Washington Privacy Law Overview

Washington has not enacted a general comprehensive privacy law, but its My Health My Data Act (MHMDA) is one of the most consequential privacy statutes in the country because it regulates a broad category of "consumer health data" and — uniquely among recent state laws — carries a private right of action. Combined with a longstanding biometric statute and breach-notification rules, Washington presents significant litigation exposure for businesses handling health-adjacent data.

Sector-Specific Privacy Laws in Washington

My Health My Data Act (MHMDA)

Effective March 31, 2024 for most entities, the MHMDA regulates "consumer health data" — defined broadly to include any data linked to past, present or future physical or mental health. It requires opt-in consent to collect or share such data, a separate authorization to sell it, a published consumer-health-data privacy policy, and bans geofencing around health-care facilities. Critically, the MHMDA is enforceable through Washington's Consumer Protection Act, giving consumers a private right of action — a feature that has already driven a wave of class-action filings.

Biometric Privacy (RCW 19.375)

Washington prohibits enrolling a biometric identifier in a database for a commercial purpose without notice and consent. It is enforced by the Attorney General under the Consumer Protection Act; unlike Illinois's BIPA, it does not provide a standalone private right of action.

Data Breach Notification in Washington

Washington's breach-notification statute (RCW 19.255) requires notice to affected consumers and, for larger breaches, to the Attorney General within 30 days.

  • Deadline to notify residents: No later than 30 days after the breach is discovered
  • Attorney General notice: Notify the Washington Attorney General if more than 500 residents are affected, within 30 days
  • Covered data: Name combined with sensitive identifiers (SSN, driver's license, financial-account or medical information, and more)

Recent Enforcement in Washington

  • MHMDA class-action wave (2024-2026): Because the My Health My Data Act is enforceable by private plaintiffs, dozens of class actions have targeted website tracking technologies (pixels, SDKs) that allegedly share health-related browsing data without consent.

Federal Privacy Laws That Apply in Washington

Even where Washington law is silent, residents and businesses are covered by federal privacy statutes:

  • HIPAA — health information held by providers, plans and their vendors
  • GLBA — privacy and safeguards rules for financial institutions
  • FERPA — student education records
  • FCRA — consumer reporting agencies and background screening
  • COPPA — online collection of data from children under 13
  • FTC Act §5 — unfair or deceptive privacy and data-security practices

Industry-Specific Privacy Requirements in Washington

Many Washington businesses face privacy obligations that flow from their industry rather than from a single state statute:

Healthcare

Providers, health plans and their vendors must comply with HIPAA and with any state medical-confidentiality rules when handling patient information in Washington.

Financial Services

Banks, credit unions, lenders and insurers are subject to the Gramm-Leach-Bliley Act privacy and safeguards rules in addition to Washington consumer-protection requirements.

Technology & Online Services

Companies serving users in other states may owe duties under California's CCPA/CPRA and other comprehensive laws even while Washington itself has none — making multi-state compliance the practical reality for most online businesses.

Retail

Retailers handling payment-card data must meet PCI DSS contractual standards and Washington's breach-notification law if customer information is exposed.

Where to File a Privacy Complaint in Washington

Washington residents who believe a business has mishandled their personal information can file a complaint with the Washington Attorney General, which enforces the state's consumer-protection and data-breach laws. Complaints involving federally regulated data — health, financial, credit or children's information — can also be directed to the Federal Trade Commission or the relevant federal regulator. An attorney can help you assess whether you have a claim and choose the best venue to pursue it.

Washington Privacy Law FAQ

Can I be sued personally under the My Health My Data Act?

Yes. The MHMDA is enforceable through Washington's Consumer Protection Act, which means consumers can bring private lawsuits — including class actions — in addition to enforcement by the Attorney General. This private right of action is what makes the MHMDA unusually high-risk for businesses.

What counts as "consumer health data" under the MHMDA?

The definition is very broad: any personal information linked to a consumer's past, present or future physical or mental health status. It can reach data far beyond traditional medical records, including app usage, location near health facilities, and purchases that imply a health condition.

How a Washington Privacy Attorney Can Help

For Businesses

  • Build and audit a privacy compliance program
  • Draft privacy policies, notices and vendor contracts
  • Respond to consumer rights requests
  • Manage data-breach response and notification
  • Defend regulatory investigations and enforcement

For Consumers

  • Enforce your privacy rights against non-compliant businesses
  • Pursue or join data-breach litigation
  • File complaints with the Washington Attorney General
  • Seek damages for identity theft and fraud
  • Stop unlawful data sales and unwanted marketing

Need a Washington Privacy Attorney?

Whether you are a business working toward compliance or a Washington resident whose privacy has been violated, our network of Washington-licensed attorneys can help.