First Lawsuit Filed Under Washington’s My Health My Data Act

4 minute read | February.24.2025

On February 10, 2025, a Washington state resident filed a lawsuit on behalf of herself and similarly situated individuals against Amazon under the Washington My Health My Data Act (MHMD). This is the first lawsuit brought under MHMD’s private right of action.

Because MHMD regulates non-HIPAA consumer health data, broadly defined, and allows any Washington resident (and others whose consumer health data is collected in Washington) to enforce alleged violations, businesses should take notice of this development and re-assess if they may have exposure under it or need to improve their MHMD compliance program.

What MHMD Regulates

MHMD regulates entities that (1) conduct business in Washington or produce or provide products and services targeted to “consumers” in Washington, and (2) determine the purpose and means of the collection of consumer health data. “Consumers” includes Washington residents as well as any individuals whose consumer health data is collected in Washington.

Moreover, the definition of “consumer health data” is far-reaching. It includes not only what would traditionally be considered health information, such as individually identifiable information regarding an individual’s physical and mental health and condition, but also biometric data and precise location information that could indicate a consumer’s attempt to acquire or receive health services or supplies.

What the Plaintiff Alleges

The plaintiff alleges that Amazon violated MHMD by failing to (1) obtain the plaintiff’s consent prior to collecting her consumer health data, including location and biometric data, and (2) provide disclosures that must accompany a request for consent.

The complaint continues to allege that Amazon used its software development kit (its “SDK”) embedded in thousands of apps across the Google Play Store and Apple App Store to collect the location data of millions of smartphone users. According to the complaint, the location data may provide insights into the user’s health, such as tracking visits to a cancer clinic or health behaviors, such as trips to the gym. The complaint further alleges that, while the user may agree to share their location data with the app, they have no idea that Amazon, through its SDK, is also obtaining that data and monetizing it.

The plaintiff argues that her data has tangible value and so these actions caused her harm in the form of lost money or property. Notably, the same federal district court in which this complaint was filed has accepted a similar theory of harm in another recent case. Castillo v. Costco Wholesale Corp (W.D. Wash. Nov. 14, 2024).

What it Means

MHMD provides a private right of action through the Washington Consumer Protection Act (the “CPA”). Under the CPA, a plaintiff must prove that the defendant’s action:

Results in an unfair or deceptive act or practice,
Occurring in trade or commerce,
Impacting the public interest,
Injuring the plaintiff in their business or property, and
There is a causal link between the defendant’s unfair or deceptive act or practice and the injury suffered.

If there is a violation of MHMD, the first three elements of a CPA claim are presumed to be met. As such, a plaintiff needs to prove only injury and the causal link.

If the court allows this lawsuit to proceed, particularly in terms of injury, it may open the floodgates to substantial class action litigation arising under MHMD.

What to Do

If you haven’t considered your company’s MHMD compliance obligations or are revisiting them, we recommend you prioritize these four action items:

Determine whether your company’s activities fall under the broad scope of MHMD. If yes, determine if any exemptions apply.
Draft necessary consents. These consents cannot be buried in other documents, such as Privacy Notices and Terms of Use. MHMD has specific content and form requirements. For example, you may need to modify your “cookie banners” to meet MHMD’s consent requirements when using marketing or analytics pixels or other tracking technologies in the context of consumer health data.
Post a consumer health data privacy policy on your company’s website. Meet MHMD’s content and posting requirements.
Review your company’s collection of consumer health data, including via its website. Determine if third parties collect consumer health information for analytics, marketing, or other reasons. If yes, your company will likely need to execute data processing agreements with those third parties and obtain consumer consent.

We are committed to helping our clients determine their obligations, defend their practices, and update their compliance programs to address consumer health data laws. If you face an enforcement action or lawsuit under these laws—or if you would like advice on how to avoid them—please contact one of the authors (Thora Johnson, Aravind Swaminathan, Sundeep Kapur, Emily Tabatabai, Peter Graham) or another member of the Orrick team.

Authors

Thora Johnson Partner, Life Sciences & HealthTech, Cyber, Privacy & Data Innovation

Washington, D.C.

