- Amazon faces allegations of unauthorized data collection in violation of federal and state privacy laws, including a first-of-its-kind claim under Washington’s My Health My Data Act (“MHMDA”).
- The MHMDA restricts businesses from collecting, sharing, or selling any health-related information about a consumer without the consumer’s consent or “valid authorization”, going beyond the protections provided by the Health Insurance Portability and Accountability Act (“HIPAA”).
- The case against Amazon brings into focus the potential repercussions for companies dealing in health-related data and using modern internet tracking technologies for the operation of their websites.
- Businesses—especially those dealing in health-related data—must scrutinize their data privacy practices to ensure alignment with an ever-evolving legal landscape.
* * *
Privacy and health law experts no longer need to hold their breath: the first major lawsuit under Washington’s recently enacted MHMDA has been filed against Amazon. (Maxwell v. Amazon.com, Inc., No. 2:25-cv-00261 (W.D. Wash. filed Feb. 10, 2025)). In broad terms, the Western District of Washington lawsuit alleges that Amazon violated federal wiretapping laws and Washington state privacy and consumer protection rules by gathering location data through its software development kits (“SDKs”) embedded in third-party mobile apps, which it then used for targeted advertising and third-party data sales, all without affirmative user consent or valid authorization.
At the heart of Maxwell is the alleged violation of the MHMDA. Under the MHMDA, a violation is deemed an unfair or deceptive act under the Washington state consumer protection statute (the “Washington CPA”). The case underscores the growing risks companies engaging with consumer health information face in the modern privacy era.
Washington’s My Health My Data Act
Enacted in April 2023 and effective March 2024, the MHMDA (HB 1155) represents a significant stride toward enhancing privacy protections for health data within Washington. Emerging from growing concerns about the misuse of reproductive health data, the Act aims to safeguard personal health information from unauthorized collection, storage, or sale, except where individuals have given explicit consent.
Specifically, the MHMDA states that a regulated entity or a “small business” may not collect or share any consumer health data except “with consent from the consumer for such collection for a specified purpose” or “to the extent necessary to provide a product or service that the consumer to whom such consumer health data relates has requested from such regulated entity or small business.” The Act also applies to a wider range of consumer health data than what is typically covered under HIPAA, obliging entities falling under its scope to meticulously manage health-related data practices and paving the way for increased scrutiny over the efficacy of those practices in protecting sensitive consumer information.
Notably, the MHMDA grants a private right of action to impacted plaintiffs, with remedies that include actual damages and attorney’s fees (plus the potential for an additional award of trebled damages) under the Washington CPA.
Maxwell v. Amazon
The Maxwell case marks the first lawsuit brought under the MHMDA’s private right of action. The putative class action complaint alleges that Amazon improperly accessed and monetized user data obtained through certain location-based apps (e.g., OfferUp and the Weather Channel) equipped with its SDKs, taking advantage of the geolocation functions built into those apps. According to the lawsuit, these apps transmitted sensitive information, including biometric and precise location data, which could reveal individuals’ engagements with health services or attempts to acquire or receive health services or supplies, in direct breach of the MHMDA’s consent requirement.
In addition, the complaint alleges that beyond not obtaining consumer consent, Amazon did not make certain MHMDA-required disclosures, failing to “clearly and conspicuously disclose the categories of consumer health data collected or shared; the purpose of the collection or sharing of consumer health data; the categories of entities with whom the consumer health data is shared; and how the consumer can withdraw consent from future collection.”
According to the plaintiff, Amazon violated the prohibitions of both the federal statutes and the MHMDA because users were unaware of, and thus did not consent to, the full extent of Amazon’s data access when using those apps. The complaint asserts that when a mobile app using Amazon’s SDK requests access to location data, users are “not provided with an opportunity to grant or deny access to Amazon as well.” The suit seeks not only injunctive relief to halt data practices lacking user consent but also damages for the alleged privacy violations.
While the outcome remains uncertain, this first-of-its-kind case will serve as a critical data point on how courts interpret and enforce the MHMDA, much as early claims under California’s privacy laws did for those statutes.
Key Takeaways
- Businesses navigating this novel territory will want to pay close attention to the Maxwell case.
- More importantly, those businesses should make regular assessments of their privacy policies and tracking technology functionalities routine, to ensure compliance with the MHMDA as well as the patchwork of other state privacy laws across the country.
- Legal counsel should guide companies involved in the data-driven market in tailoring strategies to mitigate privacy risks, avoiding hefty fines and legal disputes.