Washington educational resource

Washington MHMDA for Sleep Tracking Apps: Sleep Stages and Apnea Inferences Are Consumer Health Data

Sleep tracking apps generate one of the densest streams of physiological data per night per user: stages (REM, deep, light, awake), heart rate trends, breathing rate, snoring audio, restless-movement scoring, oxygen saturation in some products, and the derived sleep score the app surfaces in the morning. Under RCW 19.373.010, that record is consumer health data, full stop. The Washington My Health My Data Act reaches any personal information reasonably linkable to a consumer that identifies past, present, or future physical or mental health status, and explicitly extends to inferences derived from non-health information. A "possible sleep apnea" flag, an "insomnia pattern" tag, or a "circadian rhythm misaligned" alert is consumer health data even if the underlying inputs are accelerometer and microphone signals.

AI Legal Analyst

Ask my AI Legal Analyst about Washington consumer health data and MHMDA?

Tap a question for an instant, free answer (no email needed), or describe your product and the analyst routes you to the right next step.

Common Washington consumer-health-data questions, always free

Does Washington MHMDA even apply to my product? I am not HIPAA-covered, am I in the clear? Are my analytics and AI-API calls sharing events? Do I need a separate consumer health data privacy policy? Is one "I agree" checkbox enough for consent? What happens if I get this wrong?

Loading the AI Legal Analyst...

Last legally reviewed: 2026-05-19. Citations verified against Chapter 19.373 RCW on app.leg.wa.gov.

What sleep data MHMDA reaches

Sleep stage classification (REM, deep, light, awake) and the time series across the night.
Heart rate and heart rate variability during sleep.
Breathing rate and snoring audio (when the app records microphone input).
Oxygen saturation if the app reads SpO2 from a wearable.
Bedroom temperature, humidity, ambient noise (when paired with a smart sensor).
AI inferences: "possible sleep apnea," "insomnia pattern," "sleep debt accumulating," "circadian rhythm disruption," "REM-suppressing pattern."
Mood and stress self-reports the app correlates against sleep quality.
Medication-tracking integrations (melatonin, sleep aids, prescriptions) where present.

The four MHMDA hooks for sleep apps

1. Separate Consumer Health Data Privacy Policy under RCW 19.373.020. Sleep apps generally have one privacy policy that says "we collect sleep data" in a paragraph. That fails. The statute requires a standalone document with five substantive disclosures, including the categories of consumer health data collected, the purposes, the sources, the categories shared, the list of specific affiliates and categories of third parties, and the rights-exercise mechanism. The homepage link must be prominent and survive mobile collapse.

2. Two-layer consent under RCW 19.373.030. Sleep apps often share with sleep-coaching marketplaces, mattress affiliate programs, sleep-aid supplement brands, and corporate-wellness employers. Each receiving entity needs a separate sharing consent on top of the collection consent. The sharing consent must disclose data categories, purpose and usage methods, receiving entities, and withdrawal mechanism. A bundled signup acceptance does not satisfy the sharing prong.

3. Microphone-recording disclosures. Apps that record audio for snoring detection are collecting one of the more sensitive data types. The recording itself can reveal household composition, language, distress signals, and (in some cases) speech content. The disclosure obligations under RCW 19.373.020 require listing this category explicitly, naming the purpose (snoring detection, apnea inference), naming third parties (cloud audio processor, AI inference vendor), and explaining retention. Audio that is fed to a third-party AI vendor without a binding processor contract under RCW 19.373.060 is a defensible per se violation candidate.

4. Employer and insurance sharing. Sleep apps integrated with corporate-wellness programs or insurance discount programs sit at the highest-risk intersection of MHMDA. The moment an employer or insurer receives derived inferences ("user is sleep-deprived," "high apnea risk"), the receiving entity is a third party that must be disclosed and consented to under RCW 19.373.020 and RCW 19.373.030. If the sleep app receives consideration from the employer or insurer, the transfer is a "sale" under RCW 19.373.010 and requires the nine-element authorization under RCW 19.373.070.

