Takeaways from First Washington My Health My Data Act Complaint
It took some time, but we officially have the first complaint filed alleging violations of the Washington My Health, My Data Act (“MHMDA”). The complaint, filed February 10 in the U.S. District Court Western District of Washington, alleges violations of MHMDA along with six additional claims, including alleged violations of federal wiretap laws. While this is the first MHMDA complaint since the law went into effect in March 2024, allegations of federal wiretap violations have quickly become one of the hottest data privacy legal issues for businesses today.
The complaint alleges Amazon tracked users’ mobile location data without consent and used such data for its own targeted advertising and other means of enriching its business (e.g., selling data to third parties) via its Amazon Ads software development kits (“SDKs”) licensed to a variety of mobile apps. SDKs are a set of software tools that developers use in creating apps than run on a specific platform or operating system.
The complaint notes that the data at issue included “biometric data and precise location data that could reasonably indicate a consumer’s attempt to acquire or receive health services or supplies”, putting the data squarely into the definition of “consumer health data” regulated under MHMDA.
MHMDA has extensive requirements for consumers to provide opt-in consent for collection, use, disclosure, and other processing of consumer health data beyond processing necessary to provide a product or service requested by a consumer. The complaint does not address whether the alleged SDK data collection would fit under this MHMDA “necessity” exception, but the implication seems to be that no, the data collection was not necessary to provide the apps.
It is not clear whether the plaintiffs’ claims allege sufficient allegations of harm or injury to survive a (likely forthcoming) motion to dismiss, as MHMDA is yet untested litigation ground. The plaintiffs’ ability to survive a motion to dismiss may be the first step in opening the flood gates to MHMDA litigation. Some privacy experts have been surprised at the lack of MHMDA complaints to date given the broad applicability of the law (in terms of regulated entities and breadth of data), but to succeed, plaintiffs’ need to rely on the Washington Consumer Protection Act (“CPA”). For more on what constitutes an “injury” under the CPA, check out our My Health My Data Act Summer Series.
The complaint does not include significant analysis of MHMDA claims, but it does seem to rely on the increasingly prevalent argument that location data is sufficiently sensitive in revealing a consumer’s presence at a specific, sensitive location.
Successful plaintiffs under the CPA may recover actual damages, treble damages up to $25,000, attorneys’ fees, and injunctive relief. The proposed class is seeking a permanent injunction to prohibit Amazon from continuing to collect data from its SDKs without consent, damages, and disgorgement of profits related to the alleged unlawful behavior.
We will continue to track this case and any additional complaints alleging violations of MHMDA. If you have questions about the applicability of MHMDA to your business or the increase in federal wiretap lawsuits, please contact any member of the Quarles & Brady Data Privacy & Security Team or:
- Meghan O’Connor: (414) 277-5423 / meghan.oconnor@quarles.com
- Simone Colgan Dunlap: (602) 229-5510 / simone.colgandunlap@quarles.com