The first class action complaint was filed under Washington’s My Health My Data Act (“MHMDA”) on February 10, 2025, more than a year after the law’s passage. When the law passed in April 2023, MHMDA was novel for its broad regulation of consumer health data that is generated, collected, and processed outside of HIPAA. It also established a private right of action that allows individuals to file lawsuits against companies under Washington’s consumer protection statute—a notable deviation from other state privacy laws that have passed in recent years. Since the noteworthy passage of Washington’s consumer health law, three other states (Connecticut, Nevada, and most recently, New York) have passed similar laws, though none have a private right of action. (We note that as of the date of this post’s publication, New York’s Health Information Privacy Act still awaits the governor’s signature.)
Maxwell, as the representative plaintiff for the class, filed the class action against Amazon.com, Inc. and Amazon Advertising, LLC (collectively, “the Company”) in the Western District of Washington. The class action alleges that the Company’s software development kit (“SDK”) embedded in third-party mobile applications violated federal wiretap laws and state privacy laws, including the MHMDA.
In hindsight, it should be no surprise that the first class action lawsuit alleging MHMDA violations comes in a case that implicates SDKs and targeted advertising concerns more broadly. In recent years, plaintiffs’ lawyers have actively brought lawsuits against companies using various categories of information (including location data) for targeted advertising purposes and have relied on creative theories of liability, including some of the theories raised in this lawsuit. Companies should pay close attention to their use of SDKs and advertising trackers in light of this litigation trend, especially if their practices potentially implicate “consumer health data” (where the MHMDA may be relevant).
We have provided our key takeaways from the lawsuit below, as well as summarized the facts and the complaint. We are happy to answer any questions you might have about your company’s consumer health data practices. To keep up to date on the latest data privacy and cybersecurity developments, be sure to subscribe to the WilmerHale Cybersecurity and Privacy Law Blog.
Key Takeaways
This lawsuit represents a significant test case for Washington's MHMDA, which has been in effect since March 2024 but is only now being used as the basis for civil litigation. There are several important considerations related to this case and the consumer health data landscape, such as:
- The outcome of this lawsuit will add clarity to the reach of MHMDA. This lawsuit tests how broadly courts will interpret "consumer health data" under the MHMDA, which statutorily refers to a broad set of data that “identifies the consumer's past, present, or future physical or mental health status.” The complaint suggests (but does not provide specific evidence) that because location data could potentially reveal visits to healthcare facilities, it qualifies as protected health information—an interpretation that would significantly expand MHMDA's reach. Significantly, the complaint lacks specific allegations that the plaintiff’s location data actually revealed visits to sensitive locations, that the Company linked the location information collected to healthcare facilities, or that the plaintiff herself visited medical facilities with her phone. (The MHMDA violation claim theoretically states that “precise location information…could reasonably indicate a consumer’s attempt to acquire or receive health services or supplies.”) Additionally, the complaint mentions only once that the SDK also collected biometric data, and does not discuss the injury caused by the collection, which is a requirement for MHMDA’s private right of action under Washington’s consumer protection law.
- Companies should evaluate any third-party data collection and consent processes related to their business. The lawsuit focuses on data collection through SDKs rather than direct collection, raising questions about liability for embedded technologies in applications. Several FTC enforcement actions last year raised similar concerns regarding business oversight into the third-party apps of its vendors and a lack of transparency for consumers. Regulatory enforcement actions against companies like X-Mode Social and Outlogic, InMarket Media, and Avast Limited reflected similar themes of inadequate disclosures to consumers regarding the tracking of location data and a lack of informed consent for location data collection by third-party apps using SDKs.
- Companies utilizing location tracking and other data collection methods can expect heightened scrutiny. Private lawsuits and regulatory enforcement actions continue to focus on alleged harms associated with location data collection. The concern around the ability of mobile apps and other technology to closely track and log the whereabouts of consumers came to the forefront in the wake of the Supreme Court’s decision in Dobbs, but it remains a point of enforcement whenever applicable. This MHMDA lawsuit discusses how sensitive and intimate inferences, including ones related to health, can be drawn from location data and argues that “access to precise location data is especially concerning given that such data is practically impossible to fully anonymize even where unique identifiers are used instead of names.” We have also started to see an increasing number of introduced state privacy bills contain specific provisions around restricting/prohibiting precise geolocation data and including inferential data in definitions of “sensitive data.”
