Lawsuit Filed Against Amazon Alleging Unlawful Collection of Health & Location Data
A lawsuit has been filed against Amazon alleging its software development kit (SDK) has unlawfully collected consumers’ health and location data in violation of federal laws and consumer privacy laws in Washington state. An SDK is a suite of software development tools such as compilers, code libraries, and debuggers, that allows software developers to build applications quickly and in a standardized way. The Amazon SDK is embedded in thousands of third-party applications and runs in the background, allowing Amazon to collect information such as location data directly from consumer devices. The information collected by Amazon is used for advertising purposes, and the data can be sold to others. The lawsuit alleges the Amazon SDK has been integrated into more than 10,000 different apps.
The lawsuit was filed in the U.S. District Court for the Western District of Washington at Seattle on February 20, 2025, on behalf of plaintiff Cassaundra Maxwell and similarly affected individuals. The lawsuit alleges Amazon is unlawfully tracking, collecting and profiting from users’ location data, in violation of the Federal Wiretap Act, Stored Communications Act, Computer Fraud and Abuse Act, the Washington Consumer Protection Act, and the Washington My Health My Data Act and asserts claims of invasion of privacy and unjust enrichment.
The plaintiff claims to have installed apps on her phone that incorporate the Amazon SDK, including the Weather Channel and OfferUp apps. She alleges the Amazon SDK incorporated into those apps has collected her personal data without her knowledge or consent, and Amazon has used that information for its own personal gain and has sold that data to others. The data alleged to have been collected by Amazon includes the plaintiff’s health data, biometric data, and precise location data. The lawsuit claims that the location data collected by the Amazon SDK “could reasonably indicate a consumer’s attempt to acquire or receive health services or supplies.”
According to the lawsuit, Amazon did not obtain consent to collect consumer data, did not conspicuously disclose the categories of consumer data collected and shared, did not disclose the purpose for collecting the data, nor the categories of companies that would receive the data and how consumers could withdraw consent to prevent future data collection. These failures are alleged to be violations of the Washington My Health My Data Act, and with the lawsuit claiming that Amazon “intentionally, knowingly, and maliciously” engaged in unfair and deceptive acts in violation of the Washington Consumer Protection Act.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
While some state privacy laws lack a private cause of action, individuals can sue companies for violations of the Washington My Health My Data Act. The plaintiff, personally and on behalf of similarly situated individuals, seeks all monetary and non-monetary relief allowed by law, injunctive relief to prohibit Amazon from continuing to engage in unlawful business practices, compensatory, consequential, general, and nominal damages, civil penalties, and attorneys’ fees
Amazon maintains consumer privacy is a top priority for the company and the claims made in the lawsuit are not accurate. Further, the company claims its agreements with publishers prohibit them from sending any consumer health data covered by the Washington My Health My Data Act and publishers are prohibited from transmitting biometric data and precise location data. In the event that any prohibited information is transferred, the information is discarded and not used by Amazon in any way.
This is the first lawsuit to be filed alleging violations of the Washington My Health My Data Act, which came into force on March 31, 2024, although similar lawsuits have been filed in other states alleging violations of state privacy laws over the use of trackers and pixels that can collect sensitive user and location data.
