Biometrics Litigation Update: First Class Action Complaint Filed Under Washington’s My Health My Data Act — Is Your Company Ready?

On February 10, 2025, the first class action complaint was filed under Washington state’s My Health My Data Act (“MHMDA”), over a year after the law was passed. See Maxwell v. Amazon.com, Inc. et al., Case No. 2:25-cv-261 (W.D. Wash.). The complaint alleges that defendants Amazon.com, Inc. and Amazon Advertising, LLC collected consumer health data in violation of the statute through licensing their software development kits (SDKs) to a variety of mobile applications. Specifically, the complaint claims the defendants’ advertising SDK unlawfully gathered “biometric data and precise location information that could reasonably indicate a consumer’s attempt to acquire or receive health services or supplies.” The harvested data, the complaint further alleges, was then monetized for Amazon’s own targeted advertising and sale to third parties.

As we have detailed previously, MHMDA was intended to supplement the Health Insurance Portability and Accountability Act (HIPAA), providing for broader, more comprehensive regulations of consumer health data and, to that end, created a private right of action. MHMDA applies to entities that (i) conduct business in Washington or produce or provide products or services that are targeted to individuals in Washington; and (ii) determine the purpose and means for collecting consumer health data. MHMDA’s definition of “consumer health data” is also broad and includes biometric data, precise location data that could reasonably indicate a consumer’s attempt to acquire or receive certain health services or supplies, and data that identifies a consumer seeking health care services. The state was particularly focused on protecting reproductive health data in the fallout after the 2022 U.S. Supreme Court Dobbs decision, overturning Roe v. Wade. MHMDA protects health data similar to how Washington law already protects other types of data but provides a unique private right of action. See, e.g., Wash. Rev. Code Ann. § 19.375 (protecting biometric data). While MHMDA provided additional avenues for privacy litigation in Washington courts, until now they have gone unused. This new case may portend additional lawsuits are forthcoming, particularly in a climate where the U.S. Federal Trade Commission has been increasingly scrutinizing location consumer data collection and SDKs, and other states, including Connecticut and Nevada, have passed similar health laws, albeit without a private right of action. See Con. Gen. Stat. Ch. § 42-515 et. seq (as amended by SB 3 in 2023); Nev. Rev. Stat. § NRS 603A.400 et. seq. (New York’s legislature passed a similar bill, SB 929, but Gov. Hochul has yet to sign it into law.)  

Privacy litigation filed in other states under similar statutes may offer valuable insight into what to expect in Washington. In particular, given the proliferation of lawsuits filed under Illinois’ Biometric Information Privacy Act (BIPA) and California’s Invasion of Privacy Act (CIPA) following their enactment, it is reasonable to predict a similar pattern of litigation will follow here. Furthermore, beyond an uptick in cases filed asserting claims under the MHMDA, an examination of the historic BIPA and CIPA litigation landscape suggests that there will be conflicting interpretations of the law’s scope and meaning, especially at first.

Until the Washington Supreme Court weighs in on MHMDA as the ultimate arbiter of Washington state law, there will remain an element of uncertainty, regardless of how Maxwell is decided in the Western District of Washington. That lingering uncertainty will likely raise compliance costs as companies are forced to continually adjust their policies to meet evolving judicial interpretation of the requirements of the law.

Beyond offering insight into how the MHMDA litigation landscape may develop, companies facing litigation under the MHMDA may be able to look to defenses that were at least successful early on against BIPA and CIPA claims for strategic guidance. For example, in Illinois, prior to 2019, when the Illinois Supreme Court issued its opinion in Rosenbach v. Six Flags Entertainment Corporation, 2019 IL 123186, taking an expansive view of statutory standing, defendants had a fair amount of success moving to dismiss BIPA cases on standing grounds. Similarly, in California, explicit and even implicit consent to data collection have proved useful defenses to CIPA claims. See, e.g., Silver v. Stripe Inc., No. 4:20-cv-08196-YGR, 2021 WL 3191752, at *3-5 (dismissing CIPA claim because defendant’s website utilized a “sign-in wrap” agreement that offered an opportunity to review the terms of service in the form of a hyperlink, plaintiff expressly acknowledged assent by clicking “place order,” and a reasonably prudent user would thus have been aware of the defendant’s privacy policy); see also Garcia v. Enter. Holdings, Inc., 78 F. Supp. 3d 1125, 1135-37 (N.D. Cal. 2015) (dismissing CIPA claim based on determination that plaintiff implicitly consented to defendant’s Privacy Policy and Terms of Service by signing up and using the website, and holding that ‘browsewrap” agreements are binding even where users have not reviewed the underlying agreement).

