Washington educational resource

How does Washington's My Health My Data Act apply to abortion-travel data?

Abortion-travel data is the cleanest single fact pattern for Washington's My Health My Data Act. The data combines health status (the procedure sought), location (travel to and around clinics), timing (correlating with cycle, pregnancy-test, or referral entries), search behavior (queries about providers, medications, or travel logistics), and adtech infrastructure (the campaigns and analytics partners that consume the same signal stream). Each component is consumer health data under Chapter 19.373 RCW. Together they create exactly the risk profile MHMDA was drafted to address.

Last legally reviewed: 2026-05-19. Citations verified against Chapter 19.373 RCW on app.leg.wa.gov. MHMDA reaches out-of-state companies that conduct business in Washington or target products or services to Washington consumers and determine the purposes and means of processing consumer health data.

The 2,000-foot geofence prohibition (RCW 19.373.080)

RCW 19.373.080 is the section that does the most work for abortion-travel privacy. It is unlawful to implement a geofence around an entity that provides in-person healthcare services where the geofence is used to identify or track consumers seeking healthcare services, collect consumer health data, or send notifications, messages, or advertisements related to consumer health data or healthcare services. "Geofence" under RCW 19.373.010 is a virtual boundary within 2,000 feet of the perimeter of the physical location.

For abortion-travel the rule reaches campaigns and SDKs that target users near an abortion provider, a Planned Parenthood clinic, a hospital running an abortion or reproductive line, a pharmacy filling medication-abortion prescriptions, or an airport or transit hub where the targeting is tied to known clinic-area arrivals. The prohibition is categorical; there is no consent override. A campaign that collects location near the facility, identifies users present in the area, or sends a notification or message related to reproductive-healthcare services is on the wrong side of the section.

Sale of consumer health data (RCW 19.373.070)

RCW 19.373.070 makes it unlawful to sell consumer health data without a written authorization with all nine elements: identification of the data, seller and buyer contact, description of purpose, statement that provision of goods or services may not be conditioned on signing, revocation right, redisclosure notice, one-year expiration, and signature plus date. "Sale" under RCW 19.373.010 includes exchanges for monetary or other valuable consideration, which sweeps in data-broker arrangements and analytics partnerships that pass abortion-travel signals downstream in exchange for services or insight.

Two-layer consent (RCW 19.373.030)

RCW 19.373.030 requires affirmative opt-in consent for collection of consumer health data and a separate, distinct consent for sharing. For abortion-travel signals collected from a Washington user, both consents are required, and a single terms-of-service or app-permission acceptance is not enough. The authorization request must disclose data categories, purpose and usage methods, receiving entities, and the withdrawal mechanism.

The per-se Consumer Protection Act bridge (RCW 19.373.090)

RCW 19.373.090 makes any MHMDA violation a per-se Washington CPA violation. A Washington consumer plaintiff pleads the public-interest and unfair-or-deceptive elements automatically; injury and causation still must be pled and proved. The remedy under RCW 19.86.090 is actual damages, discretionary trebling up to $25,000, and one-way attorney's fees to a prevailing plaintiff. The four-year SOL under RCW 19.86.120 applies. Abortion-travel matters are exactly the kind of fact pattern where the per-se framework is most likely to be tested.

Companies most exposed. The exposure here is not just on the apps that collect cycle or pregnancy data. It extends to map apps, navigation SDKs, travel-booking platforms, rideshare apps, payment apps, and any product whose ad-tracking SDK consumes location near a Washington clinic. The 2,000-foot perimeter is mechanically broad. If your product touches Washington users and your SDK inventory has not been audited against a Washington-clinic address list, this is the matter to look at first.

Sergei's practical note

Abortion-travel privacy is the area where I see the largest gap between what operators believe their stack does and what their SDKs actually do. The ad-tech vendor explanations are not always candid about the location signal flow, and the operator inherits the responsibility. The MHMDA review here is concrete: enumerate the SDKs, list the partners, map the location-signal flow against the 2,000-foot perimeter around a known list of healthcare facilities, and document where the campaign or partner relationship needs to change. Send the SDK inventory, the partner list, the ad-platform configuration, and the privacy-policy URL, and I will scope the work.

Related Washington resources

For the full statutory walkthrough, see my Washington My Health My Data Act resource. The Reproductive-Health Geofencing Ban page covers RCW 19.373.080 in more depth, and the Geofencing Risk for Adtech page applies the prohibition to specific SDK and campaign configurations. To run the triage, see my Reproductive Health Data Risk Checker.

Educational resource. Sergei Tokmakov is a California attorney (CA Bar #279869) currently seeking admission to the Washington State Bar. Nothing on this page creates an attorney-client relationship or is Washington legal advice.