Washington educational resource

My adtech stack collects location data. Where does the Washington geofencing ban reach?

The 2,000-foot geofence prohibition under RCW 19.373.080 is the section of Washington's My Health My Data Act with the cleanest operational consequence for adtech vendors and operators with embedded SDKs. The prohibition is categorical, the 2,000-foot perimeter is mechanically broad, and the three prohibited uses (identification, collection, notification) cover most of the configurations adtech vendors actually use. Treating it as a check-the-box compliance task is the failure mode.

AI Legal Analyst

Ask my AI Legal Analyst about Washington consumer health data and MHMDA?

Tap a question for an instant, free answer (no email needed), or describe your product and the analyst routes you to the right next step.

Common Washington consumer-health-data questions, always free

Does Washington MHMDA even apply to my product? I am not HIPAA-covered, am I in the clear? Are my analytics and AI-API calls sharing events? Do I need a separate consumer health data privacy policy? Is one "I agree" checkbox enough for consent? What happens if I get this wrong?

Loading the AI Legal Analyst...

Last legally reviewed: 2026-05-19. Citation verified against RCW 19.373.080 on app.leg.wa.gov.

The text and definitions that drive the adtech exposure

RCW 19.373.080 bans implementing a geofence around an entity that provides in-person healthcare services where the geofence is used to identify or track consumers seeking healthcare services, collect consumer health data, or send notifications, messages, or advertisements related to consumer health data or healthcare services. "Geofence" under RCW 19.373.010 is a virtual boundary within 2,000 feet of the perimeter of the physical location, using GPS, cell tower, cellular data, RFID, Wifi, or any other spatial or location detection.

The breadth of the definition matters. "Any other spatial or location detection" reaches IP-geolocation, beacon detection, cross-app device tracking, and any other technical mechanism that draws a virtual perimeter around the facility. The 2,000-foot rule is measured from the perimeter of the physical location, not the centroid, which means urban hospitals with multiple connected buildings can present a perimeter that is significantly larger than the building footprint.

The configurations that are usually exposed

Custom audiences built from location. An audience defined as "users who entered the geographic area around clinic X" is a geofence under the statute. The audience does not need to be used for active notifications; the identification of the user as someone present in the perimeter is itself a prohibited use under prong (1) ("identify or track consumers seeking health care services").

Lookalike audiences seeded from clinic-visit data. If the seed audience was identified by clinic-area presence, the lookalike audience inherits the underlying problem. The seeding configuration is itself the violation.

Retargeting pixels on clinic-related landing pages. A pixel that fires on a reproductive-health landing page and then targets the user with reproductive-health content is "send notifications, messages, or advertisements related to consumer health data or health care services" under prong (3) of RCW 19.373.080. The pixel does not need to know the user's location; the targeting context supplies the connection.

SDK-level location collection. An app SDK that collects location continuously and reports it to the ad platform for attribution is collecting consumer health data under prong (2) ("collect consumer health data from consumers") when the user is inside the perimeter. The SDK configuration is the operator's responsibility, even where the operator did not explicitly request the location collection.

"Geo-conquesting" of competitor clinics. A campaign that targets users who visited a competitor clinic is geofencing under the statute, even where the operator is itself a healthcare entity.

The "no consent override" rule

Unlike collection under RCW 19.373.030 and sale under RCW 19.373.070, the geofence prohibition is categorical. A consumer's affirmative opt-in does not save a geofence configuration that falls inside the perimeter and serves one of the three prohibited uses. The implication for the adtech operator is that the fix is configurational, not contractual: the configuration must be changed or disabled, not papered over with a consent flow.

The "we exclude healthcare from targeting" defense usually fails on inspection. The ad-platform interface frequently does not expose a granular "do not target within 2,000 feet of healthcare" toggle. Operators that rely on a negative-targeting rule (excluding "healthcare and medical" interest categories) often miss the location-based targeting that runs in parallel. The operative test is the actual targeting behavior, not the platform setting.

What the audit looks like

I treat the geofence audit as a four-step process. First, compile the list of in-person healthcare facilities serving Washington consumers in the campaign footprint. Reproductive-health facilities get priority because they drive the litigation risk, but the perimeter applies to all healthcare facilities. Second, pull the current configurations from every ad SDK, ad platform, and partner relationship: custom audiences, lookalike audiences, retargeting pixels, SDK location-collection rules, partner integrations. Third, map each configuration against the 2,000-foot perimeter around each facility. Fourth, reconfigure or disable each configuration that falls inside the perimeter for a prohibited purpose.

Per-se Consumer Protection Act exposure (RCW 19.373.090)

RCW 19.373.090 makes any MHMDA violation a per-se Washington CPA violation. The remedy under RCW 19.86.090 is actual damages, discretionary trebling up to $25,000, and one-way attorney's fees. The four-year SOL under RCW 19.86.120 applies. A geofence violation under RCW 19.373.080 produces a clean plaintiff theory because the underlying conduct is categorical; the operator's realistic defense is on injury and causation, not on the underlying conduct.

Sergei's practical note

The geofence-for-adtech matter is the cluster where I see the biggest gap between operator perception and actual exposure. The operator believes the campaign targets "interested users"; the platform's underlying configuration targets "users in this geographic area"; the SDK's location collection is buried in the partner relationship. The audit reconstructs the actual data flow against the 2,000-foot perimeter and produces an operational change list. Send the SDK inventory, the ad-platform configurations, the partner list, and the campaign documentation, and I will scope the work.

Payment

Flat fee, paid up front through a secure PayPal checkout, so the budget is fixed before any work starts. The flat fee for the Healthcare SaaS Legal Package is $2,500. There is no hourly meter and no surprise invoice. If a matter is unusually large or turns into extended negotiation, I tell you before any additional work and we agree on scope first.

Delivery

Drafts in 2 to 3 business days, even for complex agreements. I work weekends when a matter needs it and it is engaged. You receive the work product by email in an editable format, with brief written comments explaining the key issues and the reasoning behind the main choices.

Process

Send the materials. Email me your current documents, screenshots, and a short description of the product and the Washington consumers it touches.
I confirm scope and run a conflict check. Engagement begins only after that check and a written confirmation of what is included.
I draft or review. You get the deliverable with plain-language comments on the highest-risk items first.
We refine. Reasonable revision rounds are included so the final version fits how your product actually works.

Scope

This is attorney-supervised regulatory and document work under my California license: issue spotting, compliance planning, drafting, and review. It is not Washington court representation. For Washington filings, litigation, or any court appearance, I coordinate with Washington-admitted counsel. Nothing here creates an attorney-client relationship until a conflict check clears and an engagement is confirmed in writing.

Related Washington resources

For the full statutory walkthrough, see my Washington My Health My Data Act resource. The Reproductive-Health Geofencing Ban page covers the operative text of RCW 19.373.080 in more depth. The Abortion-Travel Data Privacy page applies the section to a specific fact pattern. To run the triage, see my Reproductive Health Data Risk Checker.

Need this handled end to end? The $2,500 Healthcare SaaS Legal Package

A flat-fee package for digital health and SaaS founders: HIPAA and BAA posture, Terms of Service and privacy policy, and the consumer-health-data layer that MHMDA adds on top. Reviewed under California license; for Washington court representation I coordinate with Washington-admitted counsel.

Request this package · $2,500

See the full Healthcare SaaS legal stack → or email me directly for a scoped quote.

Educational resource. Sergei Tokmakov is a California attorney (CA Bar #279869) currently seeking admission to the Washington State Bar. Nothing on this page creates an attorney-client relationship or is Washington legal advice.