MHMDA Consumer Rights (Washington)

Washington's My Health My Data Act (MHMDA), chapter 19.373 RCW, gives consumers four core rights over their consumer health data: the right to confirm whether a regulated entity collects, shares, or sells it, the right to access it, the right to withdraw consent, and a broad right to have it deleted. These rights are set out in RCW 19.373.040 and the consent rules in RCW 19.373.030.
As of 2026, what makes these rights unusually powerful is the enforcement behind them. Under RCW 19.373.090, a regulated entity that ignores a valid request is committing a per se violation of the Washington Consumer Protection Act (chapter 19.86 RCW), which the Attorney General enforces and which gives the individual consumer a private right of action under RCW 19.86.090.
Jurisdiction scope: This covers Washington's My Health My Data Act (chapter 19.373 RCW). It is general legal information, not legal advice.
The four core consumer rights
MHMDA's consumer rights live in RCW 19.373.040. The Act gives a Washington consumer four rights that, together, let them find out what health data an entity holds, control its use, and have it erased.
The first is the right to confirm. A consumer may confirm whether a regulated entity or small business is collecting, sharing, or selling their consumer health data. The second is the right to access: the consumer may access that data, including a list of all third parties and affiliates with whom the entity has shared or sold the data, along with an active email address or other online mechanism the consumer can use to contact those parties.
The third is the right to withdraw consent. A consumer may withdraw consent from the entity's collection and sharing of their consumer health data. The fourth is the right to delete, which is the broadest of the four and is covered in detail below. As of 2026, all four rights are fully available because every category of covered entity passed its compliance date in 2024.
For how these rights fit into Washington's wider privacy framework, see the Washington data privacy laws parent page.
The right to confirm and access
The confirmation and access rights work together. Under RCW 19.373.040, a consumer first has the right to learn whether an entity collects, shares, or sells their consumer health data at all. This is meaningful on its own, because many of the entities covered by MHMDA, such as apps, advertisers, and data brokers, are not ones a consumer would normally associate with their health information.
The access right then lets the consumer see the data itself and, critically, learn where it went. The statute requires the entity to provide a list of all third parties and affiliates with whom the consumer health data was shared or sold. This is a recipient-level disclosure, not merely a list of categories.
The access right also requires a way to reach those recipients. The entity must give the consumer an active email address or other online mechanism that the consumer may use to contact each third party or affiliate. That detail matters for the deletion right, because it gives the consumer a path to follow their data downstream.

The right to withdraw consent
Consent is the engine of MHMDA. Under RCW 19.373.030, a regulated entity generally may not collect or share consumer health data without first obtaining the consumer's consent, and the consent to share must be separate and distinct from the consent to collect. The right to withdraw consent in RCW 19.373.040 lets a consumer turn that engine off.
When a consumer withdraws consent, the entity must stop collecting and sharing the consumer's health data on that basis. Consent under RCW 19.373.010 must be a clear affirmative act that is freely given, specific, informed, opt-in, voluntary, and unambiguous, so it cannot be buried in general terms of use or inferred from a consumer hovering over, closing, or muting a banner.
Withdrawing consent is distinct from deletion. Withdrawal stops collection and sharing going forward; it does not by itself erase data the entity already holds. A consumer who wants existing data removed needs to use the deletion right as well. The two are often exercised together.
The broad deletion right
The deletion right is MHMDA's most far-reaching consumer right. Under RCW 19.373.040, a consumer has the right to have consumer health data concerning them deleted, and the entity must honor that request by deleting the data from its records.
What makes the right broad is its downstream reach. The entity must delete the consumer health data from all parts of its own system, including archived and backup systems. The statute does allow deletion from archived or backup systems to be delayed, but only until the archived or backup system is next restored or for up to six months, whichever comes first, and the data must remain protected and unused in the meantime.
The deletion obligation also runs to everyone the data was shared with or sold to. The entity must notify all affiliates, processors, contractors, and other third parties with which it shared the consumer health data of the deletion request. Those recipients must then honor the request and delete the consumer health data from their own records, including their archived and backup systems, on the same terms.
This is a meaningfully stronger deletion right than many privacy laws provide, because it does not stop at the first company. It is designed to pull the data back out of the chain of recipients, not just the original collector. For consumers, that is the closest a state law comes to a true erase-everywhere right for health data.
How to exercise your MHMDA rights
To exercise a right, a consumer submits a request to the regulated entity. RCW 19.373.040 directs entities to provide one or more secure and reliable means for consumers to submit requests, and those methods must take into account how consumers normally interact with the entity, the need for secure identity verification, and accessibility for consumers with disabilities. An entity cannot require a consumer to create a new account just to make a request, though it may require use of an existing account.
The response clock is set by statute. The entity must act on a request without undue delay and in all cases within 45 days of receiving it. That period can be extended once by an additional 45 days when reasonably necessary, as long as the entity tells the consumer about the extension and the reason within the first 45 days. Information must be provided free of charge, up to twice per consumer per year.
If the entity declines to act, it must tell the consumer without undue delay and within the 45-day window, explain the reasons for the refusal, and provide instructions for how to appeal. The entity must maintain a documented appeal process, respond to an appeal in writing within 45 days, and, if the appeal is denied, give the consumer a way to submit a complaint to the Washington Attorney General. The step-by-step duties on the business side are detailed in the MHMDA business compliance guide.

