Washington MHMDA for Sleep Tracking Apps: Sleep Stages and Apnea Inferences Are Consumer Health Data
Sleep tracking apps generate one of the densest streams of physiological data per night per user: stages (REM, deep, light, awake), heart rate trends, breathing rate, snoring audio, restless-movement scoring, oxygen saturation in some products, and the derived sleep score the app surfaces in the morning. Under RCW 19.373.010, that record is consumer health data, full stop. The Washington My Health My Data Act reaches any personal information reasonably linkable to a consumer that identifies past, present, or future physical or mental health status, and explicitly extends to inferences derived from non-health information. A "possible sleep apnea" flag, an "insomnia pattern" tag, or a "circadian rhythm misaligned" alert is consumer health data even if the underlying inputs are accelerometer and microphone signals.
What sleep data MHMDA reaches
- Sleep stage classification (REM, deep, light, awake) and the time series across the night.
- Heart rate and heart rate variability during sleep.
- Breathing rate and snoring audio (when the app records microphone input).
- Oxygen saturation if the app reads SpO2 from a wearable.
- Bedroom temperature, humidity, ambient noise (when paired with a smart sensor).
- AI inferences: "possible sleep apnea," "insomnia pattern," "sleep debt accumulating," "circadian rhythm disruption," "REM-suppressing pattern."
- Mood and stress self-reports the app correlates against sleep quality.
- Medication-tracking integrations (melatonin, sleep aids, prescriptions) where present.
The four MHMDA hooks for sleep apps
1. Separate Consumer Health Data Privacy Policy under RCW 19.373.020. Sleep apps generally have one privacy policy that says "we collect sleep data" in a paragraph. That fails. The statute requires a standalone document with five substantive disclosures, including the categories of consumer health data collected, the purposes, the sources, the categories shared, the list of specific affiliates and categories of third parties, and the rights-exercise mechanism. The homepage link must be prominent and survive mobile collapse.
2. Two-layer consent under RCW 19.373.030. Sleep apps often share with sleep-coaching marketplaces, mattress affiliate programs, sleep-aid supplement brands, and corporate-wellness employers. Each receiving entity needs a separate sharing consent on top of the collection consent. The sharing consent must disclose data categories, purpose and usage methods, receiving entities, and withdrawal mechanism. A bundled signup acceptance does not satisfy the sharing prong.
3. Microphone-recording disclosures. Apps that record audio for snoring detection are collecting one of the more sensitive data types. The recording itself can reveal household composition, language, distress signals, and (in some cases) speech content. The disclosure obligations under RCW 19.373.020 require listing this category explicitly, naming the purpose (snoring detection, apnea inference), naming third parties (cloud audio processor, AI inference vendor), and explaining retention. Audio that is fed to a third-party AI vendor without a binding processor contract under RCW 19.373.060 is a defensible candidate for a per se violation.
4. Employer and insurance sharing. Sleep apps integrated with corporate-wellness programs or insurance discount programs sit at the highest-risk intersection of MHMDA. The moment an employer or insurer receives derived inferences ("user is sleep-deprived," "high apnea risk"), the receiving entity is a third party that must be disclosed and consented to under RCW 19.373.020 and RCW 19.373.030. If the sleep app receives consideration from the employer or insurer, the transfer is a "sale" under RCW 19.373.010 and requires the nine-element authorization under RCW 19.373.070.
The per se CPA hook
RCW 19.373.090 converts any MHMDA violation into a per se violation of the Washington Consumer Protection Act (CPA). The remedies are actual damages, discretionary treble damages capped at $25,000 on the enhancement, and one-way attorney's fees under RCW 19.86.090. The public-interest and unfair-or-deceptive elements are declared by statute, and the statute of limitations is four years under RCW 19.86.120. A single Washington user with a sleep-data complaint is a candidate plaintiff.
What I review when you send me a sleep-app matter
- Current privacy policy URL plus the separate Consumer Health Data Privacy Policy if one exists.
- Signup flow screenshots, consent banner, sharing toggles, withdrawal mechanism.
- Data inventory: raw signals (accelerometer, microphone, heart rate), derived inferences (sleep score, apnea flag, insomnia pattern), and storage/retention.
- Vendor list: AI inference vendor, cloud audio processor, analytics SDK, advertising attribution, any wearable integration.
- Any corporate-wellness, insurance, or coaching-marketplace sharing flow and the contracts behind it.
- Processor and sub-processor list plus current DPA template.
Service tiers
- $125 written email evaluation. Two-business-day turnaround.
- $499 MHMDA scope memo. Determination plus top compliance gaps.
- $900 MHMDA review with DPA and vendor language.
- $1,500 MHMDA compliance package. Scope memo, DPA language, drafted standalone Consumer Health Data Privacy Policy.
Sergei's practical note
Sleep apps are higher-risk than the team usually assumes because the data is dense, continuous, sensitive (sleep audio in particular), and often shared downstream to coaches, employers, and ad partners. The apnea-inference angle is the part I look at first; an app that surfaces "possible apnea" or "high apnea risk" is generating a health-condition inference under RCW 19.373.010 and triggers the strongest part of the statute. Send the privacy policy, the consent flow, the vendor list, and a brief product description. Regulatory advisory work under California license; not Washington representation.
Related Washington resources
For the full statutory walk-through, see my Washington My Health My Data Act resource. Self-assess via the Wellness App MHMDA Risk Checker. Adjacent verticals: wellness apps, fitness apps, meditation, and health coaching.
Educational resource. Sergei Tokmakov is a California attorney (CA Bar #279869) currently seeking admission to the Washington State Bar. Nothing on this page creates an attorney-client relationship or is Washington legal advice.