Washington’s My Health My Data law (“MHMD”) is finally facing a test. This week, Amazon has been accused of violating a myriad of different laws, including MHMD, through the use of its software development kits (“SDKs”).   

History of MHMD

MHMD became effective on March 31, 2024 and regulates the collection and processing of “consumer health data” which encompasses a broad range of data including biometric data, precise location information, health care services, and information processed to associate or identify a consumer with consumer health data that is derived or extrapolated from non-health information.  

The law requires that businesses maintain a consumer health data privacy policy, acquire consent to collect or share consumer health data, obtain valid authorization to sell consumer health data, and grant consumer rights to their data. Notably, MHMD is one of the only consumer privacy laws in the country that includes a private right of action. 

Amazon Lawsuit

Among the many causes of action (seven in total), the class action plaintiffs allege violations of MHMD due to Amazon’s collection of health data, “including biometric data and precise location information that could reasonably indicate a consumer’s attempt to acquire or receive health services or supplies.” 

The complaint states that the named plaintiff uses popular apps on her phone that have embedded the Amazon Ads SDK. This SDK is then alleged to collect “personal data, including location data, without knowledge or consent” as required under MHMD which is then sold by Amazon. Per the complaint, mobile users of apps do not receive notice that the Amazon Ads SDK “is running in the background and thereby receiving equal access to the user’s location data” and users are not given the opportunity to deny access to Amazon’s SDK.  

It is unclear how the allegations necessarily implicate MHMD. Though MHMD defines consumer health information broadly, it is not clear that the categories of data that may have been collected by the SDK match the definition. For example, the complaint does not allege that Amazon actually connected location information to an individual or that Amazon identified sensitive locations such as medical facilities. The complaint only alleges that location data may provide insight into intimate aspects of an individual’s health but does not support its statement that “Amazon collected Plaintiff’s consumer health data, including biometric data and precise location information that could reasonably indicate a consumer’s attempt to acquire or receive health services or supplies.” 

With penalties of up to $7,500 per violation, a class action lawsuit under MHMD could have significant consequences for Amazon. However, a motion to dismiss is likely forthcoming. We will continue to monitor this case, and post updates as we learn more.