After Washington adopted the My Health My Data Act (MHMDA) almost two years ago, we and others predicted that the law would lead to a wave of private lawsuits against companies operating in or adjacent to the health space.
That prediction wasn’t crazy. Various aspects of MHMDA, which we explored shortly after it was passed by the Washington legislature in April 2023, caused quite the stir: an extremely broad definition of consumer health data! Extra-territorial jurisdiction! Specific, informed, voluntary, opt-in consent! Private right of action!!!
But then, nothing happened. That is, until earlier this week, when a Washington resident filed the first lawsuit alleging violations of MHMDA. The plaintiff’s complaint, filed against Amazon in federal court in the Western District of Washington, alleges that Amazon violated a litany of Washington state and federal laws by collecting data via its software development kit (SDK). In short, the plaintiff claims that Amazon licenses its SDK to a variety of third-party mobile applications and, operating in the background of those applications, surreptitiously collects app users’ sensitive information for Amazon’s own purposes.
The MHMDA-related allegations claim that Amazon:
- Collected and shared the plaintiff’s consumer health data—specifically, her “biometric data” and her “precise location information”—without her consent; and
- Did not clearly and conspicuously disclose to her:
- The categories of consumer health data collected or shared,
- The categories of entities with whom the consumer health data is shared, or
- How she can withdraw consent from future collection.
The MHMDA allegations are sparse, and the complaint does not clearly demonstrate how the data allegedly collected by Amazon via the SDKs constitutes consumer health data under MHMDA. To that end, the plaintiff alleges that Amazon collected her “biometric data” (which is consumer health data under the law) but does not state any facts supporting that allegation. Similarly, the complaint alleges that Amazon collected “precise location information that could reasonably indicate a consumer’s attempt to acquire or receive health services or supplies” (also consumer health data under the law) but does not allege any facts that establish a link between data collected about her precise location and any attempt she made to acquire or receive health services or supplies, or any other aspect of her health.
Instead, the plaintiff hangs her hat on the broad argument that “precise location information” is inherently sensitive because it could reveal health information. That argument has been advanced in one form or another by the FTC, OCR, and at least one State Attorney General, all of whom have taken the position that the combination of precise location data and user-generated health data (e.g., location + presence at an abortion clinic) is sensitive data falling under those agencies’ regulatory purview. This trend has been particularly apt following the Supreme Court’s decision in Dobbs.
It remains to be seen whether the MHMDA claim will survive Amazon’s inevitable motion to dismiss. But we expect the suit may encourage other potential MHMDA plaintiffs to shoot their shot. And if the MHMDA claim against Amazon does survive past the motion to dismiss stage, it could open the floodgates and lead to similar claims against other companies that collect and use precise geolocation or health-related data.
As a result, now would be a great time to reevaluate your company’s plan to comply with MHMDA, especially taking into account the lawsuit’s emphasis on location data. If you collect users’ precise location data (even if they give you permission to track their location), a prospective plaintiff (or court) could construe that data as consumer health data—collection of which requires prior specific, opt-in consent from the user (unless an exception applies).
We will be keeping a close eye on this case as it progresses.
