2025 Brings Heightened Focus on Location Data and Online Tracking Through Increased Enforcement and Litigation
If the first quarter of 2025 tells us anything about privacy litigation and enforcement trends for the remainder of the year, it is that there will be increased attention on companies’ use of online tracking technologies and geolocation data. So far this year, consumers brought the first federal class action complaint under the Washington My Health My Data Act (MHMDA), Honda entered into a settlement with the California Privacy Protection Agency (CPPA) over privacy violations, the CPPA announced an investigative sweep of the location data industry, and the Texas Attorney General brought his first enforcement action under the state’s broadly applicable consumer privacy law.
These developments underscore the need for companies to periodically evaluate their compliance practices related to tracking technologies and the collection and use of location data. Because such technologies and practices are critical business tools, companies should create a process to implement them effectively and safely, with an eye to an evolving privacy-protective landscape. We discuss each of these developments in detail below.
First Federal Class Action Under the MHMDA
On February 10, 2025, consumers filed a class action complaint against Amazon.com, Inc. and Amazon Advertising, LLC (Amazon) under the MHMDA. The complaint, filed in federal court in the Western District of Washington, was the first federal lawsuit brought under the MHMDA. The MHMDA, itself a first-of-its-kind statute, broadly restricts how regulated entities may collect, share, and sell consumer health data that is not protected under the Health Insurance Portability and Accountability Act (HIPAA) or other privacy regimes, such as those governing the use of health data in some clinical trials.
The complaint alleges that Amazon unlawfully collected and monetized consumer geolocation data using certain online tracking technologies integrated into more than 10,000 Android and iPhone mobile applications. Specifically, the plaintiff claims that Amazon’s software development kit (SDK), which was embedded in these mobile applications, collected location data and ad IDs in violation of the MHMDA, as well as the Federal Wiretap Act, the Stored Communications Act, the Computer Fraud and Abuse Act, and certain common law privacy claims. Some of the geolocation data allegedly collected provides insights into a consumer’s health, including visits to clinics, health behaviors like eating fast food or going to the gym, social determinants of health including the environment in which a consumer lives and works, and social networks that may influence health. (The complaint does not contain details as to how the location data revealed health information about the individual plaintiff.) Amazon allegedly did not give notice of or obtain consumers’ consent prior to the collection and sharing of this data, in violation of the MHMDA.
While similar state health privacy laws, like those in Connecticut and Nevada, do not contain a private right of action, the MHMDA provides that consumers who suffer injury from a violation of the statute may sue for damages under Washington’s Consumer Protection Act (CPA). To prevail on a CPA claim based on a violation of the MHMDA, a plaintiff must establish the underlying MHMDA violation, causation, and damages, and a prevailing plaintiff may recover actual damages, costs of suit, reasonable attorneys’ fees, and treble damages per plaintiff not to exceed $25,000.
First Enforcement Action Under Texas’ Broad Consumer Privacy Law
The MHMDA lawsuit comes just a month after Texas Attorney General Ken Paxton announced his first enforcement action under the Texas Data Privacy and Security Act (TDPSA) against the Allstate Corporation and Allstate Vehicle and Property Insurance Company (Allstate) for allegedly collecting, using, and selling the geolocation of drivers without proper notice and consent. Allstate allegedly collected trillions of miles worth of location data from over 45 million consumers to create the “world’s largest driving behavior database,” which Allstate not only used for its own insurance underwriting but also sold to other insurers. According to the complaint, insurers would use this data to justify increasing car insurance premiums or denying consumers’ coverage. The Texas Attorney General claimed that Allstate violated the TDPSA (in addition to violating other laws) by failing to provide a reasonably accessible privacy notice stating how consumers may exercise their rights under the TDPSA and to disclose material information about Allstate’s practices with respect to targeted advertising and sales of personal data.
