Health Privacy

Washington Marijuana Retailer Sued Under My Health My Data Act for Website Pixel Use

November 13, 2025 in Data Privacy, Health + Biotech Privacy, Personal Data

A class action suit was recently filed against the companies that operate Uncle Ike's, a Seattle-area marijuana retailer. The suit filed in Washington federal court alleges common law tort claims, ECPA claims, and a claim under the My Health My Data Act (‘MHMDA’ or ‘the Act’).

Unlike the MHMDA claims that have been brought to-date against other companies that seem to allege MHMDA violations as something of an afterthought, the complaint brought against Uncle Ike’s makes a number of allegations in support of the MHMDA claim. In particular, the complaint alleges that:

the Uncle Ike's website accepted online purchases of marijuana products, including medical marijuana products, and permitted medical marijuana card appointment scheduling;
information about these transactions was shared with Google via pixels and other tracking technologies; and
Uncle Ike’s online privacy policy said that sensitive personal data would be kept private.

To bring a claim under MHMDA, plaintiffs must demonstrate that they have suffered a "harm to business or property" under the Washington Consumer Protection Act (WCPA) that was caused by defendant's violation of MHMDA. Here, plaintiffs allege that Uncle Ike’s disclosure of their sensitive information without consent has caused “numerous injuries,” including “invasion of medical privacy,” “diminution of value of the[ir] Sensitive Information,” and “continued and ongoing risk to their Sensitive Information.” The court’s receptivity to these allegations of harm will be significant and may create a playbook for future MHMDA plaintiffs.

If your company has a website or app that sells even tangentially health-related products, shares medical or health related content, or allows appointment scheduling for medical appointments, this lawsuit is a good reminder to:

Assess which data involved in these activities is "health data" under laws like the MHMDA; and
Confirm that appropriate consents and authorizations are obtained before that data is "sold" to third parties, including for targeted advertising purposes (under MHMDA, the required authorizations may be impractical to obtain in the website or mobile app context).

You can read the plaintiff law firm's announcement here. If you need a refresh on MHMDA, check out our blog series here.

Hintze Law PLLC is a Chambers-ranked and Legal 500-recognized, boutique law firm that provides counseling exclusively on privacy, data security, and AI law. Its attorneys and data consultants support technology, ecommerce, advertising, media, retail, healthcare, and mobile companies, organizations, and industry associations in all aspects of privacy, data security, and AI law.

Sam Castic is a Partner with Hintze Law, chair of the firm’s Retail Group, and co-chair of the Cybersecurity and Breach Response Group and FinTech + Financial Services Group. As a former chief privacy officer, he helps companies build, scale, and right-size privacy programs and strategies.

Felicity Slater is an Associate at Hintze Law PLLC with experience in global data protection issues, data breach notification laws, privacy impact assessments, GDPR, and privacy statements.

California Prohibits AI Misrepresentations about Health Care Licenses

October 23, 2025 in Artificial Intelligence, GenAI, Health + Biotech Privacy, State Legislation

By Cameron Cantrell

On October 11, 2025, California’s Governor Newsom signed AB 489, a law designed to address health advice from artificial intelligence (“AI”). It will take effect on January 1, 2026.

California’s Healthline.com Enforcement Action Shows CCPA’s Teeth – and Sensitive Data Reach

July 09, 2025 in CCPA, Data Privacy, Health + Biotech Privacy, State Legislation

By Mason Fitch and Kate Black

The California Attorney General’s Office (“OAG”) announced an enforcement action against Healthline.com on July 1 that marks a significant development in California Consumer Privacy Act (CCPA) enforcement. This action, accompanied by the largest fine under CCPA yet at $1.55 million, highlights critical areas of consideration for any company engaging in the advertising ecosystem as well as any company that processes sensitive personal information.

Congratulations to Mason Fitch on Promotion to Of Counsel

July 09, 2025 in Hintze Law Recognitions

Hintze Law PLLC is pleased to announce Mason Fitch’s promotion to Of Counsel at the firm.

Texas District Court Vacates Majority of HIPAA Reproductive Privacy Rule

June 24, 2025 in Data Privacy, Health + Biotech Privacy

by Cameron Cantrell and Felicity Slater

On June 19, 2025, the U.S. District Court in the Northern District of Texas vacated the vast majority of the HIPAA Privacy Rule to Support Reproductive Health Care Privacy (the “HIPAA Reproductive Privacy Rule” or “Rule”). The Department of Health and Human Services (“HHS”) published the Rule in the Federal Register in April 2024 with a compliance date of December 23, 2024. The District Court’s decision to vacate the reproductive privacy aspects of the Rule has an immediate and nationwide effect.

Hintze & Partners Recognized by Chambers in 2025 USA Rankings

June 05, 2025 in Hintze Law Recognitions

Hintze Law PLLC is delighted to announce the Chambers & Partners recognition of Susan Hintze, Mike Hintze, Sam Castic, and Mason Fitch in its USA Guide 2025. These recognitions include the firm’s sixth year being nationally ranked in Privacy and Data Security, and third year in Privacy & Data Security: Healthcare.

Virginia Governor Signs Reproductive Health Data Restrictions into Law

April 02, 2025 in Data Privacy, Health + Biotech Privacy, State Legislation

by Cameron Cantrell and Felicity Slater

On March 24, 2025, Governor Youngkin (R) of Virginia signed SB 754—which amends the Virginia Consumer Protection Act (VCPA) to restrict the collection and processing of “reproductive or sexual health information” and is enforceable through a private right of action—into law. The law will take effect July 1, 2025.

