Amazon is facing a lawsuit for its software development kit (SDK), which allegedly unlawfully obtained consumers’ medical and location information violating government rules and consumer privacy regulations in Washington. An SDK is a collection of software development applications, including compilers, debuggers, and code libraries, that enables software programmers to create applications consistently. The Amazon SDK is loaded in many third-party apps and operates in the background, allowing Amazon to get data like location information from consumer devices. The data obtained by Amazon is utilized for promotional purposes, and the information can be marketed to other people. The lawsuit claims the Amazon SDK is built into over 10,000 different applications.
On February 20, 2025, on behalf of plaintiff Cassaundra Maxwell and likewise impacted persons, the legal action was filed in the U.S. District Court for the Western District of Washington at Seattle. The lawsuit states Amazon is illegally tracking, acquiring, and cashing in on users’ location information, violating the Federal Wiretap Act, Computer Fraud and Abuse Act, Stored Communications Act, the Washington My Health My Data Act, and the Washington Consumer Protection Act. In addition, the lawsuit asserts claims of unjust enrichment and privacy invasion.
According to the plaintiff, the apps installed on her phone integrated the Amazon SDK, which includes the OfferUp and Weather Channel apps. She claims the Amazon SDK integrated into those applications has obtained her personal information without her awareness or authorization. Amazon has utilized that data for its profit and has offered that information to others. The information alleged to have been obtained by Amazon consists of the plaintiff’s health information, biometric information, and exact location details. The lawsuit states that the location information obtained by the Amazon SDK can reasonably show a consumer’s attempt to obtain or get medical services or supplies.
Based on the lawsuit, Amazon didn’t get permission to gather consumer information, didn’t conspicuously make known the categories of consumer information gathered and shared, didn’t state the reason for gathering the data, nor the types of organizations that would get the information and how customers can withdraw permission to avoid data collection in the future. These failures are purported to have violated the Washington My Health My Data Act. The lawsuit also claimed that Amazon deliberately, knowingly, and maliciously used unfair and deceitful acts, which violated the Washington Consumer Protection Act.
Although certain state privacy legislations lack a private cause of action, people can file suit against companies for Washington My Health My Data Act violations. The plaintiff, individually and on behalf of likewise affected individuals, wants all monetary and non-monetary relief permitted by law, consequential, compensatory, general, and nominal damages, injunctive relief to stop Amazon from carrying on with its illegal business tactics, attorneys’ fees, and civil penalties.
Amazon claims consumer privacy is the company’s top priority and the lawsuit statements aren’t accurate. Additionally, the company states its contracts with publishers forbid them from transmitting any consumer health information protected by the Washington My Health My Data Act and publishers are forbidden from sending biometric information and exact location information. When any forbidden data is transmitted, Amazon discards the data and does not use it at all.
This is the first lawsuit that claimed violations of the Washington My Health My Data Act. This act became effective on March 31, 2024. Identical lawsuits were filed in other states claiming state privacy law violations and/or HIPAA violations with the use of trackers and pixels that could gather sensitive user and location information.
Image credits: logo©amazon / Winyou, AdobeStock