- This case could generate a new wave of consumer health data lawsuits from plaintiffs’ lawyers, or not. We would expect to potentially see a wave of similar complaints under the MHMDA pending how the court rules on these claims and any responding motions, such as a motion to dismiss. This would not be the first time that plaintiffs’ lawyers have used state laws to pursue privacy violations against big companies—we’ve seen similar privacy litigation trends in earlier surges from California’s Invasion of Privacy Act claims and Illinois’ Biometric Information Privacy Act.
Summary of the Complaint
Factual Allegations
The complaint centers on an advertising SDK that developers integrate into popular third-party mobile apps, including the Weather Channel app, OfferUp, Speedtest by Ookla, and Truecaller: Caller ID Blocker. As the complaint explains, an SDK is “a set of platform-specific building tools for developers that put[s] everything you need to develop and run software in one place” and is commonly used by developers for mobile app and web development.
According to the complaint, while mobile app developers use the advertising SDK to perform various advertising-related functions, it also runs in the background of thousands of mobile apps and allegedly collects and transmits sensitive and personal data about the consumer back to the Company, such as:
- Time-stamped latitude and longitude coordinates from consumers' mobile devices;
- Mobile advertising IDs (“MAIDs”); and
- Location data that could reveal sensitive health information.
The complaint further alleges that the location data collected could “provide[] insights into the diverse and intimate aspects of an individual’s health,” such as (1) visits to healthcare facilities like cancer clinics; (2) health behaviors like gym attendance or fast food consumption; (3) social determinants of health based on an individual’s neighborhood and work environment; and (4) social networks that influence health, such as close contacts during COVID-19.
The complaint argues that there is a lack of privacy disclosures—consumers do not receive notice that this SDK is operating in the background of the app and collecting data for the Company. The complaint also contends that the apps do not provide consumers the option to separately consent to who may access and collect their data (i.e., the complaint charges that consumers are unaware their information can be accessed by other parties when they consent to share location data with the third-party mobile apps).
Claims
The class action asserts a total of seven claims. The first three claims allege violations of the Federal Wiretap Act, the Stored Communications Act, and the Computer Fraud and Abuse Act, all federal laws. These claims generally argue that electronic communications were “intentionally intercept[ed],” stored, and accessed without authorization from the consumer and then used to generate a profit.
The next two state law claims allege violations of Washington’s MHMDA and Consumer Protection Act (“CPA”). The MHMDA allegations state two violations:
- Failure to obtain a consumer’s consent prior to collecting and sharing biometric data and “precise location information that could reasonably indicate a consumer’s attempt to acquire or receive health services or supplies”—both provisions within the Act’s expansive definition for “consumer health data.”
- Failure to include clear and conspicuous disclosures with consent requests regarding the categories of health data collected/shared; the purpose for the collection/sharing; the categories of entities receiving the data; and instructions for withdrawing consent as mandated by the statute.
The plaintiff and Class Members also claim that the SDK data collection practices constituted unfair or deceptive acts or practices in violation of Washington's CPA, which provides a private right of action for MHMDA violations if certain criteria are met. Here, because the alleged violation of Washington's MHMDA is statutorily considered a per se violation of the Washington CPA, the plaintiff and class members only need to additionally prove injury to business or property and a causal link between the unfair or deceptive act and injury. They argue that consumers’ personal data has tangible value (as evidenced by third parties that use the data for financial gain or sell it to others for value) and that the plaintiff suffered injury due to lost money associated with this value. Additionally, the complaint alleges that the plaintiff is “at an increased risk of identity theft” because the advertising SDK collects data that could be used to identify the plaintiff and shares it with third parties.
The final two claims assert the tort claim of invasion of privacy (intrusion into private affairs), arguing that the “Plaintiff and Class Members reasonably expected that the location data they shared with third-party apps would be protected and secured and would not be disclosed to [other parties],” and the equitable claim of unjust enrichment. According to the complaint, the Company was unjustly enriched by obtaining and monetizing consumers’ personal data without authorization, selling more services and products as a result, and profiting from the data in violation of consumers’ privacy rights.
Requested Damages
The complaint seeks remedies under multiple statutory frameworks that provide a few different forms of relief and damages, including:
- Permanent injunctive relief to prohibit the Company from continuing to collect data from its SDKs without consent.
- Monetary damages, including:
  - Compensatory damages for actual harm suffered
  - Consequential damages
  - General and nominal damages
  - Statutory damages (including under the Federal Wiretap Act, which provides for the greater of $100 per day per violation or $10,000)
  - Trebled damages under Washington law (up to $25,000 per person under the CPA)
  - Punitive or exemplary damages where permitted by law.
- Disgorgement and restitution of all earnings, profits, compensation, and benefits the Company received from processing and selling the data collected by the SDK.