Washington educational resource

Washington MHMDA for Weight Loss Apps: Body Composition, BMI, and Goal Tags Are Consumer Health Data

Weight loss apps occupy a particularly exposed corner of the consumer wellness market. The data is intimate (body weight, BMI, body composition, body photos, eating-disorder triggers), the user base is often emotionally invested in the outcome, and the monetization model frequently relies on affiliate partnerships with supplement, meal-replacement, and prescription weight-loss medication providers. The Washington My Health My Data Act under RCW 19.373.010 treats body composition and weight-trend data as consumer health data, and the inferences a weight-loss algorithm derives ("user is in a plateau," "user is at obesity risk," "user is candidate for GLP-1 medication") are squarely within the statute. RCW 19.373.090 turns any compliance gap into a per se Consumer Protection Act violation with treble damages capped at $25,000 on the enhancement and one-way attorney's fees under RCW 19.86.090.

AI Legal Analyst

Ask my AI Legal Analyst about Washington consumer health data and MHMDA?

Tap a question for an instant, free answer (no email needed), or describe your product and the analyst routes you to the right next step.

Common Washington consumer-health-data questions, always free

Does Washington MHMDA even apply to my product? I am not HIPAA-covered, am I in the clear? Are my analytics and AI-API calls sharing events? Do I need a separate consumer health data privacy policy? Is one "I agree" checkbox enough for consent? What happens if I get this wrong?

Loading the AI Legal Analyst...

Last legally reviewed: 2026-05-19. Citations verified against Chapter 19.373 RCW on app.leg.wa.gov.

What weight-loss app data MHMDA reaches

Body weight, BMI, waist measurement, body-fat percentage, muscle mass.
Progress photos and body-composition scans.
Calorie-deficit targets, meal plans, macros.
Hunger and craving logs, "binge episode" check-ins.
Weight-management goal tags ("lose 20 lbs," "maintain," "muscle gain," "post-surgery recovery").
Eating-disorder history disclosures or risk flags.
AI inferences: "plateau pattern," "metabolic adaptation," "GLP-1 candidate," "high obesity risk," "yo-yo dieting pattern."
Connected scale or smart-mirror data (smart-scale weight, body-composition impedance).

The four MHMDA hooks for weight-loss apps

1. Separate Consumer Health Data Privacy Policy under RCW 19.373.020. Weight loss apps often have a single privacy policy and a "we collect weight and body composition" line buried in section 4. That structure fails. The statute requires a standalone document with five substantive disclosures, including the categories of consumer health data collected, the purposes, the sources, the categories shared, and the list of specific affiliates and categories of third parties.

2. Two-layer consent under RCW 19.373.030. Collection consent for weight and BMI inputs. Separate sharing consent for analytics, attribution, AI inference, affiliate programs, and any prescription telehealth integration. Sharing consent must disclose data categories, purpose and usage methods, receiving entities, and withdrawal mechanism.

3. GLP-1 and prescription telehealth integration. Weight-loss apps that integrate with telehealth prescribers (semaglutide, tirzepatide, compounded GLP-1, phentermine) sit at a regulatory intersection. The telehealth provider relationship may be HIPAA-covered for the clinical record, but the app's own data (weight trend, BMI, goal tags, eligibility screening, intake responses) is generally outside HIPAA and inside MHMDA. The exemption at RCW 19.373.100 is data-specific, not entity-blanket. The app needs to separate the HIPAA-PHI flow from the MHMDA-consumer-health-data flow and document the boundary.

4. Affiliate revenue and the sale-of-data question under RCW 19.373.070. Affiliate or referral programs with supplement vendors, meal-kit services, weight-loss medication providers, or coaching marketplaces convert routine sharing into a sale under MHMDA. The nine-element written authorization is required: specific data identification, seller contact, buyer contact, purpose, "service not conditioned" statement, revocation right, redisclosure notice, one-year expiration, consumer signature.

The eating-disorder overlay

Apps that touch eating-disorder risk, restrictive-diet coaching, or low-calorie targets for clinical populations should expect heightened scrutiny. The mental-health prong of consumer health data under RCW 19.373.010 reaches eating-disorder content. A weight-loss app that flags binge or restriction patterns is generating mental-health inferences. The Washington Attorney General can pursue AG enforcement and private plaintiffs can pursue the per se CPA path in parallel.

