- Amazon faces allegations of unauthorized knowledge assortment in violation of federal and state privateness legal guidelines, together with a first-of-its-kind declare below Washington’s My Well being My Knowledge Act (“MHMDA”).
- The MHMDA restricts companies from accumulating, sharing, or promoting any-health associated details about a shopper with out their consent of “legitimate authorization”, going past the standard protections supplied by the Well being Insurance coverage Portability Accountability Act (“HIPAA”).
- The case in opposition to Amazon brings into focus the potential repercussions for firms dealing in health-related knowledge and utilizing fashionable web monitoring applied sciences for the operation of their web sites.
- Companies—particularly these dealing in health-related knowledge—should scrutinize their knowledge privateness practices to make sure alignment with an ever-evolving authorized panorama.
* * *
Privateness and well being regulation consultants not want to carry their breath: the primary main lawsuit below Washington’s lately enacted MHMDA was filed in opposition to Amazon. (Maxwell v. Amazon.com, Inc., No. 2:25-cv-00261 (W.D. Wash. Filed Feb. 10, 2025)). In broad phrases, the Western District of Washington lawsuit alleges that Amazon violated federal wiretapping legal guidelines and Washington state privateness and shopper safety guidelines by gathering location knowledge through its software program growth kits (“SDKs”), which it then used for focused promoting and third get together knowledge gross sales, all with out affirmative consumer consent or legitimate authorization.
On the coronary heart of Maxwell is the alleged violation of the MHMDA. Beneath the MHMDA, a violation is deemed an unfair or misleading act below the Washington state shopper safety statute (the “Washington CPA”). The case underscores the rising dangers firms participating with shopper well being info face within the fashionable privateness period.
Washington’s My Well being My Knowledge Act
Enacted in April 2023 and effected March 2024, MHMDA (HB 1155) represents a big stride towards enhancing privateness protections associated to well being knowledge inside Washington. Rising from rising issues surrounding the misuse of reproductive well being knowledge, the Act goals to safeguard private well being info from unauthorized assortment, storage, or sale, besides the place specific consent is given by people.
Particularly, the MHMDA states {that a} regulated entity or a “small enterprise” might not acquire or share any shopper well being knowledge besides “with consent from the buyer for such assortment for a specified goal” or “to the extent vital to offer a services or products that the buyer to whom such shopper well being knowledge relates has requested from such regulated entity or small enterprise.” The Act additionally applies to a wider vary of shopper well being knowledge than what is often coated below HIPAA, obliging entities falling below its scope to meticulously handle health-related knowledge practices and paving the way in which for elevated scrutiny over the efficacy of these practices in defending delicate shopper info.
Notably, the MHMDA grants a non-public proper of motion to impacted plaintiffs, with treatments that embody precise damages and lawyer’s charges (plus the potential for an extra award of trebled damages) below the Washington CPA.
Maxwell v. Amazon
The Maxwell case marks the debut of the primary non-public proper of motion for a MHMDA violation. The putative class motion grievance alleges that Amazon improperly accessed and monetized consumer knowledge obtained by means of sure location-based apps (e.g., OfferUp and the Climate Channel) geared up with its SDKs, benefiting from geolocation capabilities inherent in them. In response to the lawsuit, these apps transmitted delicate info, together with biometric and exact location knowledge, which could mirror people’ engagements with well being companies or makes an attempt to amass or obtain well being companies or provides—a direct breach of the MHMDA’s stringent privateness mandate.
As well as, the grievance alleges that past not acquiring shopper consent, Amazon didn’t make sure MHMDA-required disclosures, corresponding to failing to: “clearly and conspicuously disclose the classes of shopper well being knowledge collected or shared; the aim of the gathering or sharing of shopper well being knowledge; the classes of entities with whom the buyer well being knowledge is shared; and the way the buyer can withdraw consent from future assortment.to reveal previous to the info assortment the classes of shopper well being knowledge collected or shared, the aim of such alleged knowledge assortment, the classes of entities with whom the buyer well being knowledge is shared; and the way the buyer can withdraw consent from future assortment.”
In response to the plaintiff, Amazon defies the prohibitions outlined by each federal statutes and the MHMDA as a result of customers have been unaware of—and thus didn’t consent to—Amazon’s full knowledge entry when utilizing these apps. The grievance asserts that when a cellular app utilizing Amazon’s SDK requests location knowledge entry, customers are “not supplied with a possibility to grant or deny entry to Amazon as properly.” The swimsuit seeks not solely injunctive aid to halt knowledge practices missing consumer consent but additionally damages for the purported privateness violations.
Whereas the result stays unsure, the first-of-its-kind case will function a crucial knowledge level in evaluating the MHMDA’s energy and definition in authorized environments, drawing parallels to prior claims below California’s privateness legal guidelines.
Key Takeaways
- Implicated enterprise navigating this novel territory will need to pay shut consideration to the Maxwell case.
- Extra importantly, these companies ought to make sure you normalize common assessments of their privateness insurance policies and monitoring expertise functionalities to make sure compliance with, among the many patchwork of state privateness legal guidelines throughout the nation, the MHMDA.
- Authorized counsel ought to information firms concerned within the data-driven market in tailoring methods to mitigate privateness dangers, avoiding hefty fines and authorized disputes.
