Womble Perspectives
Welcome to Womble Perspectives, where we explore a wide range of topics from the latest legal updates to industry trends to the business of law. Our team of lawyers, professionals and occasional outside guests will take you through the most pressing issues facing businesses today and provide practical and actionable advice to help you navigate the ever-changing legal landscape. With a focus on innovation, collaboration and client service, we are committed to delivering exceptional value to our clients and to the communities we serve.
Womble Perspectives
Amazon’s Data Harvesting Lawsuit and Its Implications for Enterprise Privacy
On February 10, 2025, Amazon was hit with a class-action lawsuit under Washington’s groundbreaking MY Health MY Data Act. This is the very first case filed under the Act, marking a pivotal moment in data privacy litigation. Today, we’ll break down what this case is about, how Amazon’s use of Software Development Kits, commonly abbreviated as SDKs, plays into it, and what this could mean for businesses, consumers, and the future of SDK-related claims.
Read the full article
First Class Action Filed Under Washington’s MY Health MY Data Act Draws Parallels to Previous SDK Litigation
About the author
Ryan D. Ellard, CIPP/US
Welcome to Womble Perspectives, where we explore a wide range of topics, from the latest legal updates to industry trends to the business of law. Our team of lawyers, professionals and occasional outside guests will take you through the most pressing issues facing businesses today and provide practical and actionable advice to help you navigate the ever changing legal landscape.
With a focus on innovation, collaboration and client service. We are committed to delivering exceptional value to our clients and to the communities we serve. And now our latest episode.
On February 10, 2025, Amazon was hit with a class-action lawsuit under Washington’s groundbreaking MY Health MY Data Act. This is the very first case filed under the Act, marking a pivotal moment in data privacy litigation. Today, we’ll break down what this case is about, how Amazon’s use of Software Development Kits, commonly abbreviated as SDKs, plays into it, and what this could mean for businesses, consumers, and the future of SDK-related claims.
First, let's set the stage. On February 10, a plaintiff named Cassaundra Maxwell brought a class-action complaint against Amazon and its advertising arm, claiming the company was collecting and monetizing location data without users’ consent. This practice allegedly involved embedding SDKs in third-party apps like the Weather Channel and OfferUp.
SDKs allowed Amazon to collect incredibly detailed data, including precise location information and even consumer health data, as defined under the Washington MY Health MY Data Act. These allegations fall under seven causes of action, including violations of the Federal Wiretap Act, the Stored Communications Act, and of course, the Act we're discussing today.
If you’re not a developer, you may be wondering, what exactly is an SDK? SDKs, or Software Development Kits, are bundles of pre-written software code that developers can use to streamline app creation. They’re like ready-made building blocks to save time and effort.
Unfortunately, there’s a catch. Many SDKs come with hidden functionalities, like data collection tools. And that’s where the controversy lies. According to the lawsuit, Amazon’s SDKs harvested location data, allegedly breaching the trust of app users who had no idea this was happening behind the scenes. It’s a classic case of convenience vs. privacy.
Enacted on March 31, 2024, Washington’s MY Health MY Data Act aims to protect consumer health data, which can include personal information like location data tied to healthcare activities. The law requires businesses to get clear, consumer consent before collecting such data, provide standalone privacy policies, and avoid practices like geofencing near sensitive locations.
What truly makes the MHMDA groundbreaking is its private right of action. This means that consumers—not just government entities or regulators—can sue businesses for any violations. It’s a powerful tool for individuals like Cassaundra Maxwell, who filed her lawsuit against Amazon under this law. Unlike some other data privacy laws, the MY Health MY Data Act is setting a precedent for more direct accountability.
The bigger question remains though, is this case unique or part of a broader trend in SDK-related lawsuits?
The case against Amazon isn’t happening in isolation. Similar lawsuits against SDK-related data collection practices have already surfaced. Take, for instance, Greenley v. Kochava. Filed in California in 2023, this case accused Kochava of embedding SDKs into apps to collect location data and then monetizing this data for advertising purposes.
Another case, Xu v. Reuters News, dealt with the collection of IP addresses but was dismissed when it failed to show concrete harm. Similarly, Gabrielli v. Insider emphasized limits on what constitutes personal identifiers. What makes Maxwell v. Amazon distinct, however, is its use of the MY Health MY Data Act, showing a shift in leverage for consumers.
The implications of this case extend far beyond Amazon. It highlights recurring privacy concerns with SDK use and signals a shift toward more robust consumer protections. For businesses, especially those handling sensitive health data, the takeaway is clear. Proactive compliance isn’t optional; it’s critical.
Here are three key points to keep in mind:
First, businesses must adapt. Companies dealing with customer data need stricter internal policies around SDK use.
Second, privacy legislation is expanding: Laws like the MHMDA may serve as templates for future privacy regulations.
And lastly, the legal landscape is evolving: Courts will play a pivotal role in shaping the outcomes of these lawsuits, which will, in turn, influence how companies handle data moving forward.
While this case is ongoing, Amazon’s response will set a precedent for how big tech navigates emerging privacy laws.
If you’re a business leader, tech enthusiast, or an everyday consumer, stay informed about developments in data privacy laws. For those in the tech space, now is the time to audit your SDKs and ensure full compliance with new laws such as the MY Health MY Data Act.
Thank you for listening to Womble Perspectives. If you want to learn more about the topics discussed in this episode, please visit The Show Notes, where you can find links to related resources mentioned today. The Show Notes also have more information about our attorneys who provided today's insights, including ways to reach out to them.
Don't forget to subscribe via your podcast player of choice so that you never miss an episode. Thank you again for listening.