Washington MHMDA for Fitness Apps: Steps, Heart Rate, and Workout Data Are Consumer Health Data
Fitness app teams typically think of step counts, heart rate, sleep stages, and workout logs as "lifestyle" data. The Washington My Health My Data Act does not. Chapter 19.373 RCW reaches any personal information linked or reasonably linkable to a consumer that identifies the consumer's past, present, or future physical or mental health status, and the definition expressly extends to data derived or extrapolated from non-health information, including by algorithms or machine learning. The recovery score your training algorithm produces, the "elevated resting heart rate" flag your watch surfaces, the "low cardio fitness" tag your onboarding model assigns: all of that is consumer health data under RCW 19.373.010. The fact that your team would never call it "medical" does not change the analysis.
Why "fitness data is not medical data" is the wrong frame
The consumer-health-data definition under RCW 19.373.010 reaches inferences derived from non-health information that are used to associate or identify a consumer with a health-related category. That is the prong fitness apps miss. A raw step count is borderline; a "this user is sedentary and at cardiovascular risk" inference is clearly inside the statute. The same logic applies to:
- Heart rate variability turned into a recovery or readiness score.
- Sleep stages turned into a "sleep debt" or "fatigue" score.
- VO2max estimate, cardio fitness band, or training load metric.
- Period or cycle prediction from non-cycle inputs (workout consistency, sleep, weight).
- "Injury risk" or "overtraining risk" tags surfaced in the app.
- Demographic-plus-activity inferences that flag "pre-diabetic risk" or similar.
If your model takes raw fitness signal and outputs anything that categorizes the user's body or health state, the output is consumer health data even if the input was not.
The four MHMDA hooks that decide most fitness-app matters
1. Separate Consumer Health Data Privacy Policy under RCW 19.373.020. Fitness apps are the worst offenders here in my review experience. The team writes one long "Privacy Policy" covering everything, including health data, and assumes a section on health data is enough. It is not. The statute requires a separate standalone document with five substantive disclosures: the categories of consumer health data collected and the purposes for which they are collected and used, the categories of sources, the categories of consumer health data shared, the list of specific affiliates and categories of third parties that receive it, and the mechanism for exercising consumer rights. The link must be prominently published on the homepage. A footer link hidden behind a collapsed mobile menu is often inadequate.
2. Two-layer consent under RCW 19.373.030. Collection consent and sharing consent are separate. A signup that says "I agree to the Terms of Service and Privacy Policy" does not collect either consent under MHMDA. The collection consent must specify the purpose. The sharing consent must be distinct and disclose data categories, purpose and usage methods, receiving entities, and withdrawal mechanism. Most fitness apps fail the sharing prong because they treat their analytics SDK, advertising attribution platform, and AI inference vendor as part of the bundled "operating the service" disclosure.
3. Adtech and analytics audit under RCW 19.373.060 and RCW 19.373.070. If you send workout data, heart rate, or any derived inference to Meta, TikTok, Google Ads, AppsFlyer, Branch, Amplitude, Mixpanel, or a similar platform without a binding processor contract that limits processing to documented instructions, you have a processor problem. If that vendor uses the data for its own purposes (training its own model, ad targeting beyond your campaigns), you have a candidate "sale" under the broad definition in RCW 19.373.010, which requires the nine-element written authorization under RCW 19.373.070. The authorization is one year, revocable, and invalid if missing any element.
4. Geofence prohibition under RCW 19.373.080. Fitness apps with location features should map their ad-campaign geofences against the 2,000-foot perimeter around any entity that provides in-person health care services; the 2,000-foot figure comes from the definition of "geofence" in RCW 19.373.010. The prohibition is categorical: it is unlawful to implement such a geofence to identify or track consumers seeking health care services, to collect consumer health data, or to send notifications, messages, or advertisements related to consumer health data or health care services. The section contains no consent exception, so consent does not cure the violation.
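The geofence mapping in item 4 is the one hook on this list that reduces to a geometry check, so here is an added example of how an engineering team can run it. This is illustrative code written for this page, not code from the statute, from any regulator, or from any ad platform. It assumes campaign geofences are circles (center latitude/longitude plus a radius in meters) and approximates each facility as a point plus an estimated footprint radius standing in for its real building perimeter; the campaign and facility coordinates are constructed sample data, not real locations.

```python
"""
Added example (not from the original page): flag ad-campaign geofences whose
edge falls within the 2,000-foot band that RCW 19.373.010 uses to define a
"geofence" around an in-person health care facility.

Assumptions (not from the page): campaign geofences are circles given as
(center lat/lon, radius in meters); each facility is a point plus an estimated
footprint radius standing in for its real perimeter. All coordinates below are
constructed sample data, not real campaigns or facilities.
"""
import math

FT_TO_M = 0.3048
MHMDA_BAND_M = 2000 * FT_TO_M    # 2,000 ft from the facility perimeter, in meters
EARTH_RADIUS_M = 6_371_000.0


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in meters between two WGS84 points."""
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(phi1) * math.cos(phi2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))


def geofence_conflicts(campaign, facility):
    """True if the campaign circle's edge comes within 2,000 ft of the facility perimeter.

    The gap between the campaign edge and the facility perimeter is approximated
    as center-to-center distance minus both radii. A gap at or below the band
    (including a negative gap, meaning the circle overlaps the facility) is a hit.
    Treating the facility as a point plus footprint radius is an assumption; a
    real audit would use the parcel polygon.
    """
    d = haversine_m(campaign["lat"], campaign["lon"], facility["lat"], facility["lon"])
    edge_gap = d - campaign["radius_m"] - facility["footprint_m"]
    return edge_gap <= MHMDA_BAND_M


def audit(campaigns, facilities):
    """Return {campaign_id: [facility names it conflicts with]} for campaigns needing review."""
    findings = {}
    for c in campaigns:
        hits = [f["name"] for f in facilities if geofence_conflicts(c, f)]
        if hits:
            findings[c["id"]] = hits
    return findings


# Constructed sample data for illustration only (not real facilities or campaigns).
FACILITIES = [
    {"name": "clinic-A", "lat": 47.6100, "lon": -122.3400, "footprint_m": 40.0},
]
CAMPAIGNS = [
    # Center ~300 m north of clinic-A with a 200 m radius: edge gap ~60 m, inside the band.
    {"id": "spring-promo", "lat": 47.6127, "lon": -122.3400, "radius_m": 200.0},
    # Center ~4.4 km north with a 500 m radius: edge gap ~3.9 km, clear of the band.
    {"id": "marathon-expo", "lat": 47.6500, "lon": -122.3400, "radius_m": 500.0},
]

if __name__ == "__main__":
    for cid, hits in audit(CAMPAIGNS, FACILITIES).items():
        print(f"REVIEW {cid}: geofence reaches within 2,000 ft of {', '.join(hits)}")
```

The check is deliberately conservative in one direction only: it flags anything whose edge could plausibly land inside the band, so a hit means "pull the campaign configuration and have counsel look at it," not "this is a violation." Run it against every facility category the statute covers, not only hospitals; urgent care, physical therapy, and pharmacy clinics all provide in-person health care services.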
The per se CPA hook for fitness apps
RCW 19.373.090 declares an MHMDA violation a per se Consumer Protection Act violation. For a fitness app with a single Washington user that means a private plaintiff gets actual damages, discretionary treble damages capped at $25,000 on the enhancement, and one-way attorney's fees under RCW 19.86.090, with the public-interest and unfair-or-deceptive elements declared by statute. The plaintiff still pleads injury and causation. The four-year SOL under RCW 19.86.120 applies. This is the highest-leverage state health-privacy statute in the United States, and fitness apps with national footprints are squarely inside it.
What I review when you send me a fitness-app matter
- Current privacy policy URL plus a date-stamped capture, plus the separate Consumer Health Data Privacy Policy if one exists.
- Homepage screenshot showing the policy link on desktop and mobile after any hamburger collapse.
- Signup flow screenshots, consent banner, sharing toggles, and any withdrawal mechanism.
- Data inventory: raw signals (steps, heart rate, location, sleep), derived inferences (recovery, training load, risk scores), and storage/retention.
- SDK list: analytics, attribution, advertising, AI inference, customer support, and any wearable integration.
- Processor and sub-processor list plus current DPA template.
- Any geofence campaign configuration if you advertise location-based offers near gyms, clinics, or pharmacies.
Service tiers
- $125 written email evaluation. Two-business-day turnaround. Right starting point for a written attorney read.
- $499 MHMDA scope memo. Determination plus top compliance gaps. Five-business-day turnaround.
- $900 MHMDA review with DPA and vendor language. Scope memo plus the processor-contract language you need with analytics, adtech, and AI vendors.
- $1,500 MHMDA compliance package. Scope memo, DPA language, and a drafted standalone Consumer Health Data Privacy Policy.
Sergei's practical note
Fitness apps come to me with the same misconception: "we are not HIPAA-covered, so we are not regulated." HIPAA scope and MHMDA scope are different statutes with different reach. The MHMDA was written for exactly the data your app collects. Send the privacy policy, the signup-flow screenshots, the SDK list, and a brief product description. I will tell you whether the matter looks like a $499 scope memo or a $1,500 full package. Regulatory advisory work under California license; not Washington representation.
Related Washington resources
For the full statutory walk-through, see my Washington My Health My Data Act resource. To self-assess, use the Wellness App MHMDA Risk Checker or the MHMDA Scope Analyzer. Adjacent verticals: wellness apps, sleep tracking, period tracking, and weight loss.
Educational resource. Sergei Tokmakov is a California attorney (CA Bar #279869) currently seeking admission to the Washington State Bar. Nothing on this page creates an attorney-client relationship or is Washington legal advice. A Washington-admitted attorney should verify operative statute text before relying on it in a live matter.