First My Health My Data Class Action Targets Amazon; EDPB Issues Age Assurance Guidelines

Want to receive these privacy recaps in your inbox each week? Subscribe here.

USA

First Washington My Health My Data Class Action Filed Against Amazon

A class action filed February 10, 2025 in the Western District of Washington (case 2:25-cv-00261) alleges that Amazon’s collection of data through its Amazon Ads SDK embedded in third-party applications violates Washington’s My Health My Data Act (MHMD), among other allegations. The complaint specifically alleges that the SDKs collect consumer health data, including biometric data and precise location information that could reasonably indicate a consumer’s attempt to acquire or receive health services or supplies and that such collection occurs without consent or disclosure required by MHMD. The lawsuit also alleges that such activity violates the Federal Wiretap Act, the Computer Fraud and Abuse Act, and the Washington Consumer Protection Act.

TAKEAWAY

Although MHMD went into effect in March 2024 and includes a private right of action for individuals to pursue damages of up to $25,000 per plaintiff, this is the first class action complaint filed under the Act. Among other requirements and restrictions, the law prohibits the collection or sharing of “consumer health data” (which is broadly defined) without separate and distinct consent that isn’t be bundled with other consents.  

Watch our webinar on-demand to learn more about navigating sensitive data requirements in the U.S.

Europe

EDPB Adopts 10 Principles of Age Assurance

In its February 11 plenary meeting, the European Data Protection Board adopted a statement on Age Assurance that includes 10 principles to design GDPR-compliant age assurance, where required or permitted under applicable law. 

The principles include consideration of the best interests of the child, implementation using a risk-based approach, ensuring age assurance does not lead to unnecessary additional risks, only processing age-related attributes as strictly necessary, evaluating the effectiveness of age assurance with consideration for accessibility, reliability, and robustness, ensuring that the processing of personal data for age assurance is lawful, fair and transparent to users, ensuring that any automated decisionmaking in the context of age assurance complies with the GDPR, application of data protection by design and default, implementation of appropriate technical and organizational measures to ensure a level of security appropriate to the risk, and implementation of governance methods that allow service providers to be accountable for their approach to age assurance.

TAKEAWAY

As noted in the statement, a number of European laws and initiatives incorporate various age verification measures or minimum age requirements, resulting in potential for inconsistent application or conflict with the main GDPR principles of lawfulness, fairness, transparency, purpose limitation, data minimization, accuracy, storage limitation, confidentiality, integrity and accountability. The principles adopted by the EDPB therefore seek to reconcile the protection of children and the protection of personal data in the context of age assurance to encourage consistent application that doesn’t lose sight of individuals’ fundamental rights and freedoms and the key principles of the GDPR.   

Watch our webinar about mobile app privacy with Baker McKenzie.

Want more of the privacy highlights that matter for consent management and digital marketing? Sign up for our privacy newsletter, A Little Privacy, Please.

A Little Privacy, Please weekly recaps are provided for general, informational purposes only, do not constitute legal advice, and should not be relied upon for legal decision-making. Please consult an attorney to determine how legal updates may impact you or your business.