A cannabis shop got sued over a website pixel
In November 2025, a Washington cannabis retailer was hit with a class action for running a standard website tracking pixel. Not a hospital. Not a HIPAA covered entity. A retail shop, sued under a health privacy law because of a marketing tag firing on its site. That case is the clearest signal yet of what Washington's My Health My Data Act (MHMDA) actually reaches, and why every consumer-facing website that touches anything health-adjacent needs to understand it.
If you run a hospital or clinic, our HIPAA and healthcare tracking guide is your starting point. This guide is about the other, much larger group: wellness apps, supplement and CBD stores, fitness sites, telehealth marketing pages, symptom checkers, period and fertility trackers, mental-health platforms, and any site that collects data a regulator could tie to health. HIPAA mostly doesn't touch you. MHMDA does.
MHMDA reaches far past HIPAA
The My Health My Data Act (RCW 19.373) deliberately sidesteps the HIPAA boundary. It applies to any "regulated entity" that conducts business in Washington, or targets Washington consumers, and that collects "consumer health data." There's no covered-entity requirement and no treatment relationship needed.
Two definitions do the heavy lifting, and both are broad:
- Consumer health data is any information linkable to a consumer that identifies their past, present, or future physical or mental health status, including data derived or inferred from non-health information. A search for a condition, a purchase of a health product, an appointment booking, even precise location near a clinic, can qualify.
- Regulated entity is essentially any business that meets those data and geography tests. It's the size of the definition, not an industry list, that determines coverage.
The key dates: most provisions took effect March 31, 2024 (June 30, 2024 for small businesses), and the geofencing prohibition has applied since July 23, 2023.
The two-permission structure that trips everyone up
MHMDA doesn't have one consent switch. It has two separate permissions, and confusing them is a fast way into trouble.
Consent, to collect or share. Before you collect or share consumer health data for anything beyond what's strictly necessary to deliver the product or service the consumer asked for, you need consent. And MHMDA's consent bar is high: a "clear affirmative act" that's freely given, specific, informed, opt-in, voluntary, and unambiguous. That's GDPR-grade opt-in, not a pre-ticked box and not implied-by-scrolling. A tracking pixel that sends health-adjacent data to an ad platform is "sharing," and it needs this consent first.
Valid authorization, to sell. Selling consumer health data requires a separate, signed authorization, a distinct legal instrument with its own required elements, not the same thing as the consent above. Bundling the two, or treating a marketing opt-in as permission to sell, doesn't satisfy the statute.
So an ad pixel that shares data needs consent; a data-broker arrangement that sells it needs authorization on top. Map every outbound flow to which bucket it falls in.
The geofencing ban is absolute
MHMDA makes it flat-out unlawful to run a geofence around a place that provides in-person health care services when the fence is used to identify or track consumers seeking care, collect their health data, or send them messages or ads based on it. The statute defines the fence as a virtual boundary within 2,000 feet of the facility's perimeter.
This one matters for marketers who never think of themselves as health businesses. Location-based ad targeting near clinics, pharmacies, addiction-treatment centers, or reproductive-health facilities is exactly what the ban prohibits, and there's no consent that cures it. It's not "get permission first," it's "don't do it." If your ad ops or an SDK in your app does location targeting, confirm it can't fence health facilities.
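A pre-flight check for that last point, written as an added example rather than code from the page or any vendor: it rejects a proposed location-targeting circle if it overlaps the 2,000-foot buffer around any known in-person care facility. The facility list, the circular footprint approximation and the function names are assumptions for illustration.

```javascript
"use strict";
// MHMDA's geofence definition: a virtual boundary within 2,000 feet of the
// perimeter of a facility that provides in-person health care services.
const MHMDA_FENCE_FEET = 2000;
const FEET_PER_METER = 3.28084;
const EARTH_RADIUS_M = 6371000;
// Great-circle distance in metres between two {lat, lon} points (haversine).
function distanceMeters(a, b) {
  const toRad = (d) => (d * Math.PI) / 180;
  const dLat = toRad(b.lat - a.lat), dLon = toRad(b.lon - a.lon);
  const h = Math.sin(dLat / 2) ** 2 +
    Math.cos(toRad(a.lat)) * Math.cos(toRad(b.lat)) * Math.sin(dLon / 2) ** 2;
  return 2 * EARTH_RADIUS_M * Math.asin(Math.sqrt(h));
}
// Lists every facility whose 2,000-ft buffer a proposed targeting circle
// (centre plus radius in feet) overlaps. Each facility's footprint is
// approximated as a circle of perimeterFeet around its centroid (assumption).
function healthFacilityConflicts(fence, facilities) {
  return facilities
    .filter((f) => {
      const gapFeet = distanceMeters(fence.center, f.center) * FEET_PER_METER;
      const buffer = (f.perimeterFeet || 0) + MHMDA_FENCE_FEET;
      // Two circles overlap when the centre gap is below the sum of the radii.
      return gapFeet < fence.radiusFeet + buffer;
    })
    .map((f) => f.name);
}
// Ad-ops pre-flight: a location target is approved only with zero conflicts.
// There is deliberately no consent override, because the statute allows none.
function approveLocationTarget(fence, facilities) {
  const conflicts = healthFacilityConflicts(fence, facilities);
  return { approved: conflicts.length === 0, conflicts };
}
```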
The separate homepage privacy policy
MHMDA requires a dedicated Consumer Health Data Privacy Policy, and it's not a section you fold into your main privacy policy. Washington's attorney general has stated in nonbinding guidance that the policy must be a separate and distinct link on the entity's homepage, and that it may not contain additional information beyond what MHMDA requires. In practice that means a standalone link, plainly labeled, sitting alongside your regular privacy policy, describing the categories of consumer health data you collect, the purposes, the sources, who you share with, and how consumers exercise their rights.
It's a small requirement that's easy to miss and easy for a plaintiff to point at, because either the link is on your homepage or it isn't.
The private right of action is the real teeth
Most US state privacy laws are enforced only by the attorney general. MHMDA is different. Violations are actionable under Washington's Consumer Protection Act, which carries a private right of action, so consumers can sue directly, and class actions follow. The CPA also allows civil penalties up to $7,500 per violation. Multiply that across a class of every Washington visitor a pixel touched, and the exposure is serious.
The litigation is already here. The first MHMDA class action, Maxwell v. Amazon (W.D. Wash., filed February 10, 2025), alleged that SDKs harvested location data from tens of millions of people without consent, on the theory that location data can be consumer health data. The November 2025 cannabis-retailer case took it to the website-pixel context directly. This is a live, growing category, not a theoretical risk.
What websites should actually do
- Treat health-adjacent trackers as consent-first. Any pixel or tag that could send health-inferable data (a condition page view, a health-product purchase, a booking) stays blocked until you have MHMDA-grade opt-in consent. Default blocking is the safe posture. See cookie categories.
- Map collect vs share vs sell. For every outbound data flow, decide whether it needs consent (collect/share) or authorization (sell), and get the right one.
- Kill health-facility geofencing. Audit ad targeting and app SDKs for location fencing near care facilities and shut it off.
- Publish the standalone policy. A separate, distinct Consumer Health Data Privacy Policy link on your homepage, scoped to what MHMDA requires.
- Treat location as health data. The early cases turned on location, not diagnoses. Precise geolocation is the exposure most sites underestimate. Our sensitive data guide covers the geolocation definitions.
- Keep the consent record. The high consent bar only helps if you can prove you cleared it. Log every decision.
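The first, second and last items above, as one added example that is not the page's or CookieBeam's code: a browser-side gate that keeps every outbound flow blocked by default, classifies each flow as necessary, share (needs consent) or sell (needs authorization on top), rejects consent that is not an explicit opt-in, and logs each decision with timestamp and jurisdiction. The flow ids, purpose labels and decision-object fields are constructed for illustration.

```javascript
"use strict";
// Permission each outbound flow needs under MHMDA's two-permission model:
// "necessary" flows need nothing, sharing needs opt-in consent, and selling
// needs a separate signed authorization on top of that consent.
const NEEDS = { necessary: "none", share: "consent", sell: "authorization" };
// Constructed flow inventory with hypothetical ids; every outbound tag is
// assigned a bucket before it is allowed anywhere near the page.
const FLOWS = {
  "order-api":   { action: "necessary", purpose: "fulfil the purchase" },
  "ads-pixel":   { action: "share",     purpose: "ad measurement" },
  "broker-feed": { action: "sell",      purpose: "data sale" },
};
// Consent counts only as an explicit, opt-in, non-pre-ticked act that names
// the purpose; scrolling, silence or a default-on checkbox do not qualify.
function isValidConsent(c, purpose) {
  return !!c && c.mechanism === "explicit_click" && c.optIn === true &&
    c.preChecked === false && Array.isArray(c.purposes) && c.purposes.includes(purpose);
}
// An authorization to sell is a distinct signed instrument scoped to selling.
function isValidAuthorization(a) {
  return !!a && a.signed === true && a.scope === "sell" && typeof a.signedAt === "string";
}
class ConsentGate {
  constructor(jurisdiction, now = () => new Date().toISOString()) {
    this.jurisdiction = jurisdiction; this.now = now;
    this.consent = null; this.authorization = null; this.log = [];
  }
  // Every decision, refusals included, is logged with timestamp and jurisdiction.
  record(kind, payload) {
    const entry = { kind, at: this.now(), jurisdiction: this.jurisdiction, payload };
    this.log.push(entry);
    if (kind === "consent") this.consent = payload;
    if (kind === "authorization") this.authorization = payload;
    return entry;
  }
  // Default is blocked: a flow fires only when its required permission is on file.
  mayRun(flowId) {
    const flow = FLOWS[flowId];
    if (!flow) return { allowed: false, reason: "unknown flow stays blocked" };
    if (NEEDS[flow.action] === "none") return { allowed: true, reason: "necessary" };
    if (!isValidConsent(this.consent, flow.purpose)) return { allowed: false, reason: "no valid consent" };
    if (NEEDS[flow.action] === "consent") return { allowed: true, reason: "consent" };
    return isValidAuthorization(this.authorization)
      ? { allowed: true, reason: "authorization" } : { allowed: false, reason: "no valid authorization" };
  }
}
```

Wire `mayRun` in front of every tag loader so a health-adjacent pixel is never injected unless it returns `allowed: true`, and ship `log` to your consent store as the evidence a claim will test.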
And remember Washington isn't alone. Nevada's consumer health data law mirrors much of MHMDA, and Connecticut folded health-data protections into its general consumer privacy law. See our US state privacy laws guide for the wider map.
How CookieBeam handles consumer health data
Default blocking with a high consent bar. CookieBeam holds all non-essential scripts until the visitor makes an affirmative choice, so no health-adjacent pixel fires before you have the opt-in MHMDA demands.
Category and page-level control. You can enforce a stricter policy on condition pages, booking flows, or health-product checkouts than on the rest of the site, and keep third-party sharing off where the risk is highest.
Continuous scanning. The automated scanner catches trackers as they're added, which is how the pixel-on-a-checkout problem behind these lawsuits gets found before a plaintiff finds it.
Server-side enforcement. For measurement you still need, server-side consent enforcement lets you send a conversion signal without leaking clinical or health context to ad platforms.
Consent logging. Every decision is stored with timestamp and jurisdiction (see consent logging and audit requirements). That record is the evidence that you met the standard, which is exactly what a private-right-of-action claim will test.
MHMDA rewrote the risk model for a huge set of businesses that never thought of themselves as "health" companies. If your site can infer something about a visitor's health, and most commerce and wellness sites can, the pixel you drop in the global header is the liability. Block first, consent properly, and keep the receipts.