Washington Data Privacy Laws: My Health My Data Act & More (2026)

Washington has no comprehensive consumer privacy law as of 2026, but the My Health My Data Act (Chapter 19.373 RCW) fills a critical gap: it covers health data far beyond HIPAA's reach, bans geofencing near healthcare facilities, and gives consumers a private right of action through the Washington Consumer Protection Act.
Overview of Data Privacy Law in Washington State
Washington state occupies a unique position in the American data privacy landscape. Despite being home to some of the largest technology companies in the world, the state has repeatedly failed to enact a comprehensive consumer privacy law similar to the California Consumer Privacy Act or Virginia Consumer Data Protection Act.
Washington has not left its residents without protections, however. The state has enacted several targeted privacy statutes addressing specific categories of data and practices. These include one of the strongest health data privacy laws in the nation, a biometric identifier protection statute, and robust data breach notification requirements.
This article covers every major data privacy law currently in effect in Washington, the history of failed comprehensive legislation, what may change in the 2025-2026 legislative session, and the federal overlay that applies to Washington residents regardless of state law.
The Washington My Health My Data Act (MHMDA)
What the Law Covers

The Washington My Health My Data Act, codified as Chapter 19.373 RCW, was signed into law by Governor Jay Inslee on April 27, 2023. It took effect for most regulated entities on March 31, 2024, with small businesses given until June 30, 2024, to comply. The geofencing prohibition took effect earlier, on July 23, 2023.
The MHMDA was passed largely in response to the U.S. Supreme Court decision in Dobbs v. Jackson Women's Health Organization, which overturned Roe v. Wade. Lawmakers were concerned that health data collected by apps, websites, and other digital services could be used to identify individuals seeking reproductive healthcare.
Extremely Broad Definition of Consumer Health Data
The MHMDA defines consumer health data far more broadly than traditional health privacy laws like HIPAA. Under RCW 19.373.010, consumer health data means personal information that is linked or reasonably linkable to a consumer and that identifies the consumer's past, present, or future physical or mental health status.
The statute provides a nonexhaustive list of categories that qualify as health data, including:
- Health conditions, treatments, diseases, or diagnoses
- Social, psychological, behavioral, and medical interventions
- Surgeries, procedures, and use of prescribed medications
- Bodily functions, vital signs, and symptoms
- Reproductive and sexual health information
- Biometric data used in a health context
- Gender-affirming care information
- Data that identifies a consumer seeking healthcare services
- Precise location information that could reveal health-related visits
- Any data derived or inferred from non-health information that relates to health
This broad scope means the law reaches far beyond traditional healthcare providers. Any company that collects data that could reveal something about a person's health status, even indirectly, may be subject to the MHMDA.
Key Consumer Rights Under the MHMDA
The law grants Washington consumers several important rights regarding their health data:
Right to Confirmation. Consumers can ask whether a regulated entity is collecting, sharing, or selling their consumer health data.
Right to Deletion. Consumers can request that a regulated entity delete their consumer health data.
Right to Withdraw Consent. Consumers can withdraw previously given consent for collection and sharing of their health data.
Consent Requirements
The MHMDA imposes strict consent requirements on regulated entities. Before collecting consumer health data, a business must obtain the consumer's consent for the specific purpose of collection. Before sharing consumer health data, the business must obtain separate and distinct consent from the consent given for collection.
This dual-consent model means blanket privacy policy acceptance is not sufficient. Companies need clear, affirmative, and purpose-specific consent for both collecting and sharing health data.
Consumer Health Data Privacy Policy
Every regulated entity and small business must maintain a publicly available consumer health data privacy policy. This policy must clearly disclose:
- The categories of consumer health data collected and the purpose for each
- The categories of sources from which consumer health data is collected
- The categories of consumer health data that are shared
- A list of the categories of third parties and specific affiliates that receive shared data
Geofencing Ban Near Healthcare Facilities
One of the most notable provisions of the MHMDA is an absolute ban on geofencing near healthcare facilities. Under RCW 19.373.060, it is unlawful for any person to implement a geofence around an entity that provides in-person healthcare services where that geofence is used to:
- Identify or track consumers seeking healthcare services
- Collect consumer health data from consumers
- Send notifications, messages, or advertisements to consumers related to their health data or healthcare services
The law defines geofence as technology that uses GPS coordinates, cell tower connectivity, cellular data, RFID, Wi-Fi data, or any other spatial or location detection method to establish a virtual boundary within 2,000 feet of a healthcare facility.
This prohibition has no exceptions. Even consumer consent cannot authorize geofencing near healthcare facilities for these purposes.
Private Right of Action and Enforcement
The MHMDA is enforced through the Washington Consumer Protection Act (CPA), Chapter 19.86 RCW. A violation of the MHMDA is a per se violation of the CPA, meaning no additional proof of unfair or deceptive conduct is required.
This matters because the CPA provides both public and private enforcement:
Attorney General Enforcement. The Washington Attorney General can bring enforcement actions under the CPA for MHMDA violations.
Private Right of Action. Individual consumers who are injured by a violation can file a civil lawsuit seeking injunctive relief, actual damages, and reasonable attorney fees and costs. Courts may award treble damages up to $25,000.
The inclusion of a private right of action makes the MHMDA significantly stronger than many other state privacy laws. It means companies face litigation risk not only from the state but from individual consumers and class action plaintiffs.
MHMDA Private Litigation: First Cases (2025)

The MHMDA's private right of action produced its first class action cases in 2025, more than a year after the law's March 31, 2024, effective date.
Amazon SDK Lawsuit (February 2025). On February 10, 2025, a Washington resident filed the first class action under the MHMDA in the Western District of Washington. The complaint alleges that Amazon.com, Inc. and Amazon Advertising, LLC collected location data from tens of millions of users through Amazon's software development kits (SDKs) without affirmative consent and used that information for targeted advertising and third-party data sales. The lawsuit also asserts claims under the federal Wiretap Act and Washington's Consumer Protection Act. As of May 2026, the case is pending.
Uncle Ike's Cannabis Retailer Lawsuit (November 2025). A second class action was filed against Uncle Ike's, a Seattle-area cannabis retailer, alleging the company configured website tracking pixels and cookies to transmit customers' personally identifiable information to Google and other third parties without consent. The complaint specifically alleges the trackers captured details about medical marijuana card appointments and specific products purchased. This case presents a significant question about whether location and purchase data at a cannabis retailer constitutes "consumer health data" under RCW 19.373.010.
The Washington Legislature anticipated private litigation volume. RCW 44.28.819 requires the Joint Legislative Audit and Review Committee to compile a report on enforcement actions brought under the MHMDA and submit findings to the Governor and relevant legislative committees by September 30, 2030.
Small Business Provisions
The MHMDA defines a small business as one that satisfies both of the following: it collects, processes, sells, or shares the consumer health data of fewer than 100,000 consumers during a calendar year, and it either derives less than 50% of gross revenue from the collection, processing, selling, or sharing of consumer health data or processes data of fewer than 25,000 consumers.
Small businesses received an extended compliance deadline of June 30, 2024, rather than the March 31, 2024, date that applied to larger regulated entities.
Washington Biometric Privacy Law (RCW 19.375)
Scope and Definitions
Washington enacted its biometric privacy law through House Bill 1493, which was signed on May 16, 2017, and is codified as Chapter 19.375 RCW.
Under RCW 19.375.010, a biometric identifier is defined as data generated by automatic measurements of an individual's biological characteristics, including:
- Fingerprints
- Voiceprints
- Eye retinas and irises
- Other unique biological patterns or characteristics used to identify a specific individual
The definition explicitly excludes physical or digital photographs, video or audio recordings (and data generated from them), and information collected, used, or stored for healthcare treatment, payment, or operations under HIPAA.
Notice, Consent, and Enrollment Requirements
Under RCW 19.375.020, a person may not enroll a biometric identifier in a database for a commercial purpose without first:
- Providing notice to the individual
- Obtaining consent from the individual
- Providing a mechanism to prevent the subsequent use of the biometric identifier for a commercial purpose
The notice requirement is satisfied through a disclosure that is reasonably designed to be readily available to affected individuals. The form and manner of the notice and consent depend on the context.
Retention and Security Requirements
Any person who possesses biometric identifiers enrolled for a commercial purpose must:
- Take reasonable care to guard against unauthorized access to and acquisition of biometric identifiers
- Retain biometric identifiers no longer than is reasonably necessary to comply with a court order, statute, or public records retention schedule, or to protect against or prevent actual or potential fraud and criminal activity
Enforcement: No Private Right of Action
A critical distinction between Washington's biometric law and the Illinois Biometric Information Privacy Act (BIPA) is that Washington law has no private right of action. A violation of RCW 19.375 is an unfair or deceptive act under the Consumer Protection Act (RCW 19.86), but enforcement is limited to the Attorney General.
This means individual consumers cannot sue businesses directly for violations of the biometric privacy law. Only the Washington Attorney General can bring enforcement actions.
Exemptions
The biometric privacy law does not apply to:
- Financial institutions or their affiliates subject to Title V of the federal Gramm-Leach-Bliley Act of 1999
- Activities subject to Title V of the federal Health Insurance Portability and Accountability Act (HIPAA) of 1996
Data Breach Notification Law (RCW 19.255)
Notification Requirements

Washington's data breach notification law is codified as Chapter 19.255 RCW. It requires any person or business that conducts business in Washington and owns or licenses data containing personal information to notify affected individuals following the discovery of a security breach.
Under RCW 19.255.010, notification must be made to any Washington resident whose personal information was, or is reasonably believed to have been, acquired by an unauthorized person and was not secured through encryption or other methods.
Notice is not required if the breach is not reasonably likely to subject consumers to a risk of harm.
What Constitutes Personal Information
Under RCW 19.255.005, personal information includes an individual's first name or first initial and last name combined with any of the following:
- Social Security number
- Driver license or state identification card number
- Account number, credit card number, or debit card number in combination with any required security code, access code, or password
- Full date of birth
- Health insurance policy number or subscriber identification number combined with a unique identifier used by an insurer
- Student, military, or passport identification number
- Any information about a consumer's medical history, mental or physical condition, or medical treatment or diagnosis by a healthcare professional
Attorney General Notification
When a breach affects more than 500 Washington residents, the person or business must notify the Washington Attorney General within 30 days of discovering the breach.
Content of Notice
Breach notifications must be written in plain language and include, at minimum:
- The name and contact information of the reporting entity
- A list of the types of personal information involved in the breach
- The toll-free telephone numbers and addresses of major credit reporting agencies (if the breach exposed financial data)
Law Enforcement Delay
Notification may be delayed if a law enforcement agency determines that the notification would impede a criminal investigation. Once law enforcement determines notification will not compromise the investigation, the notice must be sent.
Liability
Under RCW 19.255.020, a processor, business, or vendor that experiences a breach is liable for damages from any person injured by the breach when the breach was caused by the processor, business, or vendor, or a third party acting on their behalf.
The Failed Washington Privacy Act
Legislative History
Washington came closer than almost any other state to passing a comprehensive consumer privacy law, yet the effort failed three consecutive years:
SB 5376 (2019). Introduced by Senator Reuven Carlyle, this was the first version of the Washington Privacy Act. It passed the Senate but died in the House in April 2019. The primary disagreement was whether the bill should include a private right of action allowing consumers to sue for violations.
SB 6281 (2020). A revised version was introduced for the 2020 session. It again passed the Senate but failed in the House over the same enforcement dispute.
SB 5062 (2021). The third attempt was introduced in January 2021. The Senate version would not have allowed consumers to sue, while the House advanced a version that included private enforcement. The two chambers could not reach a compromise, and the bill died when the legislative session ended on April 25, 2021.
Why the Bills Failed
The central dispute in every iteration was whether to include a private right of action. The Senate consistently favored Attorney General-only enforcement, arguing that a private right of action would lead to excessive litigation. The House insisted that meaningful enforcement required giving consumers the ability to sue directly.
Consumer advocacy groups, including Consumer Reports and the ACLU of Washington, opposed the bills in their Senate forms, arguing they were too weak without private enforcement and contained broad exemptions that would have limited their effectiveness.
What the Bills Would Have Done
Despite their failure, the proposed Washington Privacy Act would have been a significant step. Key provisions included:
- Right to access, correct, and delete personal data
- Right to opt out of data sales and targeted advertising
- Data protection assessments for high-risk processing activities
- Privacy notice requirements for all covered businesses
- Reasonable data security standards
Current Legislative Efforts: HB 1671 (2025-2026)
House Bill 1671, titled the People's Privacy Act, is the most significant development in Washington comprehensive privacy legislation in years. The bill would apply to persons conducting business in Washington or targeting Washington residents who collect or process personal data.
HB 1671 is modeled on the EPIC and Consumer Reports model state privacy bill and includes data minimization provisions that meaningfully limit the collection and use of personal data. The bill incorporates consumer health data definitions consistent with the existing MHMDA.
The bill's progress in the 2025-2026 session represents the furthest any Washington comprehensive privacy bill has advanced. On February 14, 2026, the House Committee on Technology, Economic Development, and Veterans took executive action and voted with a "do pass as substituted" recommendation, referring the bill to the Appropriations Committee. As of May 2026, the bill is in the Appropriations Committee.
Washington's history of failed comprehensive privacy bills means passage is not assured. The same enforcement disputes that derailed earlier efforts could resurface in floor votes or Senate consideration.
Washington Attorney General: Data Privacy Enforcement
The Washington Attorney General's Office plays a central role in enforcing the state's data privacy laws. Nick Brown took office as Washington's 19th Attorney General in January 2025, succeeding Bob Ferguson, who became Governor.
Notable Enforcement Actions
Google Location Tracking ($39.9 Million). In one of the most significant state-level privacy enforcement actions in U.S. history, former Attorney General Bob Ferguson obtained a $39.9 million settlement from Google over deceptive location tracking practices. Washington filed its own lawsuit and recovered more than double what it would have received from joining a multistate settlement. Google was also required to implement court-ordered transparency reforms.
Data Privacy Survey (July 2025). AG Brown's office launched a Data Privacy Survey to learn about the data privacy concerns and challenges facing Washington residents. The results are expected to inform future legislative and enforcement priorities under the MHMDA and other state privacy laws.
Breach Notification Oversight. The AG maintains a public Data Breach Notifications Directory where consumers can see reported breaches affecting Washington residents.
As of May 2026, no formal AG enforcement actions under the MHMDA have been publicly announced. The private litigation landscape (Amazon, Uncle Ike's) has been the primary enforcement activity to date.
Federal Privacy Framework
In the absence of a comprehensive state consumer privacy law, several federal statutes provide baseline privacy protections for Washington residents.

TAKE IT DOWN Act (Pub. L. 119-12). This federal law was signed on May 19, 2025. It immediately criminalized the nonconsensual publication of intimate images, including AI-generated deepfake imagery. Online platforms had one year to establish notice-and-removal processes; the FTC began enforcing platform compliance obligations on May 19, 2026. A covered platform must remove the content identified in a valid takedown request, along with known identical copies, within 48 hours.
Health Insurance Portability and Accountability Act (HIPAA). Protects health information held by covered entities such as healthcare providers, health plans, and healthcare clearinghouses. HIPAA does not cover many of the entities and data types that fall under Washington's MHMDA, which is why the MHMDA was necessary.
Gramm-Leach-Bliley Act (GLBA). Requires financial institutions to explain their information-sharing practices and safeguard sensitive data. Washington's biometric law explicitly exempts entities subject to the GLBA.
Children's Online Privacy Protection Act (COPPA). Protects the online privacy of children under 13 by requiring parental consent before data collection.
Fair Credit Reporting Act (FCRA). Regulates the collection, dissemination, and use of consumer credit information by consumer reporting agencies.
FTC Act Section 5. Empowers the Federal Trade Commission to pursue unfair or deceptive acts or practices, including data security failures and misleading privacy representations.
American Privacy Rights Act (APRA). A bipartisan federal comprehensive privacy bill introduced in April 2024 by Sen. Maria Cantwell (D-WA) and Rep. Cathy McMorris Rodgers (R-WA). The bill did not pass before the 118th Congress expired in January 2025 and has not been reintroduced in the 119th Congress as of May 2026. Washington residents should not expect federal comprehensive privacy legislation in the near term.
Practical Compliance Guidance
For Businesses Operating in Washington
Companies that collect data from Washington residents should evaluate their obligations under each of the state privacy laws.
Step 1: Assess MHMDA Applicability. Determine whether your business collects any data that could be considered consumer health data under the MHMDA's broad definition. Location data, biometric data, and inferred health information all qualify. The Uncle Ike's lawsuit illustrates that cannabis retailers, medical appointment schedulers, and any business tracking health-adjacent purchases face real exposure.
Step 2: Implement Dual Consent. If the MHMDA applies, implement separate consent mechanisms for collecting and sharing consumer health data. General privacy policy acceptance is insufficient.
Step 3: Publish a Health Data Privacy Policy. If you collect consumer health data, publish a dedicated privacy policy meeting the MHMDA's specific disclosure requirements.
Step 4: Review Biometric Practices. If your business uses fingerprints, facial recognition, iris scans, or other biometric identifiers for commercial purposes, ensure you are providing notice and obtaining consent under RCW 19.375.
Step 5: Update Breach Response Plans. Ensure your incident response plan accounts for Washington's 30-day AG notification requirement when more than 500 residents are affected.
Step 6: Avoid Geofencing Near Healthcare Facilities. If your business uses location-based targeting, ensure no geofences are set within 2,000 feet of any facility providing in-person healthcare services in Washington.
Step 7: Review Third-Party SDKs and Tracking Pixels. The Amazon and Uncle Ike's lawsuits both center on third-party technology embedded in websites and apps. Audit all pixels, SDKs, and analytics tools that could transmit health-adjacent data to third parties without adequate consent.
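Step 6 can be run as a repeatable check over a location-targeting configuration. The script below is an added example, not code from the statute, a regulator, or any vendor: it flags every circular geofence whose nearest edge comes within 2,000 feet of a facility. The `Facility` and `Geofence` records, campaign names, and coordinates are constructed for illustration, and measuring to a single facility point rather than the property perimeter is a simplifying assumption.

```python
import math
from dataclasses import dataclass

FEET_PER_METER = 3.28084
BUFFER_FEET = 2000.0          # distance stated on this page for the geofencing ban
EARTH_RADIUS_M = 6_371_008.8  # mean Earth radius


@dataclass(frozen=True)
class Facility:               # hypothetical record: one in-person healthcare site
    name: str
    lat: float
    lon: float


@dataclass(frozen=True)
class Geofence:               # hypothetical record: one circular targeting fence
    campaign: str
    lat: float
    lon: float
    radius_m: float


def haversine_feet(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in feet."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a)) * FEET_PER_METER


def audit_geofences(fences, facilities, buffer_feet=BUFFER_FEET):
    """Return one finding per (fence, facility) pair inside the buffer.

    The gap is measured from the fence's nearest edge, not its center, so a
    large fence centered far away is still caught when it reaches the buffer.
    """
    findings = []
    for fence in fences:
        radius_ft = fence.radius_m * FEET_PER_METER
        for fac in facilities:
            center_ft = haversine_feet(fence.lat, fence.lon, fac.lat, fac.lon)
            gap_ft = max(0.0, center_ft - radius_ft)  # 0 means the facility is inside the fence
            if gap_ft <= buffer_feet:
                findings.append({
                    "campaign": fence.campaign,
                    "facility": fac.name,
                    "gap_feet": round(gap_ft, 1),
                })
    return findings


def flagged_campaigns(fences, facilities):
    """Campaign names that need review, in first-seen order."""
    seen = []
    for finding in audit_geofences(fences, facilities):
        if finding["campaign"] not in seen:
            seen.append(finding["campaign"])
    return seen


# Constructed sample data: coordinates are illustrative, not real facilities.
SAMPLE_FACILITIES = [Facility("Example Clinic", 47.6000, -122.3300)]
SAMPLE_FENCES = [
    Geofence("clinic-promo", 47.6040, -122.3300, 50.0),   # small fence, close by
    Geofence("downtown-ads", 47.6100, -122.3300, 100.0),  # small fence, far enough
    Geofence("wide-radius", 47.6100, -122.3300, 600.0),   # same center, edge reaches buffer
    Geofence("north-end", 47.6500, -122.3300, 200.0),     # well outside
]

if __name__ == "__main__":
    for row in audit_geofences(SAMPLE_FENCES, SAMPLE_FACILITIES):
        print(f'{row["campaign"]}: {row["gap_feet"]} ft from {row["facility"]}')
```

The `wide-radius` case is the one most configurations miss: its center matches a fence that passes, but its radius carries the boundary inside the buffer.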
For Washington Residents
Washington residents have several rights under existing law:
- You can request confirmation of whether a company collects your health data and ask for its deletion under the MHMDA
- You can withdraw consent for health data collection and sharing at any time
- You must be notified if your personal information is compromised in a data breach
- You can file a private lawsuit if a company violates the MHMDA, seeking actual damages, injunctive relief, attorney fees, and potential treble damages up to $25,000
- You can submit takedown requests to online platforms for nonconsensual intimate images under the federal TAKE IT DOWN Act
To report potential violations of Washington data privacy laws, contact the Washington Attorney General's Office.
Frequently Asked Questions
Does Washington have a comprehensive consumer privacy law like California or Virginia?
No. Washington does not have a comprehensive consumer data privacy law as of May 2026. The Washington Privacy Act failed to pass in 2019, 2020, and 2021. HB 1671, the People's Privacy Act, received a 'do pass' recommendation from the House Technology Committee in February 2026 and is now in the Appropriations Committee, making it the furthest any Washington comprehensive privacy bill has advanced. Washington does have targeted laws covering health data (MHMDA), biometric identifiers (RCW 19.375), and data breach notification (RCW 19.255).
What is the Washington My Health My Data Act and who does it apply to?
The My Health My Data Act (Chapter 19.373 RCW) is a health data privacy law that took effect on March 31, 2024. It applies to any regulated entity that collects, processes, shares, or sells consumer health data and conducts business in Washington or produces products and services targeted at Washington residents. The law defines health data very broadly to include not just medical records but also location data that could reveal healthcare visits, biometric information, reproductive health data, and even information inferred from non-health data.
Can I sue a company that violates my health data privacy rights in Washington?
Yes. The My Health My Data Act includes a private right of action through the Washington Consumer Protection Act (Chapter 19.86 RCW). If a company violates the MHMDA, you can file a civil lawsuit seeking injunctive relief, actual damages, and reasonable attorney fees. Courts may also award treble damages up to $25,000. Two class actions were filed under this provision in 2025, against Amazon and a cannabis retailer, demonstrating active use of this enforcement path. Washington's biometric privacy law (RCW 19.375), by contrast, has no private right of action and can only be enforced by the Attorney General.
What are Washington's data breach notification requirements?
Under RCW 19.255.010, any business that experiences a data breach affecting Washington residents must notify those individuals promptly. If the breach affects more than 500 Washington residents, the business must also notify the Washington Attorney General within 30 days of discovering the breach. The notification must be in plain language and include the types of personal information compromised and contact information for credit reporting agencies if financial data was involved.
Does Washington biometric privacy law allow individuals to sue for violations?
No. Unlike Illinois BIPA, Washington's biometric privacy law (RCW 19.375) does not include a private right of action. Violations are treated as unfair or deceptive acts under the Consumer Protection Act, but only the Washington Attorney General can bring enforcement actions. Individual consumers cannot file lawsuits for biometric privacy violations under Washington law.
What is HB 1671 and could it become Washington's comprehensive privacy law?
HB 1671, the People's Privacy Act, is the most advanced comprehensive privacy bill Washington has seen. It passed the House Technology Committee with a 'do pass' recommendation on February 14, 2026, and was referred to Appropriations. The bill would require data minimization, grant consumer rights to access, correct, and delete personal data, and include opt-out rights for targeted advertising and data sales. Whether it passes depends on whether the long-standing dispute over private enforcement rights can be resolved.
What does the TAKE IT DOWN Act mean for Washington residents?
The TAKE IT DOWN Act (Pub. L. 119-12), signed May 19, 2025, is a federal law that immediately criminalized the nonconsensual sharing of intimate images, including AI-generated deepfakes. Beginning May 19, 2026, covered online platforms must remove such images within 48 hours of a valid takedown request, and the FTC can enforce this requirement. Washington residents can submit takedown requests directly to platforms and report noncompliance to the FTC.