The per se CPA hook

RCW 19.373.090 converts any MHMDA violation into a per se CPA violation. Actual damages, discretionary treble damages capped at $25,000 on the enhancement, one-way attorney's fees under RCW 19.86.090, public-interest and unfair-or-deceptive elements declared by statute, four-year SOL under RCW 19.86.120. A single Washington user with a sleep-data complaint is a candidate plaintiff.

The wearable-OEM angle. Many sleep apps depend on data from Apple Watch, Oura, Whoop, Fitbit, or Garmin. The OEM may have its own MHMDA exposure, but pulling its data into your app and applying your purposes and means makes you a controller for that data. The exemptions under RCW 19.373.100 are data-specific, not entity-blanket.

What I review when you send me a sleep-app matter

Current privacy policy URL plus the separate Consumer Health Data Privacy Policy if one exists.
Signup flow screenshots, consent banner, sharing toggles, withdrawal mechanism.
Data inventory: raw signals (accelerometer, microphone, heart rate), derived inferences (sleep score, apnea flag, insomnia pattern), and storage/retention.
Vendor list: AI inference vendor, cloud audio processor, analytics SDK, advertising attribution, any wearable integration.
Any corporate-wellness, insurance, or coaching-marketplace sharing flow and the contracts behind it.
Processor and sub-processor list plus current DPA template.

Service tiers

$240 Written Attorney Consultation. Two-business-day turnaround.
$499 MHMDA scope memo. Determination plus top compliance gaps.
$900 MHMDA review with DPA and vendor language.
$1,500 MHMDA compliance package. Scope memo, DPA language, drafted standalone Consumer Health Data Privacy Policy.

Sergei's practical note

Sleep apps are higher-risk than the team usually assumes because the data is dense, continuous, sensitive (sleep audio in particular), and often shared downstream to coaches, employers, and ad partners. The apnea-inference angle is the part I look at first; an app that surfaces "possible apnea" or "high apnea risk" is generating a health-condition inference under RCW 19.373.010 and triggers the strongest part of the statute. Send the privacy policy, the consent flow, the vendor list, and a brief product description. Regulatory advisory work under California license; not Washington representation.

Payment

Flat fee, paid up front through a secure PayPal checkout, so the budget is fixed before any work starts. The Written Attorney Consultation is a flat $240. There is no hourly meter and no surprise invoice. If a matter is unusually large or turns into extended negotiation, I tell you before any additional work and we agree on scope first.

Delivery

Drafts in 2 to 3 business days, even for complex agreements. I work weekends when a matter needs it and it is engaged. You receive the work product by email in an editable format, with brief written comments explaining the key issues and the reasoning behind the main choices.

Process

Send the materials. Email me your current documents, screenshots, and a short description of the product and the Washington consumers it touches.
I confirm scope and run a conflict check. Engagement begins only after that check and a written confirmation of what is included.
I draft or review. You get the deliverable with plain-language comments on the highest-risk items first.
We refine. Reasonable revision rounds are included so the final version fits how your product actually works.

Scope

This is attorney-supervised regulatory and document work under my California license: issue spotting, compliance planning, drafting, and review. It is not Washington court representation. For Washington filings, litigation, or any court appearance, I coordinate with Washington-admitted counsel. Nothing here creates an attorney-client relationship until a conflict check clears and an engagement is confirmed in writing.

Related Washington resources

For the full statutory walk-through, see my Washington My Health My Data Act resource. Self-assess via the Wellness App MHMDA Risk Checker. Adjacent verticals: wellness apps, fitness apps, meditation, and health coaching.

Want a written attorney read on your situation? The $240 Written Attorney Consultation

Send your question, a short factual summary, and your key documents. You get a written attorney response identifying the main legal issues, the risks, and the practical next steps, so you know whether you have a real exposure and what to do about it. Provided under my California license; for Washington court representation I coordinate with Washington-admitted counsel.

Request this consultation · $240

See the full Washington MHMDA resource → or email me directly for a scoped quote.

Educational resource. Sergei Tokmakov is a California attorney (CA Bar #279869) currently seeking admission to the Washington State Bar. Nothing on this page creates an attorney-client relationship or is Washington legal advice.