Washington Data Privacy Laws: My Health My Data Act & More (2026)

Overview of Data Privacy Law in Washington State
Washington state occupies a unique position in the American data privacy landscape. Despite being home to some of the largest technology companies in the world, the state has repeatedly failed to enact a comprehensive consumer privacy law similar to California's CCPA or Virginia's CDPA.

However, Washington has not left its residents without protections. The state has enacted several targeted privacy statutes that address specific categories of data and practices. These include one of the strongest health data privacy laws in the nation, a biometric identifier protection statute, and robust data breach notification requirements.
This guide covers every major data privacy law currently in effect in Washington, the history of failed comprehensive legislation, and what may be coming next.
The Washington My Health My Data Act (MHMDA)
What the Law Covers
The Washington My Health My Data Act, codified as Chapter 19.373 RCW, was signed into law by Governor Jay Inslee on April 27, 2023. It took effect for most regulated entities on March 31, 2024, with small businesses given until June 30, 2024, to comply.
The MHMDA was passed largely in response to the U.S. Supreme Court decision in Dobbs v. Jackson Women's Health Organization, which overturned Roe v. Wade. Lawmakers were concerned that health data collected by apps, websites, and other digital services could be used to identify individuals seeking reproductive healthcare.
Extremely Broad Definition of Consumer Health Data
The MHMDA defines consumer health data far more broadly than traditional health privacy laws like HIPAA. Under RCW 19.373.010, consumer health data means personal information that is linked or reasonably linkable to a consumer and that identifies the consumer's past, present, or future physical or mental health status.
The statute provides a nonexhaustive list of categories that qualify as health data, including:
- Health conditions, treatments, diseases, or diagnoses
- Social, psychological, behavioral, and medical interventions
- Surgeries, procedures, and use of prescribed medications
- Bodily functions, vital signs, and symptoms
- Reproductive and sexual health information
- Biometric data used in a health context
- Gender-affirming care information
- Data that identifies a consumer seeking healthcare services
- Precise location information that could reveal health-related visits
- Any data derived or inferred from non-health information that relates to health
This broad scope means the law reaches far beyond traditional healthcare providers. Any company that collects data that could reveal something about a person's health status, even indirectly, may be subject to the MHMDA.
Key Consumer Rights Under the MHMDA
The law grants Washington consumers several important rights regarding their health data:
Right to Confirmation. Consumers can ask whether a regulated entity is collecting, sharing, or selling their consumer health data.
Right to Deletion. Consumers can request that a regulated entity delete their consumer health data.
Right to Withdraw Consent. Consumers can withdraw previously given consent for collection and sharing of their health data.
Consent Requirements
The MHMDA imposes strict consent requirements on regulated entities. Before collecting consumer health data, a business must obtain the consumer's consent for the specific purpose of collection. Before sharing consumer health data, the business must obtain consent that is separate and distinct from the consent given for collection.
This dual-consent model means blanket privacy policy acceptance is not sufficient. Companies need clear, affirmative, and purpose-specific consent for both collecting and sharing health data.
Consumer Health Data Privacy Policy
Every regulated entity and small business must maintain a publicly available consumer health data privacy policy. This policy must clearly disclose:
- The categories of consumer health data collected and the purpose for each
- The categories of sources from which consumer health data is collected
- The categories of consumer health data that is shared
- A list of the categories of third parties and specific affiliates that receive shared data
Geofencing Ban Near Healthcare Facilities
One of the most notable provisions of the MHMDA is an absolute ban on geofencing near healthcare facilities. Under RCW 19.373.060, it is unlawful for any person to implement a geofence around an entity that provides in-person healthcare services where that geofence is used to:
- Identify or track consumers seeking healthcare services
- Collect consumer health data from consumers
- Send notifications, messages, or advertisements to consumers related to their health data or healthcare services
The law defines geofence as technology that uses GPS coordinates, cell tower connectivity, cellular data, RFID, Wi-Fi data, or any other spatial or location detection method to establish a virtual boundary within 2,000 feet of a healthcare facility.
This prohibition has no exceptions. Even consumer consent cannot authorize geofencing near healthcare facilities for these purposes. The geofencing ban took effect on July 23, 2023, ahead of the rest of the law's compliance deadlines.
Private Right of Action and Enforcement
The MHMDA is enforced through the Washington Consumer Protection Act (CPA), Chapter 19.86 RCW. A violation of the MHMDA is a per se violation of the CPA, meaning no additional proof of unfair or deceptive conduct is required.
This matters because the CPA provides both public and private enforcement:
Attorney General Enforcement. The Washington Attorney General can bring enforcement actions under the CPA for MHMDA violations.
Private Right of Action. Individual consumers who are injured by a violation can file a civil lawsuit seeking injunctive relief, actual damages, and reasonable attorney fees and costs. Courts may award treble damages up to $25,000.
The inclusion of a private right of action makes the MHMDA significantly stronger than many other state privacy laws. It means companies face litigation risk not only from the state but from individual consumers and class action plaintiffs.
Small Business Provisions
The MHMDA defines a small business as a regulated entity that satisfies both of the following: it collects, processes, sells, or shares the consumer health data of fewer than 100,000 consumers during a calendar year, and it either derives less than 50% of its gross revenue from the collection, processing, selling, or sharing of consumer health data or processes the data of fewer than 25,000 consumers.
Small businesses received an extended compliance deadline of June 30, 2024, rather than the March 31, 2024, date that applied to larger regulated entities.
Washington Biometric Privacy Law (RCW 19.375)
Scope and Definitions
Washington enacted its biometric privacy law through House Bill 1493, which was signed by the governor on May 16, 2017, and is codified as Chapter 19.375 RCW.
Under RCW 19.375.010, a biometric identifier is defined as data generated by automatic measurements of an individual's biological characteristics, including:
- Fingerprints
- Voiceprints
- Eye retinas and irises
- Other unique biological patterns or characteristics used to identify a specific individual
The definition explicitly excludes physical or digital photographs, video or audio recordings (and data generated from them), and information collected, used, or stored for healthcare treatment, payment, or operations under HIPAA.
Notice, Consent, and Enrollment Requirements
Under RCW 19.375.020, a person may not enroll a biometric identifier in a database for a commercial purpose without first:
- Providing notice to the individual
- Obtaining consent from the individual
- Providing a mechanism to prevent the subsequent use of the biometric identifier for a commercial purpose
The notice requirement is satisfied through a disclosure that is reasonably designed to be readily available to affected individuals. The form and manner of the notice and consent depends on the context.
Retention and Security Requirements
Any person who possesses biometric identifiers enrolled for a commercial purpose must:
- Take reasonable care to guard against unauthorized access to and acquisition of biometric identifiers
- Retain biometric identifiers no longer than is reasonably necessary to comply with a court order, statute, or public records retention schedule, or to protect against or prevent actual or potential fraud and criminal activity
Enforcement: No Private Right of Action
A critical distinction between Washington's biometric law and Illinois's Biometric Information Privacy Act (BIPA) is that Washington's law has no private right of action. A violation of RCW 19.375 is an unfair or deceptive act under the Consumer Protection Act (RCW 19.86), but enforcement is limited to the Attorney General.
This means individual consumers cannot sue businesses directly for violations of the biometric privacy law. Only the Washington Attorney General can bring enforcement actions.
Exemptions
The biometric privacy law does not apply to:
- Financial institutions or their affiliates subject to Title V of the federal Gramm-Leach-Bliley Act of 1999
- Activities subject to Title V of the federal Health Insurance Portability and Accountability Act (HIPAA) of 1996
Data Breach Notification Law (RCW 19.255)
Notification Requirements
Washington's data breach notification law is codified as Chapter 19.255 RCW. It requires any person or business that conducts business in Washington and owns or licenses data containing personal information to notify affected individuals following the discovery of a security breach.
Under RCW 19.255.010, notification must be made to any Washington resident whose personal information was, or is reasonably believed to have been, acquired by an unauthorized person and was not secured through encryption or other methods.
An exception exists where notice is not required if the breach is not reasonably likely to subject consumers to a risk of harm.
What Constitutes Personal Information
Under RCW 19.255.005, personal information includes an individual's first name or first initial and last name combined with any of the following:
- Social Security number
- Driver's license or state identification card number
- Account number, credit card number, or debit card number in combination with any required security code, access code, or password
- Full date of birth
- Health insurance policy number or subscriber identification number combined with a unique identifier used by an insurer
- Student, military, or passport identification number
- Any information about a consumer's medical history, mental or physical condition, or medical treatment or diagnosis by a healthcare professional
Attorney General Notification
When a breach affects more than 500 Washington residents, the person or business must notify the Washington Attorney General within 30 days of discovering the breach.
Content of Notice
Breach notifications must be written in plain language and include, at minimum:
- The name and contact information of the reporting entity
- A list of the types of personal information involved in the breach
- The toll-free telephone numbers and addresses of major credit reporting agencies (if the breach exposed financial data)
Law Enforcement Delay
Notification may be delayed if a law enforcement agency determines that the notification would impede a criminal investigation. Once law enforcement determines notification will not compromise the investigation, the notice must be sent.
Liability
Under RCW 19.255.020, a processor, business, or vendor that experiences a breach is liable for damages from any person injured by the breach when the breach was caused by the processor, business, or vendor, or a third party acting on their behalf.
The Failed Washington Privacy Act
Legislative History
Washington came closer than almost any other state to passing a comprehensive consumer privacy law, yet the effort failed three consecutive years:
SB 5376 (2019). Introduced by Senator Reuven Carlyle, this was the first version of the Washington Privacy Act. It passed the Senate but died in the House in April 2019. The primary disagreement was over whether the bill should include a private right of action allowing consumers to sue for violations.
SB 6281 (2020). A revised version was introduced for the 2020 session. It again passed the Senate but failed in the House over the same enforcement dispute.
SB 5062 (2021). The third attempt at a comprehensive privacy act was introduced in January 2021. The Senate version would not have allowed consumers to sue, while the House advanced a version that included private enforcement. The two chambers could not reach a compromise, and the bill died when the legislative session ended on April 25, 2021.
Why the Bills Failed
The central dispute in every iteration was the same: whether to include a private right of action. The Senate consistently favored Attorney General-only enforcement, arguing that a private right of action would lead to excessive litigation. The House insisted that meaningful enforcement required giving consumers the ability to sue directly.
Consumer advocacy groups, including Consumer Reports and the ACLU of Washington, opposed the bills in their Senate forms, arguing they were too weak without private enforcement and contained broad exemptions that would have limited their effectiveness.
What the Bills Would Have Done
Despite their failure, the proposed Washington Privacy Act would have been a significant step. Key provisions included:
- Right to access, correct, and delete personal data
- Right to opt out of data sales and targeted advertising
- Data protection assessments for high-risk processing activities
- Privacy notice requirements for all covered businesses
- Reasonable data security standards
Current Legislative Efforts: HB 1671 (2025-2026)
Washington lawmakers have not given up on comprehensive privacy legislation. House Bill 1671, titled the People's Privacy Act, was introduced in the 2025 session. The bill would apply to persons conducting business in Washington or targeting Washington residents that collect or process personal data.
HB 1671 notably aligns with the existing My Health My Data Act by incorporating consumer health data into its definitions. However, the bill failed to advance before Washington's crossover deadline of March 12, 2025. It was reintroduced and retained in present status on January 12, 2026, keeping it alive for the remainder of the 2025-2026 session.
As of March 2026, the bill's prospects remain uncertain. Washington's history of failed comprehensive privacy bills suggests that passing HB 1671 will require bridging the same enforcement disputes that have derailed previous attempts.
Federal Privacy Framework
In the absence of a comprehensive state law, several federal statutes provide baseline privacy protections for Washington residents:
Health Insurance Portability and Accountability Act (HIPAA). Protects health information held by covered entities such as healthcare providers, health plans, and healthcare clearinghouses. HIPAA does not cover many of the entities and data types that fall under Washington's MHMDA.
Gramm-Leach-Bliley Act (GLBA). Requires financial institutions to explain their information-sharing practices and safeguard sensitive data. Washington's biometric law explicitly exempts entities subject to the GLBA.
Children's Online Privacy Protection Act (COPPA). Protects the online privacy of children under 13 by requiring parental consent for data collection.
Fair Credit Reporting Act (FCRA). Regulates the collection, dissemination, and use of consumer credit information.
Electronic Communications Privacy Act (ECPA) and Stored Communications Act (SCA). Provide federal protections for electronic communications, though these statutes have not kept pace with modern technology.
These federal laws provide important but incomplete protections. Washington's targeted state laws, particularly the MHMDA, fill gaps that federal law does not address.
Washington Attorney General: Data Privacy Enforcement
The Washington Attorney General's Office plays a central role in enforcing the state's data privacy laws. The AG has been active in pursuing companies that violate Washington consumer protection laws through deceptive data practices.
Notable Enforcement Actions
Google Location Tracking ($39.9 Million). In one of the most significant state-level privacy enforcement actions in U.S. history, former Attorney General Bob Ferguson obtained a $39.9 million settlement from Google over deceptive location tracking practices. Rather than joining a multistate settlement, Washington filed its own lawsuit and recovered more than double what it would have received from the joint action. Google was also required to implement court-ordered transparency reforms.
Data Privacy Survey (2025). In July 2025, the Attorney General's Office launched a Data Privacy Survey to learn about the data privacy concerns and challenges facing Washington residents. The results are expected to inform future legislative and enforcement priorities.
Breach Notification Oversight. The AG maintains a public Data Breach Notifications Directory where consumers can see reported breaches affecting Washington residents.
Practical Compliance Guidance
For Businesses Operating in Washington
Companies that collect data from Washington residents should evaluate their obligations under each of the state privacy laws:
Step 1: Assess MHMDA Applicability. Determine whether your business collects any data that could be considered consumer health data under the MHMDA's broad definition. Remember that location data, biometric data, and inferred health information all qualify.
Step 2: Implement Dual Consent. If the MHMDA applies, implement separate consent mechanisms for collecting and sharing consumer health data. General privacy policy acceptance is insufficient.
Step 3: Publish a Health Data Privacy Policy. If you collect consumer health data, publish a dedicated privacy policy that meets the MHMDA's specific disclosure requirements.
Step 4: Review Biometric Practices. If your business uses fingerprints, facial recognition, iris scans, or other biometric identifiers for commercial purposes, ensure you are providing notice and obtaining consent under RCW 19.375.
Step 5: Update Breach Response Plans. Ensure your incident response plan accounts for Washington's 30-day AG notification requirement when 500 or more residents are affected.
Step 6: Avoid Geofencing Near Healthcare Facilities. If your business uses location-based targeting, ensure no geofences are set within 2,000 feet of any facility providing in-person healthcare services in Washington.
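Step 6 and the geofence definition earlier in the article can be turned into a pre-deployment check on a campaign's location-targeting configuration. The script below is an added example, not code from the article or from any Washington agency; the facility and fence names, coordinates, and radii are constructed, and it assumes circular fences and a spherical-earth (haversine) distance, which is accurate enough at the 2,000-foot scale.

```python
# Added example: lint a set of proposed geofences against the MHMDA
# 2,000-foot rule (RCW 19.373.060). All facilities and fences are constructed.
import math
from dataclasses import dataclass

EARTH_RADIUS_M = 6_371_000.0
FEET_PER_METER = 3.28084
PROHIBITED_RADIUS_FT = 2000.0  # statutory distance from a healthcare facility


@dataclass(frozen=True)
class Facility:
    name: str
    lat: float
    lon: float


@dataclass(frozen=True)
class Geofence:
    name: str
    lat: float
    lon: float
    radius_ft: float  # radius of the virtual boundary the campaign would draw


def haversine_ft(lat1, lon1, lat2, lon2):
    """Great-circle distance in feet between two latitude/longitude points."""
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    dphi = phi2 - phi1
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(phi1) * math.cos(phi2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a)) * FEET_PER_METER


def conflicts_for(fence, facilities):
    """Facilities whose 2,000-ft zone intersects the fence's circle.

    A fence is a problem if any part of it lies within 2,000 ft of a facility,
    so the test is centre distance <= fence radius + 2,000 ft, not merely
    centre distance <= 2,000 ft.
    """
    found = []
    for fac in facilities:
        dist = haversine_ft(fence.lat, fence.lon, fac.lat, fac.lon)
        if dist <= fence.radius_ft + PROHIBITED_RADIUS_FT:
            found.append((fac.name, round(dist)))
    return found


def audit(fences, facilities):
    """Map each fence name to the facilities it conflicts with (empty list = clear)."""
    return {f.name: conflicts_for(f, facilities) for f in fences}


# Constructed sample data: Seattle-area coordinates, fictional names.
FACILITIES = [
    Facility("Constructed Clinic A", 47.6062, -122.3321),
    Facility("Constructed Clinic B", 47.6500, -122.3500),
]
FENCES = [
    Geofence("promo-near", 47.6062, -122.3271, 300.0),      # centre ~1,230 ft from A
    Geofence("promo-overlap", 47.6062, -122.3121, 3200.0),  # centre ~4,920 ft; edge intrudes
    Geofence("promo-far", 47.6062, -122.3021, 500.0),       # centre ~7,380 ft from A
]

if __name__ == "__main__":
    for name, hits in audit(FENCES, FACILITIES).items():
        print(("BLOCK " if hits else "ok    ") + name, hits)
```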
For Washington Residents
Washington residents have several rights under existing law:
- You can request confirmation of whether a company collects your health data and ask for its deletion under the MHMDA
- You can withdraw consent for health data collection and sharing at any time
- You must be notified if your personal information is compromised in a data breach
- You can file a private lawsuit if a company violates the MHMDA
To report potential violations of Washington data privacy laws, contact the Washington Attorney General's Office.
Sources and References
- Chapter 19.373 RCW: Washington My Health My Data Act - Washington State Legislature
- Chapter 19.375 RCW: Biometric Identifiers - Washington State Legislature
- Chapter 19.255 RCW: Personal Information - Notice of Security Breaches - Washington State Legislature
- RCW 19.375.020: Enrollment, Disclosure, and Retention of Biometric Identifiers - Washington State Legislature
- HB 1155: My Health My Data Act Bill Summary - Washington State Legislature
- SB 5376: Washington Privacy Act (2019) - Washington State Legislature
- SB 5062: Washington Privacy Act (2021) - Washington State Legislature
- HB 1671: People's Privacy Act (2025) - Washington State Legislature
- Data Privacy Hub - Washington Attorney General
- Protecting Washingtonians' Personal Health Data and Privacy - Washington Attorney General
- AG Ferguson Lawsuit Forces Google to Pay Nearly $40M - Washington Attorney General
- Data Breach Notifications Directory - Washington Attorney General