See my bio

Practice:

Technology & Innovation Sector
Life Sciences & HealthTech
Cyber, Privacy & Data Innovation
Strategic Advisory & Government Enforcement (SAGE)

vCard

See full bio

Thora Johnson Partner

Washington, D.C.

Thora works with medical device, pharmaceutical, biotech and digital health companies, helping them navigate the increasingly complex patchwork of state and federal health privacy laws. One client described her to the Legal 500 as a “very practical” advisor providing “exceptional guidance” on health information privacy and HIPAA compliance matters.

Her breadth and depth of experience enable Thora to assist clients in harnessing the power of artificial intelligence and executing data-sharing arrangements, all while protecting health data. As a result, Thora spends much of her time counseling pioneering startups and high-growth companies on responsible innovation in healthcare and life sciences.

Thora brings extensive experience counseling clients, including Fortune 500 companies and brick and mortar providers, on the Health Insurance Portability and Accountability Act (HIPAA) and other state and federal health privacy and regulatory compliance regimes including:

Office of the National Coordinator for Health Information Technology’s interoperability and information blocking regulations
Centers for Medicare & Medicaid Service’s (CMS’s) interoperability and patient access regulations
Part 2 confidentiality requirements applicable to substance abuse records
State health information privacy laws
State consumer privacy laws with special controls for health data
Medicare/Medicaid compliance
Mental Health Parity and Addiction Equity Act (MHPAEA)
Genetic Information Nondiscrimination Act (GINA)
Affordable Care Act (ACA) compliance
Regulatory requirements of the Employer Retirement Income Security Act (ERISA), the Internal Revenue Code, HIPAA, and the ACA as they apply to employer health and wellness plans

Thora routinely helps companies and large employers prepare for and respond to privacy and security incidents involving health information. She also defends clients in government investigations initiated by the OCR, OIG, DOJ, FTC and State AGs, among others.

Sundeep Kapur Partner

Washington, D.C.

See my bio

D:+1 202 339 8402
E: skapur@orrick.com

Practice:

Technology & Innovation Sector

vCard

See full bio

Sundeep Kapur Partner

Washington, D.C.

Sundeep is also a leading advisor in the rapidly evolving advertising ecosystem and possesses an in-depth technical and legal understanding of adtech across all channels (e.g., connected TV, linear TV, over-the-top media, desktop, mobile web, mobile app). He participates in adtech working groups and is a key contributor to the development of industry-wide privacy compliance solutions. He advises on compliance with self-regulatory regimes developed by the Network Advertising Initiative (NAI), the Interactive Advertising Bureau (IAB), and the Digital Advertising Alliance (DAA). The IAB named him Outstanding Contributor to Legal Affairs in 2024 for his significant impact on the adtech ecosystem through his work on such industry-wide initiatives.

Sundeep is accredited by the International Association of Privacy Professionals (IAPP) as a Certified Information Privacy Professional in the United States (CIPP/US). He is also a member of Law360's 2025 Cybersecurity & Privacy Editorial Advisory Board.

Emily S. Tabatabai Partner, Cyber, Privacy & Data Innovation, Technology Companies Group

Washington, D.C.; Houston

See my bio

D:+1 202 339 8698
E: etabatabai@orrick.com

Practice:

Technology & Innovation Sector
Cyber, Privacy & Data Innovation
Technology Companies Group
Internet of Things
Strategic Advisory & Government Enforcement (SAGE)

vCard

See full bio

Emily S. Tabatabai Partner

Washington, D.C.; Houston

Emily provides strategic counseling and advice on privacy, consumer protection and online safety matters to clients across industries, including retail, ecommerce, mobile apps, gaming, social media, advertising technology (adtech), financial services, education, business services and technology. She also represents clients subject to regulatory investigations, including before the FTC and States Attorneys General, Congressional committees and other regulatory agencies and groups.

