Washington educational resource

Washington MHMDA for Weight Loss Apps: Body Composition, BMI, and Goal Tags Are Consumer Health Data

Weight loss apps occupy a particularly exposed corner of the consumer wellness market. The data is intimate (body weight, BMI, body composition, body photos, eating-disorder triggers), the user base is often emotionally invested in the outcome, and the monetization model frequently relies on affiliate partnerships with supplement, meal-replacement, and prescription weight-loss medication providers. The Washington My Health My Data Act under RCW 19.373.010 treats body composition and weight-trend data as consumer health data, and the inferences a weight-loss algorithm derives ("user is in a plateau," "user is at obesity risk," "user is candidate for GLP-1 medication") are squarely within the statute. RCW 19.373.090 turns any compliance gap into a per se Consumer Protection Act violation with treble damages capped at $25,000 on the enhancement and one-way attorney's fees under RCW 19.86.090.

Last legally reviewed: 2026-05-19. Citations verified against Chapter 19.373 RCW on app.leg.wa.gov.

What weight-loss app data MHMDA reaches

Body weight, BMI, waist measurement, body-fat percentage, muscle mass.
Progress photos and body-composition scans.
Calorie-deficit targets, meal plans, macros.
Hunger and craving logs, "binge episode" check-ins.
Weight-management goal tags ("lose 20 lbs," "maintain," "muscle gain," "post-surgery recovery").
Eating-disorder history disclosures or risk flags.
AI inferences: "plateau pattern," "metabolic adaptation," "GLP-1 candidate," "high obesity risk," "yo-yo dieting pattern."
Connected scale or smart-mirror data (smart-scale weight, body-composition impedance).

The four MHMDA hooks for weight-loss apps

1. Separate Consumer Health Data Privacy Policy under RCW 19.373.020. Weight loss apps often have a single privacy policy and a "we collect weight and body composition" line buried in section 4. That structure fails. The statute requires a standalone document with five substantive disclosures, including the categories of consumer health data collected, the purposes, the sources, the categories shared, and the list of specific affiliates and categories of third parties.

2. Two-layer consent under RCW 19.373.030. Collection consent for weight and BMI inputs. Separate sharing consent for analytics, attribution, AI inference, affiliate programs, and any prescription telehealth integration. Sharing consent must disclose data categories, purpose and usage methods, receiving entities, and withdrawal mechanism.

3. GLP-1 and prescription telehealth integration. Weight-loss apps that integrate with telehealth prescribers (semaglutide, tirzepatide, compounded GLP-1, phentermine) sit at a regulatory intersection. The telehealth provider relationship may be HIPAA-covered for the clinical record, but the app's own data (weight trend, BMI, goal tags, eligibility screening, intake responses) is generally outside HIPAA and inside MHMDA. The exemption at RCW 19.373.100 is data-specific, not entity-blanket. The app needs to separate the HIPAA-PHI flow from the MHMDA-consumer-health-data flow and document the boundary.

4. Affiliate revenue and the sale-of-data question under RCW 19.373.070. Affiliate or referral programs with supplement vendors, meal-kit services, weight-loss medication providers, or coaching marketplaces convert routine sharing into a sale under MHMDA. The nine-element written authorization is required: specific data identification, seller contact, buyer contact, purpose, "service not conditioned" statement, revocation right, redisclosure notice, one-year expiration, consumer signature.

The eating-disorder overlay

Apps that touch eating-disorder risk, restrictive-diet coaching, or low-calorie targets for clinical populations should expect heightened scrutiny. The mental-health prong of consumer health data under RCW 19.373.010 reaches eating-disorder content. A weight-loss app that flags binge or restriction patterns is generating mental-health inferences. The Washington Attorney General can pursue AG enforcement and private plaintiffs can pursue the per se CPA path in parallel.

The per se CPA hook

RCW 19.373.090 makes any MHMDA violation a per se CPA violation. A Washington user of your weight-loss app with a documented sharing or policy gap is a candidate plaintiff. Actual damages, discretionary treble damages capped at $25,000 on the enhancement, one-way attorney's fees under RCW 19.86.090, public-interest and unfair-or-deceptive elements declared by statute, four-year SOL under RCW 19.86.120.

Progress photos are the riskiest data category most operators store. Body photos are highly identifiable, sensitive, and persistent. If your app stores progress photos and sends them to an AI body-composition vendor, a coaching marketplace, or a corporate-wellness employer, you have processor and sharing obligations under RCW 19.373.030 and RCW 19.373.060 that a generic cloud-storage DPA does not satisfy.

What I review when you send me a weight-loss app matter

Privacy policy URL plus the separate Consumer Health Data Privacy Policy if one exists.
Signup flow, consent banner, sharing toggles, "share with my coach" and "share with my prescriber" sub-flows.
Data inventory: weight inputs, body photos, derived inferences, retention.
Vendor list: AI body-composition, analytics SDK, advertising attribution, affiliate partners, telehealth integration.
Affiliate and referral program terms and the data flows behind each partner.
HIPAA-PHI boundary documentation if you integrate with a telehealth prescriber.
Processor and sub-processor list plus current DPA template.

Service tiers

$125 written email evaluation. Two-business-day turnaround.
$499 MHMDA scope memo.
$900 MHMDA review with DPA and vendor language.
$1,500 MHMDA compliance package.

Sergei's practical note

Weight-loss apps that mix consumer health data with telehealth-prescribed weight-loss medication are the matters I treat with the highest preparation overhead. The HIPAA-PHI boundary is rarely documented as cleanly as it needs to be, the affiliate-revenue flows usually invoke the sale-of-data analysis under RCW 19.373.070, and the body-photo storage almost always lacks the processor-contract discipline the statute demands. Send the privacy policy, the affiliate-partner list, the prescriber-integration architecture, and the signup flow. Regulatory advisory work under California license; not Washington representation.

Related Washington resources

For the full statutory walk-through, see my Washington My Health My Data Act resource. Self-assess via the Wellness App MHMDA Risk Checker. Adjacent verticals: wellness apps, nutrition, fitness, and health coaching.

Educational resource. Sergei Tokmakov is a California attorney (CA Bar #279869) currently seeking admission to the Washington State Bar. Nothing on this page creates an attorney-client relationship or is Washington legal advice.