Washington Marijuana Retailer Sued Under My Health My Data Act for Website Pixel Use

in , ,

by Sam Castic and Felicity Slater

A class action suit was recently filed against the companies that operate Uncle Ike's, a Seattle-area marijuana retailer. The suit filed in Washington federal court alleges common law tort claims, ECPA claims, and a claim under the My Health My Data Act (‘MHMDA’ or ‘the Act’). 

Unlike the MHMDA claims that have been brought to-date against other companies that seem to allege MHMDA violations as something of an afterthought, the complaint brought against Uncle Ike’s makes a number of allegations in support of the MHMDA claim. In particular, the complaint alleges that:

  • the Uncle Ike's website accepted online purchases of marijuana products, including medical marijuana products, and permitted medical marijuana card appointment scheduling;

  • information about these transactions was shared with Google via pixels and other tracking technologies; and

  • Uncle Ike’s online privacy policy said that sensitive personal data would be kept private.

To bring a claim under MHMDA, plaintiffs must demonstrate that they have suffered a "harm to business or property" under the Washington Consumer Protection Act (WCPA) that was caused by defendant's violation of MHMDA. Here, plaintiffs allege that Uncle Ike’s disclosure of their sensitive information without consent has caused “numerous injuries,” including “invasion of medical privacy,” “diminution of value of the[ir] Sensitive Information,” and “continued and ongoing risk to their Sensitive Information.” The court’s receptivity to these allegations of harm will be significant and may create a playbook for future MHMDA plaintiffs.

If your company has a website or app that sells even tangentially health-related products, shares medical or health related content, or allows appointment scheduling for medical appointments, this lawsuit is a good reminder to:

  • Assess which data involved in these activities is "health data" under laws like the MHMDA; and

  • Confirm that appropriate consents and authorizations are obtained before that data is "sold" to third parties, including for targeted advertising purposes (under MHMDA, the required authorizations may be impractical to obtain in the website or mobile app context).

You can read the plaintiff law firm's announcement here. If you need a refresh on MHMDA, check out our blog series here.

Hintze Law PLLC is a Chambers-ranked and Legal 500-recognized, boutique law firm that provides counseling exclusively on privacy, data security, and AI law. Its attorneys and data consultants support technology, ecommerce, advertising, media, retail, healthcare, and mobile companies, organizations, and industry associations in all aspects of privacy, data security, and AI law. 

Sam Castic is a Partner with Hintze Law, chair of the firm’s Retail Group, and co-chair of the Cybersecurity and Breach Response Group and FinTech + Financial Services Group. As a former chief privacy officer, he helps companies build, scale, and right-size privacy programs and strategies.

Felicity Slater is an Associate at Hintze Law PLLC with experience in global data protection issues, data breach notification laws, privacy impact assessments, GDPR, and privacy statements.