Emily provides proactive compliance guidance, and regulatory investigation defense, on a variety of privacy and consumer protection laws, including:

U.S. state privacy laws in California, Colorado, Connecticut, Utah, Virginia and other states
Children’s Online Privacy Protection Act (COPPA)
Online safety laws for kids and teens, including California Age-Appropriate Design Code Act (AADC), Utah Social Media Regulation Act and others
Section 5 of the Federal Trade Commission Act (FTC Act) and state unfair and deceptive acts and practices (UDAP) laws
Family Educational Rights and Privacy Act (FERPA)
California’s Student Online Personal Information Protection Act (SOPIPA), New York’s Education Law 2-d and other state student data privacy laws
Illinois’ Biometric Information Privacy Act (BIPA) and other biometric privacy laws
Washington My Health My Data Act and other state health privacy laws
Fair Credit Reporting Act (FCRA)
Gramm-Leach-Bliley Act (GLBA)
Telephone Consumer Protection Act (TCPA)
Telemarketing Sales Rule (TSR)
Restore Online Shoppers’ Confidence Act (ROSCA)

Emily is a frequent speaker on data privacy matters, with a particular focus on children’s privacy (COPPA), student data privacy and EdTech and online safety laws for kids and teens. She has been featured as an “Up and Coming” Privacy & Data Security attorney by Chambers USA and Chambers Global. Clients tell Chambers, “She’s been an excellent partner. She has a very good understanding of the practical realities of implementing privacy policies for large companies.” Citing her expertise in the field of educational privacy, student data and EdTech matters, Chambers reports that clients regard her as “very knowledgeable and truly an expert in this space,” with some saying, “On the student data side, she is unmatched,” and The Legal 500 notes that Emily “is the first port of call for child- and student-directed service providers for compliance advice with COPPA, SOPIPA and CalOPPA regulations.”

Emily also has an active consumer protection practice, focused on marketing and promotional issues. She counsels clients on advertisements and endorsements, retail sales and e-commerce, advertising substantiation, SMS and telemarketing, social media and online advertising.

Aravind Swaminathan Partner, Cyber, Privacy & Data Innovation, Class Action Defense

Seattle; Boston

See my bio

Practice:

Finance Sector
Technology & Innovation Sector
Cyber, Privacy & Data Innovation
Class Action Defense
White Collar, Investigations, Securities Litigation & Compliance
Government Investigations and Enforcement Actions
Trials
Strategic Advisory & Government Enforcement (SAGE)

vCard

See full bio

Aravind Swaminathan Partner

Seattle; Boston

A leading cybersecurity and online safety authority, Aravind is recognized by Chambers USA in Privacy and Data Security in both Litigation and Incident Response. Clients describe him as “a very talented lawyer experienced with incident responses” and “incredibly responsive and technically savvy.”

Aravind’s deep knowledge of his clients’ business objectives and technological capabilities distinguishes him as a strategic advisor and frontline crisis responder. He advises some of the world’s leading online platforms, public and private financial institutions, tech companies, higher education institutions, and critical infrastructure providers on cybersecurity, and their obligations to monitor and remove harmful or illegal content online and root out instances of child exploitation.

He is adept at guiding companies through cybersecurity incidents, having directed more than 500 data breach investigations, including enterprise-wide network intrusions to cyberattacks with national security implications. Aravind defends clients in an array of cybersecurity and privacy class actions and regulatory enforcement actions brought by the SEC, FTC, NY DFS and State AGs, and also represents individual C-level executives in criminal and civil regulatory enforcement matters.

As a former assistant United States attorney, he investigated and prosecuted a broad array of cybercrime, child exploitation cases, digital crimes, and white-collar crime cases. This first-hand knowledge of federal agencies allows him to navigate the system, partner with investigators and find creative solutions for clients.

Aravind is a member of Orrick’s Board of Directors, and he devotes much of his free time to advising independent schools on AI, online safety, and cybersecurity, and teaching and coaching.

Peter Graham Associate, Technology & Innovation, Cyber, Privacy & Data Innovation

Boston

See my bio

D:+1 617 880 1802
E: pgraham@orrick.com

Practice:

Technology & Innovation
Cyber, Privacy & Data Innovation
Strategic Advisory & Government Enforcement (SAGE)

vCard

See full bio

Peter Graham Associate

Boston

Peter counsels clients on the implementation of global privacy programs and advises on the U.S. state privacy laws in California, Colorado, Connecticut, Utah, Virginia and other states, and the General Data Protection Regulation (GDPR).

Peter is designated by the International Association of Privacy Professionals (IAPP) as a Certified Information Privacy Professional - United States (CIPP/US).

Related Areas

Markets

Seattle