Washington cannabis dispensary Uncle Ike’s is subject to a proposed class action in federal court alleging that it shared information on consumer purchases with Google and other third parties through its use of website tracking tools. 

Allegations

Plaintiffs claim that their personal information, including information regarding their medical marijuana appointments and purchases, were disclosed to third parties without consent. The complaint alleges that Uncle Ike’s:

• Configured website tracking tools to “capture and transmit the sensitive information” communicated during appointment scheduling

• Configured trackers to transmit information beyond default categories, including information regarding specific products added to shopping charts or purchased, the scheduling of medical marijuana card appointments, and the entering of medical marijuana card numbers

• Posted a defective privacy policy that incorrectly “assure[d] their customers that [defendant would] keep their sensitive information private and secure and…only disclose sensitive information under certain circumstances” 

Plaintiffs brought several claims including invasion of privacy, breach of confidence, negligence, breach of implied contract, unjust enrichment act, violations of the Electronic Communications Privacy Act, and violations of MHMD Act (brought under the Washington Consumer Protection Act). 

Washington’s My Health My Data Act 

As we have written before, the Washington My Health My Data (“MHMD”) Act broadened protections for health-related information beyond HIPAA’s scope, extending enforcement to a broad variety of data types and businesses. The MHMD Act requires organizations to obtain opt in consent from consumers for the collection or sharing of health data. Separate signed authorization is needed for any sales of health data. Consumer health data is defined broadly in the act and includes all “personal information that is linked or reasonably linkable to a consumer and that identifies the consumer’s past, present, or future physical or mental health status.” 

Takeaways

The MHMD Act requires that consumers suing under the law’s private right of action prove actual injury as a result of the business’s practices. The complaint alleges that plaintiffs suffered “numerous injuries” including a diminution of value of their sensitive information. The complaint also alleges that defendants “received substantial, quantifiable value from their use of…sensitive information without providing any value or benefit to plaintiffs” and “failed to provide plaintiffs…with the full value of the services for which they paid.”

It is not yet clear whether the Washington court will be receptive to these claims of financial injury. The determination could significantly alter the enforcement of the MHMD Act by creating a clearer path for private claims, beyond Attorney General enforcement. 

Companies with websites or apps that touch Washington’s expansive definition of health-related products and data should conduct a thorough evaluation of their practices, including their targeted advertising practices. And, companies should review their privacy policies and other documentation to confirm it aligns with their actual practices.