← Back to blog

Does the My Health My Data Act Apply to My Website?

·6 min read·Ezra Seal

privacy · my health my data act · washington · website tracking · small business

Not legal advice

This is an awareness and education piece from a web and UX studio, not legal advice. For how the law applies to your specific business, talk to an attorney.

Key takeaways

  • Washington's My Health My Data Act (MHMDA) can apply to your website if you do business in Washington or target Washington residents and your site collects data that could be linked to someone's health.
  • The definition of "consumer health data" is broad, and it can catch businesses that do not think of themselves as health related.
  • Unlike many privacy laws, the MHMDA has no revenue or size threshold that exempts small businesses.
  • It has a private right of action, so individuals can sue you directly, with damages that can reach up to $25,000 per violation plus attorney fees.
  • Website pixels are the common trigger, because they can quietly send health-adjacent data to third parties without the consent the law requires.

Does the My Health My Data Act apply to my website?

It applies if two things are true: you conduct business in Washington or aim your products and services at Washington residents, and your website collects information that could be linked to a person's health. That second part is where most owners are caught off guard, because the law's definition of health data is far wider than "medical records." There is no small-business carve-out that lets you off based on size or revenue, which is unusual and is exactly why it reaches so many ordinary sites. Primary source: RCW 19.373.

What counts as "consumer health data" under the MHMDA?

Consumer health data is information that is linked or reasonably linkable to a person and that identifies their past, present, or future physical or mental health. That includes obvious things like conditions, diagnoses, treatments, and medications, but it also reaches bodily functions, symptoms, reproductive or sexual health, precise location that could suggest someone is seeking health services, and even data that simply identifies a person as looking for those services. Critically, it also covers information a business derives or infers from non-health data. So a pattern of pages someone viewed, or an appointment they booked, can become health data in the law's eyes.

My business is not a clinic. Am I really covered?

Quite possibly, yes. The law does not limit itself to hospitals, clinics, or health companies. A fitness studio, a med spa, a supplement shop, a therapist's private practice, a dental office, or any site that lets people book appointments or discuss symptoms can be handling consumer health data without thinking of it that way. Even a general business can be swept in if its site collects precise location or lets someone signal they are seeking a health-related service. The question is not what industry you are in, it is what your website actually collects and infers.

How do website pixels create My Health My Data Act exposure?

Pixels create exposure by sending health-adjacent data to third parties without the consent the law requires. When a Meta Pixel or Google tag loads on a page about a treatment, or fires when someone books an appointment, it can transmit that activity to an ad platform. If that data is reasonably linkable to a person and touches health, the law generally requires clear consent to collect and share it, and a separate, specific authorization to sell it. That is the theory behind the real cases: a Seattle retailer was sued for pixels sending purchase and appointment details to Google, after the first MHMDA lawsuit was filed against Amazon in early 2025.

The question is not what industry you are in, it is what your website actually collects and infers.

What does the MHMDA actually require?

At a high level, it requires consent before you collect or share consumer health data, and a separate valid authorization before you sell it, which is deliberately hard to obtain in a normal website flow. It also bans geofencing around health care facilities to track or target people, and it gives consumers rights to access and delete their health data. The practical takeaway for a website owner is simple to say and harder to do: health-adjacent data should not be leaving your site to third parties before the visitor has genuinely agreed.

What happens if I get it wrong?

The MHMDA is enforced through Washington's Consumer Protection Act, which means individuals can sue you directly rather than waiting for a regulator. Damages under that act can be trebled up to $25,000 per violation, plus costs and attorney fees, which is what makes these cases attractive to plaintiff lawyers and dangerous for a small business. Primary source for the enforcement mechanism: RCW 19.86.

How do I tell if my site is at risk?

Find out what your website actually sends, and to whom, before assuming you are fine. Most owners have never seen the list of trackers running on their own pages, let alone what those trackers transmit when someone books or browses. Once you can see it, the fixes are concrete: stop health-adjacent data from leaving before consent, name your trackers honestly in your privacy policy, and give people a real way to opt out. If you want to see what your site is running without reading code, our free Exposure Scan lists every tracker on the page and flags the ones that keep firing after a visitor clicks Reject. For the wider picture across Washington and Oregon, start with the overview of what is and is not legal, and if you run a consent banner, check whether it actually works.

FAQ

Is there a small-business exemption in the MHMDA?

No size or revenue threshold exempts small businesses. Smaller businesses were given a slightly later compliance date, but the law still applies to them.

Does the MHMDA only cover medical information?

No. It covers a broad range of data linked to physical or mental health, including inferences drawn from ordinary browsing or booking activity.

Can someone sue me personally under this law?

The law provides a private right of action through the Consumer Protection Act, so individuals can bring claims directly, not only the state.

We use Google Analytics and a Meta Pixel. Is that a problem?

It depends on what those tools collect and send on your specific pages, and whether you have consent. On a health-adjacent site, sending that activity to third parties without consent is the core risk.

Sources and disclaimer

Sources are linked inline. This reflects the law as of mid 2026 and is not legal advice. Confirm the current rules, and how they apply to you, with a qualified attorney.