Washington tool

Reproductive Health Data Risk Checker

Reproductive-health data creates a different risk profile because it can combine health status, location, timing, search behavior, app activity, and third-party advertising infrastructure on the same user record. A generic privacy policy usually does not answer the My Health My Data Act questions. This tool triages your product against Chapter 19.373 RCW and returns a risk score, the specific exposure points, and the recommended next step.

This is a triage tool, not legal advice. Citations verified against Chapter 19.373 RCW on app.leg.wa.gov. MHMDA reaches out-of-state companies that conduct business in Washington or target products or services to Washington consumers and determine the purposes and means of processing consumer health data.

1App or business type

Which best describes your product or business?

Fertility, IVF, or trying-to-conceive app Period or menstrual-cycle tracking app Pregnancy or postpartum app Abortion-adjacent platform (information, navigation, telehealth) Contraception or birth-control product Menopause or perimenopause platform Sexual-health or STI platform Clinic-adjacent vendor or SaaS (scheduling, telehealth, partner integration) Adtech, SDK, or analytics vendor serving the above

2Location data collected

Do you collect location data from users?

Yes, precise location (GPS, beacons, Wi-Fi) Coarse location only (IP, region, city) No location data collected

3Location SDKs

Does your product embed third-party location SDKs?

Yes, third-party location SDKs are embedded Yes, but the SDK inventory was audited against the perimeter No third-party location SDKs Not sure (no SDK inventory exists)

4Ads or retargeting

Do you serve ads or retargeting to users?

Yes, ads or retargeting in a reproductive-health context Yes, but only generic ads, no reproductive context No ads or retargeting

5Clinic-proximity targeting

Do you target users by proximity to healthcare facilities?

Yes, targeting includes clinic-area proximity No, healthcare facility geographies are excluded No proximity-based targeting at all Not sure (need to audit campaign configurations)

6Sharing with analytics or adtech

Do you share reproductive-health data or inferences with analytics or adtech partners?

Yes, with no separate sharing consent Yes, with a separate sharing consent No sharing with analytics or adtech Not sure (need data-flow inventory)

7Consumer deletion process

Do you have a documented consumer deletion process?

Yes, documented and tested Partial (deletion exists but downstream propagation is unclear) No documented deletion process

8Written authorization for sale

If you sell consumer health data, do you obtain a written authorization with the nine required elements?

Yes, all nine elements collected Partial (some elements missing or unclear) No written authorization (consent flow only) I do not sell consumer health data

9Washington users

Do you have Washington users or target Washington consumers?

Yes, I have Washington users or target Washington consumers National audience including Washington (no geo-blocking) No Washington users or targeting

How the score is calculated

The score weighs the elements that drive reproductive-health MHMDA exposure. Weights total 100 points.

Product type: up to 18 points. Fertility, period, abortion-adjacent, and pregnancy products score highest because the data set is reproductive by design.
Geofencing exposure (location + SDK + clinic-proximity): up to 28 points. The 2,000-foot prohibition under RCW 19.373.080 is categorical and there is no consent override.
Adtech and retargeting in reproductive context: up to 18 points. Prong (3) of RCW 19.373.080 reaches notifications, messages, and advertisements related to consumer health data or healthcare services.
Sharing without separate consent: up to 14 points. RCW 19.373.030 requires affirmative opt-in for collection and a separate, distinct consent for sharing.
Sale-authorization gap: up to 12 points. RCW 19.373.070's nine-element authorization is rarely fully implemented.
Washington-user nexus and deletion-process posture: up to 10 points.

The four verdict bands are 80 to 100 (Significant exposure; remediation required before continued operation), 60 to 79 (Material gaps in geofence, consent, or sale posture), 30 to 59 (Discrete gaps to close), and 0 to 29 (Compliant or out of scope on the current record).

Authority notes

Citations from RCW 19.373.010 (definitions including geofence and consumer health data), RCW 19.373.020 (separate privacy policy and homepage link), RCW 19.373.030 (two-layer consent), RCW 19.373.040 (consumer rights and 45-day deletion window), RCW 19.373.060 (processor obligations), RCW 19.373.070 (nine-element written authorization for sale), RCW 19.373.080 (2,000-foot geofence prohibition), and RCW 19.373.090 (per-se CPA bridge).

For background, see my Washington My Health My Data Act resource and the cluster pages: Fertility apps, Period-tracking apps, Reproductive-health geofencing ban, Geofencing risk for adtech.

Reproductive Health Data Risk Checker

Reproductive-health classification

Specific exposure points

Per-se CPA exposure (RCW 19.373.090)

Recommended next step

How the score is calculated

Authority notes