The per se CPA hook

RCW 19.373.090 makes any MHMDA violation a per se CPA violation. A Washington user of your weight-loss app with a documented sharing or policy gap is a candidate plaintiff. Actual damages, discretionary treble damages capped at $25,000 on the enhancement, one-way attorney's fees under RCW 19.86.090, public-interest and unfair-or-deceptive elements declared by statute, four-year SOL under RCW 19.86.120.

Progress photos are the riskiest data category most operators store. Body photos are highly identifiable, sensitive, and persistent. If your app stores progress photos and sends them to an AI body-composition vendor, a coaching marketplace, or a corporate-wellness employer, you have processor and sharing obligations under RCW 19.373.030 and RCW 19.373.060 that a generic cloud-storage DPA does not satisfy.

What I review when you send me a weight-loss app matter

Privacy policy URL plus the separate Consumer Health Data Privacy Policy if one exists.
Signup flow, consent banner, sharing toggles, "share with my coach" and "share with my prescriber" sub-flows.
Data inventory: weight inputs, body photos, derived inferences, retention.
Vendor list: AI body-composition, analytics SDK, advertising attribution, affiliate partners, telehealth integration.
Affiliate and referral program terms and the data flows behind each partner.
HIPAA-PHI boundary documentation if you integrate with a telehealth prescriber.
Processor and sub-processor list plus current DPA template.

Service tiers

$240 Written Attorney Consultation. Two-business-day turnaround.
$499 MHMDA scope memo.
$900 MHMDA review with DPA and vendor language.
$1,500 MHMDA compliance package.

Sergei's practical note

Weight-loss apps that mix consumer health data with telehealth-prescribed weight-loss medication are the matters I treat with the highest preparation overhead. The HIPAA-PHI boundary is rarely documented as cleanly as it needs to be, the affiliate-revenue flows usually invoke the sale-of-data analysis under RCW 19.373.070, and the body-photo storage almost always lacks the processor-contract discipline the statute demands. Send the privacy policy, the affiliate-partner list, the prescriber-integration architecture, and the signup flow. Regulatory advisory work under California license; not Washington representation.

Payment

Flat fee, paid up front through a secure PayPal checkout, so the budget is fixed before any work starts. The Written Attorney Consultation is a flat $240. There is no hourly meter and no surprise invoice. If a matter is unusually large or turns into extended negotiation, I tell you before any additional work and we agree on scope first.

Delivery

Drafts in 2 to 3 business days, even for complex agreements. I work weekends when a matter needs it and it is engaged. You receive the work product by email in an editable format, with brief written comments explaining the key issues and the reasoning behind the main choices.

Process

Send the materials. Email me your current documents, screenshots, and a short description of the product and the Washington consumers it touches.
I confirm scope and run a conflict check. Engagement begins only after that check and a written confirmation of what is included.
I draft or review. You get the deliverable with plain-language comments on the highest-risk items first.
We refine. Reasonable revision rounds are included so the final version fits how your product actually works.

Scope

This is attorney-supervised regulatory and document work under my California license: issue spotting, compliance planning, drafting, and review. It is not Washington court representation. For Washington filings, litigation, or any court appearance, I coordinate with Washington-admitted counsel. Nothing here creates an attorney-client relationship until a conflict check clears and an engagement is confirmed in writing.

Related Washington resources

For the full statutory walk-through, see my Washington My Health My Data Act resource. Self-assess via the Wellness App MHMDA Risk Checker. Adjacent verticals: wellness apps, nutrition, fitness, and health coaching.

Want a written attorney read on your situation? The $240 Written Attorney Consultation

Send your question, a short factual summary, and your key documents. You get a written attorney response identifying the main legal issues, the risks, and the practical next steps, so you know whether you have a real exposure and what to do about it. Provided under my California license; for Washington court representation I coordinate with Washington-admitted counsel.

Request this consultation · $240

See the full Washington MHMDA resource → or email me directly for a scoped quote.

Educational resource. Sergei Tokmakov is a California attorney (CA Bar #279869) currently seeking admission to the Washington State Bar. Nothing on this page creates an attorney-client relationship or is Washington legal advice.