Washington educational resource

Washington MHMDA for Nutrition Apps: Calorie Logs, Macro Targets, and Diet Inferences Are Consumer Health Data

Nutrition apps look like diet trackers from the outside: log food, count calories, hit a macro target. Inside, the system stores a continuous record of what the user eats, when they eat it, how their weight responds, and how their behavior maps to dietary patterns the app categorizes. Under RCW 19.373.010, that record is consumer health data. The Washington My Health My Data Act reaches any personal information reasonably linkable to a consumer that identifies past, present, or future physical or mental health status, and explicitly extends to inferences derived from non-health information that put a consumer in a health-related category. A "you are tracking for weight loss" inference, a "high-sugar diet" pattern flag, a "low protein intake" alert, all of that is consumer health data even if your team thinks of it as lifestyle coaching.

Last legally reviewed: 2026-05-19. Citations verified against Chapter 19.373 RCW on app.leg.wa.gov.

What nutrition data MHMDA reaches

Calorie logs and macronutrient totals (carbs, protein, fat, fiber).
Meal photos used for AI food recognition (the photo itself plus the labeled output).
Weight trends and body measurements logged in the app.
Blood glucose, ketone, or biomarker readings from a connected device.
Dietary preference and restriction tags (keto, vegan, low-FODMAP, gluten-free, diabetic).
AI inferences: "user is undereating," "macro split is off," "consistent with intermittent fasting," "pre-diabetic risk pattern."
Goal tags (weight loss, muscle gain, blood-sugar management, eating-disorder recovery).

The four MHMDA hooks for nutrition apps

1. Separate Consumer Health Data Privacy Policy under RCW 19.373.020. Most nutrition apps bury MHMDA disclosures inside a single general privacy policy. That fails. The statute requires a standalone document with five substantive disclosures including the categories of consumer health data collected, the purposes, the sources, the categories shared, and the list of specific affiliates and categories of third parties, plus the rights-exercise mechanism. The homepage link must be prominent and survive mobile collapse.

2. Two-layer consent under RCW 19.373.030. Nutrition apps almost always have a sharing leg, because of food databases, recipe APIs, coaching marketplaces, supplement affiliate programs, and grocery-delivery integrations. Each receiving entity needs to be covered by a separate sharing consent. Collection consent must specify the purpose. Sharing consent must be distinct, disclose data categories, purpose and usage methods, receiving entities, and withdrawal mechanism.

3. Sale-of-data authorization under RCW 19.373.070. The "sell" definition is broad: exchange for monetary or other valuable consideration. Affiliate or referral programs with supplement vendors, meal-kit services, grocery-delivery platforms, or diet-book publishers can convert routine sharing into a sale under MHMDA. Sale requires the nine-element written authorization, one-year expiration, revocation right, signed by the consumer. Missing one element invalidates the authorization. This is the section most nutrition apps cannot satisfy as currently designed.

4. Eating-disorder data and the precautionary line. Apps that touch eating-disorder recovery, intuitive-eating coaching, or low-calorie targets aimed at clinical populations should expect a higher scrutiny posture. The mental-health prong of consumer health data under RCW 19.373.010 reaches eating-disorder content even when the app does not formally diagnose. The Washington Attorney General can pursue both AG enforcement under RCW 19.373.090 and private plaintiffs can pursue the per se CPA path in parallel.

The per se CPA hook

RCW 19.373.090 converts any MHMDA violation into a per se Consumer Protection Act violation. A Washington consumer of your nutrition app gets actual damages, discretionary treble damages capped at $25,000 on the enhancement, and one-way attorney's fees under RCW 19.86.090, with the public-interest and unfair-or-deceptive elements declared by statute. The four-year SOL under RCW 19.86.120 applies. Affiliate-revenue nutrition apps with national footprints have outsized exposure because the sharing-and-sale flows are continuous.

The food-database vendor problem. Most nutrition apps lean on a third-party food database (Nutritionix, FatSecret, USDA, OpenFoodFacts) for nutrient values. The lookup itself is usually fine. The problem is when the user's logged meals are sent in the query, the vendor logs them, and the app does not have a processor contract limiting use to documented instructions under RCW 19.373.060. A vendor that strays outside instructions becomes a regulated entity for the data at issue.

What I review when you send me a nutrition-app matter

Current privacy policy URL plus the separate Consumer Health Data Privacy Policy if one exists.
Signup flow, consent banner, sharing toggles, withdrawal mechanism, and any "share with my coach" or "share with my dietitian" sub-flow.
Data inventory: logged inputs (food, weight, glucose, photos) and derived inferences (patterns, risk scores, dietary categories).
Vendor list: food-database API, recipe API, AI image-recognition vendor, coaching marketplace, supplement affiliate links, grocery integrations, analytics SDK, advertising attribution.
Affiliate or referral program terms and any data-sharing flow with supplement, meal-kit, or grocery partners.
Processor and sub-processor list plus current DPA template.

Service tiers

$125 written email evaluation. Two-business-day turnaround.
$499 MHMDA scope memo. Determination plus top compliance gaps.
$900 MHMDA review with DPA and vendor language. Scope memo plus the processor-contract language you need with food-database, analytics, and affiliate vendors.
$1,500 MHMDA compliance package. Scope memo, DPA language, and a drafted standalone Consumer Health Data Privacy Policy.

Sergei's practical note

Nutrition apps tend to underrate the sale-of-data exposure because the team thinks of affiliate revenue as marketing. Under RCW 19.373.070, the nine-element written authorization is required any time data is exchanged for "monetary or other valuable consideration." Affiliate commissions count. If your nutrition app has revenue-sharing flows with supplement, meal-kit, or grocery partners and is also receiving user health signals about diet, send the privacy policy, the affiliate-partner list, and the signup flow. Regulatory advisory work under California license; not Washington representation.

Related Washington resources

For the full statutory walk-through, see my Washington My Health My Data Act resource. To self-assess, use the Wellness App MHMDA Risk Checker or the MHMDA Scope Analyzer. Adjacent verticals: wellness apps, fitness apps, weight loss, and health coaching.

Educational resource. Sergei Tokmakov is a California attorney (CA Bar #279869) currently seeking admission to the Washington State Bar. Nothing on this page creates an attorney-client relationship or is Washington legal advice.