A consumer rights and deadlines table
| Right | Statute | What it does | Deadline |
|---|---|---|---|
| Confirm and access | RCW 19.373.040 | Confirm collection, sharing, or sale; access the data plus a list of recipients | 45 days (one 45-day extension) |
| Withdraw consent | RCW 19.373.040 | Stop future collection and sharing of health data | Effective on withdrawal |
| Delete | RCW 19.373.040 | Erase the data, including backups, and require recipients to delete | 45 days; backups up to 6 months |
| Appeal a refusal | RCW 19.373.040 | Challenge a denied request; route to the AG if still denied | 45 days to respond to appeal |
What the private right of action means for consumers
MHMDA's enforcement is what gives these rights real force. Under RCW 19.373.090, a violation of the Act is a violation of the Washington Consumer Protection Act, chapter 19.86 RCW. The Washington Attorney General has confirmed that this makes any MHMDA violation a per se Consumer Protection Act violation, enforced by the Attorney General and through private action.
The private channel runs through RCW 19.86.090, the Consumer Protection Act's long-standing private right of action. It allows a person injured by an unfair or deceptive act to bring a civil suit and recover actual damages, together with the costs of the suit and reasonable attorney fees; the court may also increase the award up to three times the actual damages, subject to a statutory cap.
This is the feature that distinguishes MHMDA from almost every other US privacy law. Comprehensive laws in states like Virginia, Colorado, and Oregon reserve enforcement to the attorney general and bar private suits. MHMDA does not. A Washington consumer who believes a company collected, shared, or sold their health data without consent, ignored a deletion request, or geofenced a health facility has a direct path to court, not just a complaint to the state.
As of 2026, a consumer cannot, of course, be promised any particular outcome from a lawsuit, and whether a given violation caused compensable injury is a fact-specific legal question. But the existence of the private remedy means consumers are not solely dependent on the Attorney General to act, and it is why companies treat MHMDA compliance as a litigation-risk issue.
Sources and References
- RCW 19.373.040: Consumer rights and requests, refusal, appeal (app.leg.wa.gov)
- RCW 19.373.030: Collection or sharing of consumer health data (app.leg.wa.gov)
- RCW 19.373.010: Definitions (consent, consumer health data) (app.leg.wa.gov)
- RCW 19.373.090: Application of consumer protection act (app.leg.wa.gov)
- RCW 19.86.090: Consumer Protection Act private right of action (app.leg.wa.gov)
- RCW 19.373.070: Valid authorization to sell consumer health data (app.leg.wa.gov)
- Washington Attorney General: Protecting Washingtonians' Personal Health Data and Privacy (atg.wa.gov)