Washington state privacy statement

Norton Rose Fulbright US LLP (“NRFUS”) takes data privacy seriously.

We recognize and value the trust that individuals place in us when providing us with personal data and we are committed to safeguarding the privacy and security of personal data we may collect from visitors to our websites and/or the clients to whom we provide legal and other services. In addition to our general Privacy Policy, if you are a Washington resident and the Washington My Health My Data Act applies to you, this Washington Consumer Health Data Privacy Notice will apply. In the event of any conflict with our general Privacy Policy, this Washington Consumer Health Data Privacy Notice will take precedence. In this Notice, terms in quotations, such as “collect,” are defined in the Washington My Health My Data Act, chapter 44.28 Revised Code of Washington.

“Consumer health data” we “collect”

NRFUS typically does not require that you provide “consumer health data” to us, but Washington’s law broadly defines both “consumer health data” and “collect,” so we may receive or otherwise process your “consumer health data” in connection with, for example, a company that has been the victim of a security incident and we’re assisting with a review of the data, or in connection with litigation. We could ask you directly for “consumer health data” if, for example, we are assisting you with a trust for a family member, or assisting you on a pro bono basis on an immigration claim.

Categories of “consumer health data” “collected” and the purpose for the “collection”

We may “collect” physical or mental health data of Washington residents, which may include, but is not limited to:  (i) individual health conditions, treatment, diseases, diagnosis or testing; (ii) health-related surgeries or procedures; (iii) use or purchase of prescribed medication, (iv) precise location information that could reasonably indicate a consumer's attempt to acquire or receive health services or supplies; or (v) bodily functions, vital signs, symptoms, or measurements of the information described in this subsection; for example, if a health insurer was the victim of a security incident and engaged NRFUS to review the data to determine which individuals were affected, we could receive and process your health data to help the insurer provide legally required notices to the affected individuals.

How “consumer health data” will be used

We will use this “consumer health data” to carry out our obligations arising from any contracts entered into with our clients, including as necessary or appropriate to protect the rights of our clients or others. We also use this information for our internal analysis purposes and other internal uses that are reasonably aligned with consumer expectations. We do not “sell” “consumer health data.”

Categories of sources from which “consumer health data” is “collected”

As described above, and in our general Privacy Policy, we may “collect” “consumer health data” from you, but more often will collect it from third parties such as your employer or insurer, and from publicly available sources.

Categories of “consumer health data” shared

We may share each of the categories of consumer health data described above for the purposes described above.

Third parties and affiliates with whom data is shared

As necessary for the purposes described above, we share “consumer health data” with the following categories of third parties:

  • Service providers. Vendors or agents (“processors”) working on our behalf may access consumer health data for the purposes described above. For example, we may use a hosting provider for the data we are examining in connection with a security incident.
  • Affiliates. We enable access to data across our Norton Rose Fulbright law firms, and related companies, for example, if the security incident affects individuals in multiple countries where those affiliates provide services. A full list of specific affiliates is:

Norton Rose Fulbright LLP,

Norton Rose Fulbright Australia,

Norton Rose Fulbright Canada LLP and

Norton Rose Fulbright South Africa Inc

These law firms are separate legal entities and all of them are members of Norton Rose Fulbright Verein, a Swiss verein. Norton Rose Fulbright Verein helps coordinate the activities of the members but does not itself provide legal services to clients.

  • Government agencies. We disclose data to law enforcement or other government agencies when we believe doing so is necessary to comply with applicable law or respond to valid legal process.
  • Other third parties. In certain circumstances, it may be necessary to provide data to other third parties, for example, to comply with the law or to protect our rights or those of our customers.
  • Parties to a corporate transaction. We may disclose “consumer health data” as part of a corporate transaction or proceeding such as a merger, financing, acquisition, bankruptcy, dissolution, or a transfer, divestiture, or sale of all or a portion of our business or assets.

How consumers can exercise their rights

Washington residents have certain rights:

  1. You have the right to confirm whether we are “collecting,” “sharing,” or “selling” “consumer health data” concerning you and to access such data, including a list of all third parties and affiliates with whom we have “”shared or “sold “the “consumer health data.”  We do not “sell” your “consumer health data.”
  2. You have the right to withdraw consent from our “collection” and “sharing” of “consumer health data” concerning you.
  3. You have the right to have “consumer health data” concerning you deleted.

If you have any questions about our use of your “consumer health data,” you should first contact us via the methods provided below.

If you opt to exercise your privacy rights, we are required to verify your identity in order to prevent unauthorized access of your data. This may require us to ask you certain questions to confirm your identity or require you to provide state-issued identification. Requests to exercise these rights may be granted in whole, in part, or not at all, depending on the scope and nature of the request and applicable law. Where required by applicable law, we will notify you if we reject your request and notify you of the reasons we are unable to honor your request.

To submit any of the above requests, you may click here to complete our online form or you may call toll-free 1 (877) 203‑2849. You may also submit via email at CCPAInquiry@nortonrosefulbright.com for assistance. Please note for your protection, certain requests sent to us will be subject to the a verification procedure that may require you to provide us with information about you that we have in our files. If you contact us to exercise any of these rights we will check your entitlement and respond in most cases within 45 days.

How to appeal. In the event we deny your request, you may appeal our decision by clicking here to complete our online form or you may call toll-free 1 (877) 203‑2849. You may also submit via email at ccpainquiry@nortonrosefulbright.com  for assistance. Please note for your protection, certain requests sent to us will be subject to the a verification procedure that may require you to provide us with information about you that we have in our files. You can also file a complaint with the Washington Attorney General here.

Effective Date: June 30, 2024