The enforcement action comes approximately six months after the Texas Attorney General announced that he would initiate investigations into several car manufacturers after “widespread reporting that they have secretly been collecting mass amounts of data about drivers directly from their vehicles and then selling that data to third parties — including to insurance providers.”
California Regulator Actions: Honda Settlement and Investigative Sweep of Location Data Industry
Honda’s Settlement With the CPPA
On March 7, 2025, the CPPA issued a decision requiring American Honda Motor Company (Honda) to revise its privacy-related business practices and pay a $632,500 fine to resolve claims that Honda violated the California Consumer Privacy Act (CCPA).
Almost two years earlier, the CPPA announced that it was reviewing data privacy practices by connected vehicle manufacturers, which included Honda and ultimately led to the March 2025 decision. The CPPA found that Honda (1) sought too much personal information from consumers when they exercised their rights to opt out of Honda’s sale of their personal information, the sharing of their personal information for cross-context behavioral advertising, or the use of their sensitive personal information for purposes not specified in the statute; and (2) made it difficult for consumers to use authorized agents to exercise their privacy rights. The CPPA also found that Honda’s online privacy management tool failed to offer privacy choices in a symmetrical manner. Specifically, Honda allegedly required consumers to go through two steps to opt out of the use of advertising cookies but only one step to accept the use of such cookies. Citing the CCPA regulations, the decision reinforced that a choice for consumers regarding such uses and disclosures is not symmetrical if it requires more steps to opt out than to opt in. The CPPA further asserted that privacy-protective contracts were not in place with some of Honda’s service providers that were accessing consumer personal data, including vendors providing online tracking tools.
In its settlement, Honda agreed to: (1) implement a new and simpler process for Californians to exercise their privacy rights; (2) certify its compliance, train its employees, and consult a user-experience designer to evaluate its methods for consumers to submit privacy-related requests; (3) change its contracting process to ensure appropriate mechanisms are in place to protect personal information; and (4) pay an administrative fine of $632,500.
Investigative Sweep of Location Data Industry
On March 10, 2025, California Attorney General Rob Bonta announced an “investigative sweep” into the location data industry. Attorney General Bonta’s office sent letters to advertising networks, mobile app providers, and data brokers warning them about their obligations under the CCPA. The CCPA has special protections for data classified as “sensitive” (e.g., health or location data), including granting consumers the right to limit the use of sensitive personal data to that which is necessary to perform the services or provide the goods reasonably expected by an average consumer. For example, if a consumer exercises the right to limit a business’ use of the consumer’s sensitive personal data, the business may not exchange that data with non-vendor third parties. Attorney General Bonta noted that “location data is deeply personal, [it] can let anyone know if you visit a health clinic or hospital, and can identify your everyday habits and movements,” and that businesses accordingly must take the responsibility to protect location data seriously, particularly in light of “the federal assaults on immigrant communities, as well as gender-affirming healthcare and abortion.”
Key Takeaways
The first federal MHMDA lawsuit and the CPPA’s and Texas Attorney General’s investigations, settlements, and actions in the first quarter of 2025 indicate a continued litigation and enforcement focus on online tracking technologies and location data in particular.
Organizations should be vigilant in evaluating the manner in which they use tracking technologies on their website and within products, as well as their collection and use of geolocation data. Companies using tracking technologies should ensure that they, among other efforts:
- Provide consumers with clear and sufficient notice of the use of such data
- Limit collection of such data to that reasonably necessary to perform the specific purposes for which the data is processed
- Create processes for authorized agents to submit data subject requests
- Obtain consent to and/or provide the right to opt out of the processing of sensitive information (including location data), depending on the jurisdiction
- Contractually require vendors to protect and limit their use of personal information in accordance with applicable law
© Arnold & Porter Kaye Scholer LLP 2025 All Rights Reserved. This Blog post is intended to be a general summary of the law and does not constitute legal advice. You should consult with counsel to determine applicable legal requirements in a specific fact situation.