RatedWithAI

RatedWithAI

Accessibility scanner

Biometric & Health DataJuly 4, 2026

Washington My Health My Data Act & AI: Biometric Compliance 2026

If your AI product touches biometric signals, fitness data, mental-health interactions, or anything that lets a model infer someone's health status, Washington's My Health My Data Act probably applies — and unlike many privacy statutes, consumers can sue you directly for violating it.

Private
Right of action lets individual consumers sue directly
Broad
'Consumer health data' reaches far beyond medical records
Any state
Applies to any company processing WA residents' data

Why This Law Catches AI Companies Off Guard

Most AI teams building fitness trackers, mood-tracking apps, or behavioral-inference models assume health-privacy law means HIPAA — and assume HIPAA doesn't apply because they're not a covered healthcare provider or insurer. That assumption is exactly the gap Washington's My Health My Data Act (MHMDA) was built to close. MHMDA defines "consumer health data" broadly enough to capture data that reveals or can be used to infer a health condition — which routinely includes biometric signals, location patterns near health facilities, and behavioral data that an AI model uses to make health-adjacent predictions, even if the company never calls itself a "health" business.

For AI-native products, this matters more than it did for traditional software: models increasingly infer sensitive attributes (stress levels, sleep quality, likely medical conditions) from signals that weren't explicitly collected as "health data" — biometric sensor output, typing patterns, voice cadence, or activity data. MHMDA treats the inference, not just the raw input, as consumer health data.

Key Obligations for AI Products

  • Opt-in consent before collection — you generally need affirmative consumer consent before collecting consumer health data, not just a disclosure buried in a privacy policy.
  • Separate authorization to sell — selling or sharing consumer health data (including with AI training or analytics vendors, in many cases) requires a distinct, valid authorization beyond general consent.
  • Geofencing ban — using location data to identify consumers seeking health services near a facility (including mental-health or reproductive- health locations) is prohibited outright, which matters for any AI app using location as a behavioral signal.
  • Data minimization and deletion rights — consumers can request deletion of their consumer health data, and companies must honor it across their systems, including data used to train or fine-tune models where feasible.
  • Explicit biometric coverage — biometric data used to identify a consumer or infer health status is specifically named as a protected category, not left to interpretation.

The Private Right of Action Changes the Risk Math

Most US state privacy laws route enforcement exclusively through the state attorney general. MHMDA is different: it gives Washington consumers a private right of action under the state's Consumer Protection Act, meaning an individual user — not just a regulator — can bring a lawsuit over a violation. Combined with the potential for class treatment, this materially raises the litigation exposure for AI companies compared to CCPA-style regimes where individual consumers have far more limited standing.

MHMDA vs. BIPA: Don't Assume One Covers the Other

Companies that have already built an Illinois BIPA compliance program sometimes assume it covers Washington too. It doesn't. BIPA is narrowly about biometric identifiers and written consent before collection. MHMDA is broader in subject matter (all consumer health data, not just biometrics), broader in behavior it restricts (geofencing, data sales, sharing), and distinct in its enforcement mechanism (private right of action under Washington's Consumer Protection Act rather than BIPA's per-violation statutory damages). Treat them as two separate compliance tracks that happen to overlap on biometric data.

Compliance Checklist for AI Product Teams

Start with data mapping — most exposure comes from not realizing what counts as "health data."

Map every data signal your model uses that could reveal or infer a health status — not just data labeled 'health'Start here
Implement affirmative opt-in consent flows before collecting consumer health dataEssential
Build a separate authorization flow for any sale or sharing of consumer health data, including with AI/analytics vendorsEssential
Audit location-based features for geofencing near health facilities and remove any that qualifyEssential
Build deletion workflows that reach training data and derived inferences, not just raw stored recordsEssential
Review vendor and data-processing agreements for MHMDA-specific consumer health data termsVendor risk
Don't assume BIPA compliance covers MHMDA — run a separate gap analysisCommon mistake

Compliance gaps rarely stop at one law

If you're auditing MHMDA exposure, your consent flows and disclosure pages are also where accessibility complaints originate. RatedWithAI scans your site for free.

Scan Your Site for Free →

Frequently Asked Questions

Is my company covered even if we're not based in Washington?

Yes. MHMDA applies to entities that conduct business in Washington or process the consumer health data of Washington residents, regardless of where the company is headquartered — the same territorial logic as most modern US state privacy laws.

Does MHMDA only apply to obvious health apps?

No. Its definition of consumer health data extends to information that could reasonably be used to infer a health condition, which reaches fitness trackers, mood or sleep tracking, biometric wearables, and behavioral-inference AI products that never market themselves as health apps.

Can consumers really sue directly under MHMDA?

Yes. Unlike most state privacy statutes that route enforcement only through the attorney general, MHMDA authorizes a private right of action through Washington's Consumer Protection Act, giving individual consumers standing to sue over violations directly.

How does MHMDA treat data used to train AI models?

If the training data qualifies as consumer health data, the same consent, sale-authorization, and deletion obligations apply to it as to any other consumer health data the company holds — including, where feasible, honoring deletion requests that touch data used in model training or fine-tuning.

Related Guides