Washington educational resource

My adtech stack collects location data. Where does the Washington geofencing ban reach?

The 2,000-foot geofence prohibition under RCW 19.373.080 is the section of Washington's My Health My Data Act with the cleanest operational consequence for adtech vendors and operators with embedded SDKs. The prohibition is categorical, the 2,000-foot perimeter is mechanically broad, and the three prohibited uses (identification, collection, notification) cover most of the configurations adtech vendors actually use. Treating it as a check-the-box compliance task is the failure mode.

Last legally reviewed: 2026-05-19. Citation verified against RCW 19.373.080 on app.leg.wa.gov.

The text and definitions that drive the adtech exposure

RCW 19.373.080 bans implementing a geofence around an entity that provides in-person healthcare services where the geofence is used to identify or track consumers seeking healthcare services, collect consumer health data, or send notifications, messages, or advertisements related to consumer health data or healthcare services. "Geofence" under RCW 19.373.010 is a virtual boundary within 2,000 feet of the perimeter of the physical location, using GPS, cell tower, cellular data, RFID, Wifi, or any other spatial or location detection.

The breadth of the definition matters. "Any other spatial or location detection" reaches IP-geolocation, beacon detection, cross-app device tracking, and any other technical mechanism that draws a virtual perimeter around the facility. The 2,000-foot rule is measured from the perimeter of the physical location, not the centroid, which means urban hospitals with multiple connected buildings can present a perimeter that is significantly larger than the building footprint.

The configurations that are usually exposed

Custom audiences built from location. An audience defined as "users who entered the geographic area around clinic X" is a geofence under the statute. The audience does not need to be used for active notifications; the identification of the user as someone present in the perimeter is itself a prohibited use under prong (1) ("identify or track consumers seeking health care services").

Lookalike audiences seeded from clinic-visit data. If the seed audience was identified by clinic-area presence, the lookalike audience inherits the underlying problem. The seeding configuration is itself the violation.

Retargeting pixels on clinic-related landing pages. A pixel that fires on a reproductive-health landing page and then targets the user with reproductive-health content is "send notifications, messages, or advertisements related to consumer health data or health care services" under prong (3) of RCW 19.373.080. The pixel does not need to know the user's location; the targeting context supplies the connection.

SDK-level location collection. An app SDK that collects location continuously and reports it to the ad platform for attribution is collecting consumer health data under prong (2) ("collect consumer health data from consumers") when the user is inside the perimeter. The SDK configuration is the operator's responsibility, even where the operator did not explicitly request the location collection.

"Geo-conquesting" of competitor clinics. A campaign that targets users who visited a competitor clinic is geofencing under the statute, even where the operator is itself a healthcare entity.

The "no consent override" rule

Unlike collection under RCW 19.373.030 and sale under RCW 19.373.070, the geofence prohibition is categorical. A consumer's affirmative opt-in does not save a geofence configuration that falls inside the perimeter and serves one of the three prohibited uses. The implication for the adtech operator is that the fix is configurational, not contractual: the configuration must be changed or disabled, not papered over with a consent flow.

The "we exclude healthcare from targeting" defense usually fails on inspection. The ad-platform interface frequently does not expose a granular "do not target within 2,000 feet of healthcare" toggle. Operators that rely on a negative-targeting rule (excluding "healthcare and medical" interest categories) often miss the location-based targeting that runs in parallel. The operative test is the actual targeting behavior, not the platform setting.

What the audit looks like

I treat the geofence audit as a four-step process. First, compile the list of in-person healthcare facilities serving Washington consumers in the campaign footprint. Reproductive-health facilities get priority because they drive the litigation risk, but the perimeter applies to all healthcare facilities. Second, pull the current configurations from every ad SDK, ad platform, and partner relationship: custom audiences, lookalike audiences, retargeting pixels, SDK location-collection rules, partner integrations. Third, map each configuration against the 2,000-foot perimeter around each facility. Fourth, reconfigure or disable each configuration that falls inside the perimeter for a prohibited purpose.

Per-se Consumer Protection Act exposure (RCW 19.373.090)

RCW 19.373.090 makes any MHMDA violation a per-se Washington CPA violation. The remedy under RCW 19.86.090 is actual damages, discretionary trebling up to $25,000, and one-way attorney's fees. The four-year SOL under RCW 19.86.120 applies. A geofence violation under RCW 19.373.080 produces a clean plaintiff theory because the underlying conduct is categorical; the operator's realistic defense is on injury and causation, not on the underlying conduct.

Sergei's practical note

The geofence-for-adtech matter is the cluster where I see the biggest gap between operator perception and actual exposure. The operator believes the campaign targets "interested users"; the platform's underlying configuration targets "users in this geographic area"; the SDK's location collection is buried in the partner relationship. The audit reconstructs the actual data flow against the 2,000-foot perimeter and produces an operational change list. Send the SDK inventory, the ad-platform configurations, the partner list, and the campaign documentation, and I will scope the work.

Related Washington resources

For the full statutory walkthrough, see my Washington My Health My Data Act resource. The Reproductive-Health Geofencing Ban page covers the operative text of RCW 19.373.080 in more depth. The Abortion-Travel Data Privacy page applies the section to a specific fact pattern. To run the triage, see my Reproductive Health Data Risk Checker.

Educational resource. Sergei Tokmakov is a California attorney (CA Bar #279869) currently seeking admission to the Washington State Bar. Nothing on this page creates an attorney-client relationship or is Washington legal advice.