Keypoint: Almost one year after the law went into effect, the first My Health My Data class action lawsuit was filed in Washington.

On February 10, 2025, a class action lawsuit was filed against an online retailer under the Washington My Health My Data (MHMD) Act’s private right of action. The complaint also alleges violations of federal wiretapping and computerized communications laws. MHMD went into effect on March 31, 2024. Despite initial speculation that the law would lead to significant civil litigation, no lawsuits were filed under it until now.

In this post, we provide a brief summary of the complaint, including the factual allegations, causes of action, and damages sought.

Factual Summary

The complaint—similar to a complaint filed last month by the Texas Attorney General’s Office under the Texas Data Privacy and Security Act—alleges the retailer’s advertising division unlawfully collected and monetized location data from consumers’ mobile devices through a software development kit (SDK).

The complaint explains an SDK is “a set of platform specific building tools . . .  that . . . developers use . . . for mobile app development, web development, and cloud computing, among other uses.”

The complaint alleges the defendant provided a specific SDK that “perform[ed] various advertising related functions such as mediation, measurement, attribution, and others.” The retailer allegedly licenses the SDK to mobile application developers, and it has been integrated into more than 10,000 Android and iPhone mobile applications, which have been downloaded by millions of consumers in North America. Moreover, the SDK is allegedly “designed . . .  to collect a vast amount of individual data points from the location of a user’s mobile phone.”

The complaint alleges that, unbeknownst to the consumer, when a user agrees to share their location data with a specific mobile app the retailer, through the SDK the app is built upon, will also have access to the location data, which is then exfiltrated and monetized.

Specifically, the data allegedly collected includes time-stamped latitude and longitude geolocation coordinates of the consumer’s mobile device, and mobile advertising IDs (MAIDs).

The complaint further alleges that location data provides intimate “insights” into a consumer’s health, such as:

1. When a user visits a cancer clinic,
2. Health behaviors about the user, such as when the user goes to the gym or eats fast food,
3. Social determinants of health, such as the neighborhoods and environments where a person lives and works in, and
4. Social networks that influence health, such as close contact during the COVID-19 pandemic.

The retailer allegedly collected, shared, and sold this data to support its own targeted advertising activities without providing notice to or obtaining consent from consumers. Specifically, the plaintiff claims that “mobile users of third-party apps receive no notice that . . . the SDK is running in the background and thereby [the retailer] is receiving equal access to the user’s location data. Nor is it readily apparent within the various mobile apps that the . . . SDK may be embedded within.” Moreover, consumers allegedly were not given an opportunity to grant or deny the retailer access to the data, separate from the application.

Claims

The complaint alleges numerous violations of law, including violations of the Federal Wiretap Act (FWA), as amended by the Electronic Communications Privacy Act of 1986 (ECPA); the Stored Communications Act; the Computer Fraud and Abuse Act (CFAA); and tortious violations under theories of invasion of privacy and unjust enrichment.

The complaint also alleges violations of the Washington Consumer Protection Act (CPA). As discussed in our prior article, MHMD provides a private right of action through the CPA, which requires plaintiffs to prove that the defendant’s conduct amounted to:

• An unfair or deceptive act or practice,
• Occurring in trade or commerce,
• Impacting the public interest,
• Injuring (monetarily or non-monetarily) a plaintiff in his or her business or property, and
• A causal link between the unfair or deceptive act and the injury suffered.

Because the complaint claims the retailer’s conduct violates MHMD, the first three elements are presumed met as a per se unfair or deceptive act or practice occurring in trade or commerce and impacting the public interest. To allege the remaining two elements are met, the complaint asserts the retailer’s conduct injured the plaintiff and class members by diminishing the tangible value of their personal data and increasing their risk of identity theft due to the retailer’s collection and sharing of that data. Of note, MHMD does not provide for statutory damages.

The complaint alleges that the retailer’s conduct violated MHMD in two ways:

1. Failure to obtain a consumer’s consent prior to collecting and sharing consumer health data.

The complaint alleges the retailer collected consumer health data, including biometric data and precise location data that could reasonably indicate a consumer’s attempt to acquire or receive health services or supplies.

MHMD requires regulated entities collecting or sharing consumer health data to obtain the consumer’s consent prior to collection or sharing, where the collection or sharing is for any purpose not necessary to provide a product or service to the consumer.

• Failure to include a clear and conspicuous disclosure with a consent request.

The complaint alleges the retailer failed to include disclosures regarding the categories of consumer health data it collected or shared, the purpose of the collection or sharing, the categories of entities with whom consumer health data is shared, and instructions on how the consumer can withdraw consent from future data. MHMD requires regulated entities to include such disclosures with their request for a consumers’ consent.

Damages

The plaintiff claims she and the class are entitled to compensatory, consequential, general, and nominal damages in amounts to be determined at trial. Additionally, the plaintiff requests the court impose statutory damages, trebled damages, and punitive or exemplary damages, as permitted by law. The plaintiff also requests that the court order disgorgement and restitution of all earnings, profits, compensation, and benefits the retailer received as a result of the alleged unlawful conduct and impose permanent injunctive relief prohibiting such conduct.

As a reminder, the CPA authorizes plaintiffs injured by a violation to recover damages, costs of suit, and reasonable attorney’s fees. The court also has discretion to treble such damages, provided they do not exceed $25,000 per person injured.