Washington’s My Health My Data Act (MHMDA), enacted in 2023, has finally led to its first lawsuit nearly two years after its passage. The legislation, designed to strengthen consumer privacy in the health sector, has long been expected to trigger legal actions against tech companies collecting and sharing health-related data. This expectation has materialized with a recent lawsuit against Amazon, alleging that the company improperly gathered sensitive user information through its software development kit (SDK).
A group lawsuit was filed against Amazon under Washington State’s MHMDA on February 10, 2025, making it the first case of its kind under the act. The case could set a legal precedent for data privacy enforcement in the U.S., particularly concerning how companies handle consumer health data. If successful, it may encourage further lawsuits, forcing businesses to rethink their data collection practices and comply with the strict consent requirements outlined in MHMDA.
Key Takeaways
Washington’s My Health My Data Act is facing its first significant legal challenge, with a lawsuit accusing Amazon of collecting health-related data without proper consent.
- Amazon is facing a lawsuit under Washington’s MHMDA for allegedly collecting user data through its SDK without explicit consent.
- This case might set a precedent for tougher enforcement of consumer privacy rules in the tech sector, especially concerning health data.
- Companies should review their data collection practices and implement stronger consent procedures to meet evolving regulatory standards.
A closer look at the My Health My Data Act
Washington’s MHMDA is one of the most comprehensive health privacy laws in the United States, providing stronger consumer protections than federal regulations like HIPAA. Unlike HIPAA, which primarily applies to healthcare providers and insurers, MHMDA extends its reach to a wide range of businesses that handle consumer health data, including tech companies, app developers, and digital platforms.
The law defines consumer health data broadly, covering information related to physical and mental health conditions, biometric identifiers such as fingerprints or facial recognition data, precise geolocation data that could indicate visits to medical facilities, and any other information that can be linked to health-related services.
Regulatory compliance and policy in health tech
To comply with the law, companies must first obtain explicit, opt-in consent before collecting or sharing consumer health data. This ensures that users have full control over their personal information and are aware of how it will be used. Additionally, businesses are required to clearly disclose the types of data they collect and how it will be utilized, promoting transparency in data handling.
Consumers must also have the ability to withdraw consent at any time, giving them the flexibility to revoke permissions if they no longer wish to share their information. Lastly, companies must implement strict security measures to protect sensitive health data from unauthorized access or breaches, ensuring that consumer information remains safe and confidential.
One of MHMDA’s most significant aspects is the private right of action, which allows individual consumers to file lawsuits if they believe their rights under the act have been violated. This sets MHMDA apart from many other state privacy laws, which often rely on government agencies for enforcement rather than lawsuits from private individuals.
Lawsuit against Amazon: Allegations and key issues
The first lawsuit under MHMDA was filed by a Washington resident in federal court, alleging that Amazon violated the law by collecting and sharing health-related data without proper consent. The lawsuit focuses on Amazon’s SDK, a software tool used in third-party mobile applications. According to the complaint, this SDK runs in the background of apps and secretly gathers user data, which is then allegedly used for Amazon’s own purposes.
Specific allegations in the lawsuit
The plaintiff and other members of the group lawsuit accuse Amazon of improperly collecting biometric data and precise location information without obtaining informed consent from users.
They also claim that Amazon failed to provide clear disclosures about its data collection practices, leaving users unaware of what information was being gathered and how it was being used. Additionally, the lawsuit alleges that Amazon did not inform users of their right to withdraw consent for future data collection, preventing them from exercising control over their personal information.
The lawsuit does not present concrete evidence that the collected data was directly used for health-related purposes. However, it argues that precise location data is inherently sensitive because it can reveal information about a person’s medical history, such as visits to abortion clinics, mental health facilities, or other healthcare providers.
This argument aligns with the stance of the Federal Trade Commission (FTC), the Office for Civil Rights (OCR), and some state attorneys general, who have previously warned about the risks of combining geolocation data with other health indicators. These concerns have gained more attention following the Supreme Court’s Dobbs decision, which overturned Roe v. Wade and raised fears about digital surveillance of reproductive healthcare choices.
Impact on Amazon and others
Amazon is expected to file a motion to dismiss the lawsuit, arguing that the data collected does not qualify as consumer health data under MHMDA. If the court agrees, the case could be dismissed, limiting the scope of the law’s enforcement. However, if the lawsuit proceeds beyond the dismissal stage, it could encourage more legal challenges against companies that collect geolocation and biometric data.
The broader impact on data privacy regulations
If the lawsuit against Amazon succeeds, it could shape how MHMDA is applied, lead to greater scrutiny of companies handling geolocation and biometric data, and prompt more consumer lawsuits over similar privacy concerns.
This case may also push lawmakers in other states to consider stronger consumer privacy laws, particularly those targeting tech companies handling health-related data.
Preparing for enforcement
With the first MHMDA lawsuit now in motion, companies that collect, store, or process consumer health data need to reevaluate their compliance strategies. Even businesses that do not consider themselves part of the health sector may be unexpectedly affected by the law’s broad definitions. To mitigate potential legal challenges, companies should observe the following.
- Review data collection and sharing practices: Determine whether your company collects biometric data, precise location data, or any other information that could be linked to consumer health. Audit third-party tools and SDKs used in mobile applications to ensure they do not automatically collect sensitive data.
- Strengthen consumer consent mechanisms: Implement clear opt-in consent processes before collecting or sharing health-related data, provide detailed disclosures on what data is collected, how it is used, and with whom it is shared, and ensure users can easily withdraw consent at any time.
- Monitor evolving legal and regulatory trends: Stay informed about ongoing MHMDA-related lawsuits and how courts interpret the law, and track potential new state laws that could impose similar or even stricter requirements.
The future of digital health data privacy
The lawsuit against Amazon may be just the beginning of a larger wave of legal challenges under MHMDA. If courts uphold the claims against Amazon’s data collection practices, other companies may face lawsuits or regulatory actions for similar privacy violations.
The outcome of this case will shape how tech companies approach health-related data collection and whether they need to implement stricter privacy safeguards. It will also influence how other states craft their own data privacy laws, potentially leading to a patchwork of state regulations that businesses must navigate.
For consumers, MHMDA represents a significant step toward stronger digital privacy protections. However, its effectiveness will ultimately depend on how courts interpret and enforce its provisions. As digital privacy concerns continue to grow, companies should proactively align their practices with evolving regulations to avoid legal risks and maintain consumer trust.
Washington’s MHMDA was designed to close loopholes in health data privacy and hold businesses accountable for how they collect and share consumer health information. The first lawsuit under MHMDA against Amazon could set a precedent that shapes future regulations and policies in the health technology sector.
Regardless of the lawsuit’s outcome, businesses should treat this as a warning sign and take immediate steps to review their data collection policies.