Introduction

In 2025, cannabis marketing in Washington State finds itself at the confluence of two regulatory forces: robust cannabis compliance standards and a groundbreaking privacy law—the Washington My Health My Data Act (WMHMDA). With geofencing prohibitions in force since 2023 and broad compliance obligations in effect from 2024, dispensaries, delivery platforms, and hemp-focused brands face heightened exposure under the law’s sweeping protections for broadly defined “consumer health data.” Below, we break down how this law uniquely impacts the cannabis sector, with a focus on geofencing marketing, adtech, and retargeting risks in 2025, alongside key compliance actions and strategic takeaways for Washington operators.

WMHMDA—What Cannabis Businesses Must Know

The Law: Broad Health Data Protections

Enacted in 2023 and effective in full for most regulated entities as of March 31, 2024, the Washington My Health My Data Act (see RCW 19.373) is one of the most comprehensive state-level privacy laws in the U.S. It regulates any entity conducting business in, or targeting, Washington residents and processing or sharing "consumer health data."

Key Point: For the cannabis industry, “consumer health data” means far more than HIPAA-protected records. The law covers any data that could indicate, relate to, or even infer a consumer’s physical or mental health status—including cannabis-related browsing activity, delivery app usage, dispensary visits, purchase intent, or demographic targeting that could reflect health conditions.

Who Is Covered?

Nearly every cannabis retailer, delivery service, hemp/CBD e-commerce business, and adtech company marketing to Washingtonians or processing their data—including those without a Washington physical footprint—are regulated if they:

• Collect, process, share, or sell data linked to Washington consumers
• Deploy targeting, analytics, tracking, or predictive adtech that could expose health-related interests or activities (even unintentionally)

Enforcement—A High-Risk Compliance Environment

• Violations are per se violations of the Washington Consumer Protection Act (CPA), potentially resulting in enforcement by the Attorney General and private lawsuits, including class actions.
• The law’s unique private right of action means any failure to comply—no matter how technical—is enforceable in court by consumers directly (WA AG Guidance).

Geofencing Prohibition: What’s at Stake for Cannabis Marketers

Geofencing—Strict Bans Near Care Facilities

One of the most consequential sections for cannabis operators is the outright prohibition on using geofencing or similar location-based adtech to track, identify, or send marketing messages to individuals:

• Within 1,850 feet of health care facilities—including hospitals, clinics, mental health centers, addiction treatment, reproductive health clinics, and more
• For the purpose of identifying, targeting, or inferring a consumer’s health status or seeking health-related services (see MHMD Consent Guide)

Practical Impact

• Dispensaries and digital cannabis apps: Cannot use geofence-based ad delivery or consumer analytics near any Washington health facility.
• Retargeting and lookalike audiences: If audience-building techniques are based on a consumer’s proximity to a health facility, this likely violates the act.
• Hemp and CBD marketers: Health and wellness messaging that leverages location-based or programmatic targeting needs a thorough compliance review.

Consumer Health Data—What Counts?

WMHMDA’s definition includes all information—online and offline—that can be linked or reasonably associated with a Washington consumer and which reveals, identifies, or could be used to infer health status, care, or treatment. This includes:

• Purchase history of cannabis/CBD at dispensaries and online stores
• Website browsing activity on dispensary/delivery/medical cannabis sites
• Opt-in forms referencing health conditions (pain relief, sleep, anxiety)
• Demographic or predictive analytics inferring health interests
• Location data that places a person at a dispensary, health care provider, or relevant event

Notably, internal ad network practices (such as Facebook Pixel or Google Analytics) and third-party data sharing are covered.

Consent Requirements and Privacy Policy Updates

Opt-In Consent—A High Bar

• Any collection or sharing of consumer health data beyond what is strictly necessary for providing a requested service requires previous, informed, opt-in consent.
• Consent must be specific, time-bound, and disclose exactly what data is collected, for what purpose, and with whom it will be shared (Usercentrics Guide).
• Bundled or pre-checked consents do not meet statutory requirements.

Privacy Policy and Data Maps

• Cannabis businesses must maintain a dedicated, prominent consumer health data privacy policy, linked clearly from the website/app homepage.
• The policy must explain categories of health data gathered, use cases, sharing partners, retention periods, and consumer rights—including the right to withdraw consent and request deletion.
• Entities should conduct a full audit mapping every signal, SDK, tracker, or programmatic tool that touches consumer data, especially those used in geotargeting or customer segmentation.

Action Steps for Cannabis Operators in Washington

1. Inventory and Limit Adtech/Data Signals

• Review all marketing, analytics, and customer engagement tools for health data signals.
• Disable location-based targeting near healthcare facilities.
• Avoid predictive lookalike audiences based on health-inference profiles.

2. Update Consent Mechanisms

• Ensure all data collection not strictly necessary for core transactions is subject to affirmative, opt-in consent.
• Implement granular privacy controls where possible.

3. Disclose Clearly and Prominently

• Update privacy policies for the WMHMDA’s content and visibility requirements.
• Name each third-party partner or affiliate with access to consumer health data.

4. Revisit Retargeting & Programmatic Buying

• Audit lookalike audience creation, retargeting, and cross-device tracking for potential health inferences.
• Steer clear of any advertising or analytics programs using data collected in or near healthcare facilities.

5. Staff Training & Incident Preparedness

• Train teams on new obligations—and risks of noncompliance. Include marketers, web developers, and outside vendors.
• Prepare for consumer data deletion requests and consent withdrawal procedures.

Consumer Implications

If you’re a Washington consumer:

• You have rights to know, access, delete, or withdraw consent for any consumer health data collected or shared by cannabis-related businesses.
• Data brokers and ad networks serving Washington must honor specific privacy rights—regardless of whether the business is WA-based.
• All violations are enforceable through the Attorney General and private lawsuits under the Washington Consumer Protection Act.

2025 Enforcement Trends and Litigation Risk

Key Trends

• Initial AG guidance (2024/2025) emphasizes that good-faith attempts aren’t always enough—technical and process errors still trigger liability.
• Class actions are anticipated where large numbers of consumers are exposed by non-compliant tech, data sharing, or marketing.
• Entities facing violations risk civil penalties, reputational harm, and costly remediation.

To Reduce Exposure

• Timely audits and updates are critical—especially before campaign launches or partnership onboarding.
• Vendor management must include contractual requirements for WMHMDA compliance when processing consumer health data.
• Regularly check for updated WA AG guidance and compliance resources.

Summary & Final Takeaways

Washington’s My Health My Data Act is a landmark law that profoundly changes the privacy obligations of anyone marketing cannabis, hemp, and wellness products to Washingtonians. In 2025, the most critical exposure relates to geofencing, lookalike audiences, and the handling of data that could—directly or indirectly—relate to health status. Compliance is not just about technical fixes, but ongoing consumer transparency, internal controls, and proactive vendor oversight.

Operators who fail to adopt WMHMDA-compliant practices now face legal, financial, and brand risks far greater than under prior privacy frameworks. Dispensaries, delivery services, and hemp brands should move quickly to inventory data systems, update consent flows, restrict location-based advertising, and retrain staff.

Stay ahead of Washington’s evolving cannabis compliance landscape—leverage resources, track new AG guidance, and consult compliance professionals for tailored assessments.

For more guides, updates, or to connect with trusted professionals for compliance support, visit CannabisRegulations.ai.