Fourth Circuit Publishes Landmark Ruling on 21st Century Cures Act “Information Blocking”

March 24, 2025 in Data Privacy, Health + Biotech Privacy

By Cameron Cantrell and Kate Black

On March 12, 2025, the Fourth Circuit Court of Appeals ruled that (1) the information blocking prohibition in the federal 21st Century Cures Act (“Cures Act”) was plausibly violated when an Electronic Health Record (EHR) provider blocked bot access to its systems without sufficient justification, and (2) this violation may support a Maryland state law unfair competition claim, despite the Cures Act not having its own private right of action. This decision notably appears to be the first Circuit Court decision concerning the information blocking prohibition and, for parties subject to the rule, raises the risk that information blocking may be enforceable through a de facto state privacy right of action.

Don’t Sleep on Maryland: The Maryland Online Data Privacy Act Will Keep Health and Wellness Companies Up at Night

February 14, 2025 in Data Privacy, State Legislation, Health + Biotech Privacy

By Felicity Slater and Kate Black

The Maryland Online Data Privacy Act (“MODPA” or the “Act”), which takes effect October 1, 2025, establishes a set of novel requirements that will have a particular impact for companies operating in the health and wellness sectors.

Hintze & Partners Recognized by Chambers in 2025 Global Rankings

February 13, 2025 in Data Privacy, Health + Biotech Privacy, Hintze Law Recognitions

Hintze Law and its lawyers have once again been recognized in Chambers & Partners for expertise in Privacy and Data Security in the 2025 Chambers Global Guide. These recognitions include Hintze Law’s fifth year being ranked as an Elite Law Firm for Privacy and Data Security as well as the firm’s second year receiving recognition for Privacy and Data Security: Healthcare.

New York Legislature Passes Extraordinarily Restrictive Health Data Privacy Bill

January 22, 2025 in State Legislation, Health + Biotech Privacy

By Mike Hintze and Felicity Slater

Last year, we wrote about a proposed New York State law that would have significant impacts for entities that process health and wellness related data. That bill failed to pass before the 2024 legislative session ended. But today, in the early days of the 2025 session, the New York State legislature has passed Senate Bill S929 (SB S929), which is essentially unchanged from last year’s bill.

In ‘Holy Redeemer’ Settlement Agreement, OCR Continues to Prioritize Privacy Protections for Reproductive Health Information

December 05, 2024 in HIPAA, State Legislation, Health + Biotech Privacy

by Felicity Slater and Kate Black

On November 26, 2024, the Office of Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) announced a resolution agreement and corrective plan with Pennsylvania’s Holy Redeemer Hospital (Holy Redeemer). The agreement settles OCR’s claim that Holy Redeemer disclosed a patient’s protected health information (PHI)—including intimate reproductive health details—without a permissible purpose or valid authorization from the patient in violation of the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule.

A Last-Minute Push for a Reproductive Health Privacy Law in Michigan

November 19, 2024 in Health + Biotech Privacy

By Mike Hintze and Felicity Slater

On November 7, 2024, the Michigan legislature introduced Senate Bill 1082 / House Bill 6077, the Reproductive Data Privacy Act (the “RDPA” or the “act”). The act was introduced in the aftermath of the 2024 election cycle as Michigan Democrats brace to lose control of the House in 2025. At a hearing in the Senate Committee on Housing and Human Services, lawmakers backing the RDPA expressed a hope to pass the act before the year’s end.

Washington My Health My Data Act - Part 4: Effective Dates

April 18, 2023 in State Legislation

By Mike Hintze

Yesterday the amended Senate version of the Washington My Health My Data Act was approved by the Washington State Legislature. Now that it is a near certainty the Act will become law in its current form, entities subject to the Act need to start preparing to comply. The key factor in determining deadlines for having compliance measures in place is the effective date of the Act. The Act purports to come into effect on March 31, 2024 (and for small businesses, three months later on June 30, 2024). However, contrary to stated legislative intent, and due to what one can only conclude is, at least in part, a drafting error, some of the key substantive provisions of the Act may come into effect much sooner than expected - as soon as July 2023.

Washington My Health My Data Act - Part 3: The Scope of Entities and Consumers Captured by the Act

April 17, 2023 in State Legislation

By Mike Hintze

The Washington My Health My Data Act applies to “regulated entities” that collect or process “consumer health information” from “consumers.” Part two of this series addressed the definition of “consumer health data” and how that definition results in a scope of applicability that is far beyond what we might typically think of as sensitive health data. But the other two above-quoted defined terms – “regulated entity” and “consumer” also result in a very broad (and in some ways surprising) scope and impact.

Washington My Health My Data Act - Part 2: The Scope of “Consumer Health Data”

April 12, 2023 in State Legislation

By Mike Hintze

The substantive requirements of the Washington My Health My Data Act apply to collection, use, and disclosure of “consumer health data.” While there are a few important exclusions, the stunning breath of that term's definition, means that it will be difficult to safely conclude that any category of personal data is out of scope of the Act. As a result, it is inaccurate to refer to the Washington My Health My Data Act as a “health data privacy law.” On the contrary, it is, in effect, a generally-applicable privacy law.

The Washington My Health My Data Act - Part 1: An Overview

April 10, 2023 in State Legislation

By Mike Hintze

The Washington My Health My Data Act will become the most consequential privacy legislation enacted in 2023. The sweeping scope and extreme substantive obligations, combined with vague terms and with a full private right of action, make this Act extraordinarily challenging and risky for entities seeking to comply with its requirements.