Amazon & SDKs: Washington’s first health data lawsuit
Posted: March 14, 2025
February 2025 marked the first class action lawsuit under Washington’s year-old My Health My Data Act (MHMDA). This is an interesting case, not only due to its ‘first’ status, but also because it represents a new development in a longer stream of legal actions related to Software Development Kits (SDKs) and targeted advertising. Another interesting factor is that it involves Amazon – a company that most consumers do not associate with the health industry or health information.
Also known as a devkit, an SDK is a “set of software-building tools for a specific platform, including the building blocks, debuggers, and, often, a framework or group of code libraries such as a set of routines specific to an operating system.” SDKs can help developers create apps, websites, games, and cloud computing connections. Many diverse types of organizations offer SDKs to developers to encourage those developers to use their platforms. Amazon is no exception and offers many different SDKs that wind up being present in apps, websites, and the like.
The US State of Washington created the MHMDA in an effort to protect health information that falls outside of the protections of the Federal healthcare-specific law, the Health Insurance Portability and Accountability Act (HIPAA). Specifically, the MHMDA aims at preventing organizations from collecting and sharing sensitive health information without a consumer’s consent. As has become the trend in many US State privacy laws, Washington defines the information that it protects – health information, in this case – broadly.
According to its published information page on the MHMDA, “The definition of consumer health data includes information that is derived or extrapolated from non health data when that information is used by a regulated entity or their respective processor to associate or identify a consumer with consumer health data. This would include potential inferences drawn from purchases…”
In other words, any information that an organization uses to infer an individual’s health status, including geolocation that can identify a visit to a healthcare facility, falls under the protection of the MHMDA (assuming that HIPAA does not already cover it).
- The lawsuit: Amazon SDKs & privacy concerns
- What do companies need to do about SDKs?
- Understanding SDK use
- Carefully provide notice
- Consider consent
- Train developers on the risk
The lawsuit: Amazon SDKs & privacy concerns
Through this lawsuit with Amazon, the plaintiff claims that she and others have loaded apps, such as the Weather Channel and OfferUp apps, on their phones that include an Amazon SDK. She alleges that the Amazon SDK collected personal data, including health information, geolocation, and biometric data – all without adequate notice and consent.
Though this is the initial class action lawsuit under the MHMDA, it is interesting to note that the lawsuit also claims violations of the US Federal Wiretap Act, Stored Communications Act, and the Computer Fraud and Abuse Act. This is less surprising, as the Federal Wiretap Act and SDKs already have some history together, such as in the case of Twilio. Twilio’s suit, filed in 2022, presented similar allegations about apps with an embedded Twilio SDK that collects personal data without the user’s knowledge or permission.
What do companies need to do about SDKs?
Though the success or failure of Amazon’s response to the MHMDA allegations remains to be seen, the very nature of SDKs – their prevalence, opaqueness, and data collection abilities – makes them vulnerable to legal challenges based on privacy concerns. However, there are some actions that a company can take to guard against the SDK risk.
Understanding SDK use
With knowledge comes power. An organization that deeply understands which SDKs it has embedded in its apps and how they work will have the knowledge it needs to make sound decisions about privacy generally, and notifications and consents specifically. An organization will want to understand what those SDKs do, what data and data flows they may involve, and which organizations may receive and benefit from those data flows.
Carefully provide notice
Though privacy notices typically contain information about what data a company collects directly from users through forms and how the company shares it, it is easy for those same notices to lack good descriptions of the data its applications collect automatically through technology. In a way, these less obvious data collection practices require more transparency, not less. Even well-intentioned companies can fail to provide adequate notice, mostly due to a lack of knowledge. However, once a company understands its SDK-related data collection and flows, it will be critical to clearly describe those details to the user.
Consider consent
While not all data collection and flows related to apps (and SDKs) will require explicit consent, some – especially those involving sensitive data and secondary uses – may. Once a company knows the technical details of embedded SDKs (how they work, what data they collect, how and with whom they share data, and how all recipients use the data), that company can make informed decisions about not only what disclosures to make, but also which processing activities will require opt-in or opt-out consent.
Train developers on the risk
Apps, websites, and technology in general change at a bullet-train pace. Privacy and Legal teams can struggle to keep up with technology and its shortening development cycles, especially if they must be involved in and understand the details to the extent that they can identify technology development issues. Moreover, apps must change frequently to add functionality that users demand. This means that technical teams are constantly making improvements that may pose privacy risk.
To avoid being a blocker to progress, Privacy and Legal can instead train developers to identify technology-driven personal data collection, use, and sharing, look for issues, and escalate concerns. Armed with the right knowledge, developers are in the best position to gather the needed information and identify points at which Privacy and Legal should get involved. Privacy-savvy developers will also be able to watch out for risky SDKs and contribute accurate information for a comprehensive privacy notice.
Summary
The new class action suit against Amazon and its SDKs will take some time to resolve. In the meantime, companies can take reasonable action now to reduce risk, regardless of this case’s specific outcome. As with most privacy actions, the first step is to understand the data collection, uses, and sharing associated with apps, including any embedded SDKs. Next, a company should make sure that it informs consumers of these data and data handling practices and receives the right level of consents for these practices. Finally, Privacy and Legal teams should collaborate with technical teams to educate developers on the nature of these risks and how to identify and escalate them.