Washington educational resource

My fertility app reaches Washington users. What does the My Health My Data Act actually require?

A fertility app is a difficult MHMDA fact pattern. The data set combines cycle dates, ovulation predictions, sexual activity logs, basal body temperature, partner data, IVF or IUI clinic events, pregnancy outcomes, and pregnancy-loss events. Most apps also pull location, device IDs, and behavioral signals into the same product. Each one of those is consumer health data under Chapter 19.373 RCW, and the combination creates a risk profile that a generic privacy policy almost never addresses. This page is the practical compliance map I work from when a fertility-app operator asks whether they are exposed.

Why fertility data sits at the high-risk end of MHMDA

"Consumer health data" under Chapter 19.373 RCW includes data that identifies a consumer's past, present, or future physical or mental health status, including reproductive or sexual health information and any inference about health drawn from non-medical signals. A cycle-tracker entry is direct reproductive health data. An ovulation prediction is an inference about reproductive health derived from prior entries. A pregnancy-test result logged in the app is health-status data. A location ping near a fertility clinic is a precise location near a healthcare facility. Each category is in scope, and a fertility app typically holds all of them on the same user record.

The combination matters because MHMDA's per-se Consumer Protection Act bridge turns every category-specific failure into the same litigation theory: a Washington consumer pleads a violation of any subsection and the public-interest and unfair-or-deceptive elements are supplied by the statute. Injury and causation still must be pled and proved, but the framework is sympathetic to reproductive-data plaintiffs in the post-Dobbs litigation environment.

The separate Consumer Health Data Privacy Policy (RCW 19.373.020)

RCW 19.373.020 requires a standalone consumer-health-data privacy policy, clearly and conspicuously published with five substantive disclosures: categories of consumer health data collected and the purposes for which it is used, categories of sources, categories of data shared, the list of categories of third parties and specific affiliates with whom the data is shared, and how a consumer exercises rights under RCW 19.373.040. The policy must be prominently linked from the homepage in a way that survives mobile collapse.

For a fertility app this means a dedicated document that names the cycle data, the symptom logs, the pregnancy-status logs, the partner data, the device and location signals, and the inferences derived from those entries. It names the analytics platforms, the ad SDKs, the cloud processors, and the partner labs or clinics by category and by specific affiliate. A generic privacy policy that lumps "health data" into a single paragraph almost never satisfies this rule, and bundling MHMDA into a general policy is the single most common compliance gap I see on operator-side reviews.

Two-layer consent for collection and sharing (RCW 19.373.030)

RCW 19.373.030 requires affirmative opt-in consent for collection of consumer health data and a separate, distinct consent for sharing with third parties. The two consents cannot be bundled into a single terms-of-service acceptance. For a fertility app this typically means two friction points the product team will resist: one consent when the user logs the first reproductive-health entry, and a second consent at the point any sharing flow (analytics, ad partner, partner clinic) takes the data outside the app. The authorization request must disclose data categories, purpose and usage methods, receiving entities, and the withdrawal mechanism. A CCPA-style banner is not enough.

The 2,000-foot geofence prohibition (RCW 19.373.080)

RCW 19.373.080 bans implementing a geofence around any entity that provides in-person healthcare services when the geofence is used to identify or track consumers, collect consumer health data, or send notifications, messages, or advertisements related to consumer health data or healthcare services. "Geofence" under Chapter 19.373 RCW is a virtual boundary within 2,000 feet of the perimeter of the physical location. For a fertility app, the practical effect is that a campaign targeting users who entered the area around a fertility clinic, an OB-GYN office, an abortion provider, an IVF center, or any hospital running a reproductive-health line is exposed. The prohibition is categorical; there is no consent override.

Sale of consumer health data and written authorization (RCW 19.373.070)

RCW 19.373.070 makes it unlawful to sell consumer health data without a written authorization signed by the consumer with all nine elements: specific identification of the data, name and contact details of the seller, name and contact details of the buyer, description of purpose including how data will be gathered and used, a statement that provision of goods or services may not be conditioned on signing, the revocation right and instructions, notice that purchased data may be subject to redisclosure, expiration one year from signature, and the consumer's signature and date. A fertility app's data-monetization partnership or research-data sale that misses any element is invalid as authorization.

Sergei's practical note

Fertility apps are the cluster where the gap between actual data practices and the MHMDA text is widest. The app I review is usually built on a generic SaaS privacy template, an embedded ad SDK or two, and an analytics pipeline that flows reproductive entries into a third-party warehouse. None of those vendors prepared for a separate-policy rule, a two-layer consent flow, a 2,000-foot geofence audit, or a nine-element sale authorization. The fix is not a single document; it is a coordinated change to the policy, the consent UX, the ad partnership configuration, and the processor contract stack. Send the current policy, the consent screenshots, the SDK inventory, and a description of the data flow, and I will tell you which tier of work fits.

Related Washington resources

For the full statutory walkthrough, see my Washington My Health My Data Act resource. To run the cross-product triage, see my MHMDA Scope Analyzer and the reproductive-health-specific Reproductive Health Data Risk Checker. For privacy-policy gap analysis, see my MHMDA Privacy Policy Gap Checker. Related cluster pages: Period-tracking apps, Reproductive-health apps, Reproductive-health geofencing ban.

Educational resource. Sergei Tokmakov is a California attorney (CA Bar #279869) currently seeking admission to the Washington State Bar. Nothing on this page creates an attorney-client relationship or is Washington legal advice. A Washington-admitted attorney should verify operative statute text and any case citations before relying on them in a live matter.