Other defenses that have gained or sustained success in BIPA and CIPA cases may also be instructive for MHMDA defendants. For example, insufficient personal jurisdiction has proven to be a successful defense for BIPA and CIPA cases. See, e.g., Brantley v. Prisma Labs, Inc., No. 23 C 15666, 2024 WL 3673727, at *6-8 (N.D. Cal. Aug. 6, 2024) (granting motion to dismiss BIPA case on personal jurisdiction grounds); Mayhew v. Candid Color Sys., Imc., 734 F. Supp. 3d 994, 1000-006 (S.D. Ill. 2024) (same); Heiting v. Marriott Int’l, Inc., 745 F. Supp. 3d 1163, 1169-72 (C.D. Cal. 2024) (granting motion to dismiss CIPA case on jurisdictional grounds and denying request for jurisdictional discovery). Because MHDMA regulates collection of consumer health data in Washington, businesses that do not operate or collect data in the state should have congruent success defending MHMDA lawsuits with jurisdictional arguments. See Wash Rev. Code § 19.373.010(8).

Beyond personal jurisdiction, there are other defense arguments that have succeeded against BIPA and CIPA claims that may be relevant to defending MHMDA claims. These include arguing the data collected falls under an express statutory exemption or does not qualify as the type of data regulated by the statute. See, e.g., Mosby v. Ingalls Mem’l Hosp., 2023 IL 129081 (dismissing BIPA case because the biometric information of health care workers at issue in the lawsuit falls under BIPA’s exemption for information collected, used or stored for health care treatment, payment or operations under HIPAA); Graham v. Noom, Inc., 533 F. Supp. 3d 823, 833 (N.D. Cal. 2021) (dismissing CIPA case because the challenged IP addresses, locations, browser types and operating systems were not the kind of “content” regulated by CIPA).

Maxwell, as a first-of-kind MHMDA case, will undoubtedly set the tone for the frequency and success of future MHMDA litigation. The currently scheduled deadline for the defendant to respond to the complaint is April 21, 2025. See Maxwell, No. 2:25-cv-261, at Dkt. 14.

The asserted claims seem susceptible to a standing attack because they are premised on the mere possibility that the statute could be violated if the collected location data were to reveal that someone was acquiring health services. See Compl. ¶ 132; see also Tex. v. United States, 523 U.S. 296, 300-01 (1998) (“A claim is not ripe for adjudication if it rests upon ‘contingent future events that may not occur as anticipated, or indeed may not occur at all.’”) (citations omitted). How the court ultimately resolves that question, as well as others that may be raised, will be important to shaping the MHMDA litigation landscape. Nonetheless, considering the evolution of litigation under parallel privacy statutes with private rights of action in Illinois and California, this case will certainly not be the last of its kind.

Therefore, companies operating in Washington or otherwise subject to MHMDA should move quickly to mitigate risk of litigation or adverse judgments. Immediate steps companies can take include evaluating business operations and data collection processes; reviewing and, if appropriate, revising policies, websites, disclosures, consent mechanisms, storage procedures and related employee training; and appraising existing insurance policies to cover any gaps in coverage for potential MHMDA litigation.  

Paul Hastings’ Data Privacy and Cybersecurity practice regularly advises companies on how to proactively meet the requirements of state privacy laws and regulations like MHMDA and is uniquely positioned to defend companies in privacy litigation matters through industry-leading expertise. If you have any questions about this law or any other data privacy law, please do not hesitate to contact any member of our team.