did not show injury because they offered “no verification that the liability existed or that they ever actually paid it.” Id. at 794. The court then found the causation element was missing because there was substantial evidence that the tax liability could not have been avoided because the taxable event was a legal requirement of the lender. Id. at 795.
In Young v. Toyota Motor Sales, U.S.A., 196 Wash.2d 310 (2020), the plaintiff alleged the defendant had advertised a specific model of a pickup truck he purchased included a mirror that displayed the outside temperature (when it did not). Plaintiff claimed he relied on the advertisement to purchase the vehicle. The district court found the plaintiff’s testimony was not credible and his actions “were ‘much more consistent with someone who learned that Toyota had made a mistake and wanted to take advantage of it, than someone who relied upon that item in good faith, and then did very little until Toyota actually admitted their error.’” Id. at 321. The Washington Supreme Court also affirmed the district court’s finding that the plaintiff failed to show causation. Id. at 322.
Collectively, these decisions show courts have allowed the plaintiff to proceed with a CPA claim when the plaintiff alleged a specific harm to its business or property, regardless of whether the harm was monetary or not. These decisions also show the importance of tying the alleged harm to the defendant’s actions. Further, some of the injury concepts in the above decisions are reminiscent of injuries alleged in data breach cases such as lost time, out of pocket expenses, and obtaining credit /identity theft monitoring. See, e.g., In re Equifax, Inc., Customer Data Security Litigation, 362 F.Supp.3d 1295 (N.D. Ga. 2019) (analyzing recoverability of damages in data breach case).
The type of consumer health data at issue also will be important. As we previously have noted, MHMD defines “consumer health data” broadly such that organizations that collect information that is not traditionally considered health data may still get swept up in the bill. For purposes of proving an actual injury, however, there is a significant difference between collecting reproductive or sexual health information (which is squarely within the law’s provisions) and collecting information at the fringe of the law’s potential scope of applicability. Stated differently, the further plaintiffs stretch to apply the law to non-traditional consumer health data, the more difficult it may be for them to prove an actual injury.
It also remains to be seen whether the type of recoverable injuries will prohibit plaintiffs from pursuing class actions. While this, again, will depend on the nature of the underlying violation and alleged injury, the Supreme Court has stated that “[c]ommonality requires the plaintiff to demonstrate that the class members ‘have suffered the same injury.’” Wal-Mart Stores, Inc. v. Dukes, 564 U.S. 338, 349-50 (2011). In other words, the more specific the injury is to an individual plaintiff (and, therefore, recoverable under the CPA), the less likely it is that a class could be established. To state the obvious, the risk to a regulated entity of a MHMD action significantly turns on whether a plaintiff’s claim is brought only on her own behalf or on behalf of a class.
In the end, there are many issues with the MHMD that courts will need to decide in the coming years, including the scope of the MHMD’s defined terms, such as “consumer health data,” as well as the law’s private right of action. Entities that are subject to the MHMD will need to understand and evaluate their risk when developing compliance plans and programs.