Washington

Privacy Law Status

Comprehensive Privacy Law

Washington currently operates under a sectoral approach to data privacy rather than having one comprehensive privacy law covering all personal data. The state’s primary privacy protection is the My Health My Data Act (MHMDA), which took effect in March 2024 and specifically protects consumer health data beyond what federal HIPAA regulations cover[1][2]. This law applies broadly to any personal information linked to a Washington consumer that identifies their past, present, or future physical or mental health status, including data from fitness apps, nutrition tracking, and wellness services[1].

Unlike comprehensive privacy laws in states like California or Virginia, Washington’s current framework focuses specifically on health-related information rather than all personal data. However, the state also maintains robust data breach notification requirements that apply to all businesses and government agencies handling personal information of Washington residents[3][4].

Legislative Activity

During the 2025 legislative session, Washington considered several comprehensive privacy bills that would have expanded protections beyond health data. The most prominent was HB 1671, known as the People’s Privacy Act, which was introduced by Representative Shelley Kloba and based on model legislation from EPIC and Consumer Reports[5][6][7]. This bill included data minimization requirements, prohibited the sale of sensitive data, and would have banned targeted advertising to minors under 18.

Unfortunately, HB 1671 died in the House Appropriations Committee in February 2025 without receiving a hearing or vote, ending its chances for the current legislative session[8][9]. The bill had an estimated budget requirement of $825,000 annually for 4.7 positions in the Attorney General’s Office for enforcement[8].

Implementation Timeline

The My Health My Data Act began enforcement on March 31, 2024, for most “regulated entities” doing business in Washington or targeting Washington residents[1][10]. Small businesses had additional time to comply, with their deadline set for June 30, 2024[1]. The law includes significant enforcement mechanisms, including private right of action allowing consumers to sue companies directly for violations, as well as enforcement by the Washington Attorney General’s office[10][11].

Washington’s data breach notification laws, which require businesses and agencies to notify residents of security breaches involving personal information, have been in effect since 2015 with updates made in 2019[3]. These laws require notification to affected residents and the Attorney General’s office within 30 days of discovering a breach affecting more than 500 Washington residents[3][12].

Your Rights as a Washington Resident

Your privacy rights in Washington depend on the type of data involved and which law applies to your situation.

  • Right to know what health data is collected – Under the My Health My Data Act, you can request information about what consumer health data companies collect about you, including data from fitness apps, wellness services, and health-related purchases[1][2]
  • Right to delete health information – You can request deletion of your consumer health data, though companies may retain some information for legal compliance or security purposes[1]
  • Right to opt out of health data sales – Companies cannot sell your consumer health data without your explicit consent, and you can withdraw that consent at any time[1][2]
  • Right to correct inaccurate health data – You can request corrections to incorrect consumer health information that companies maintain about you[1]
  • Right to non-discrimination for health data – Companies cannot treat you differently for exercising your rights under the My Health My Data Act[1][2]
  • Right to be notified of data breaches – You must be notified if your personal information is compromised in a security breach, typically within 30 days of discovery[3][12]

Note that these rights currently apply primarily to health-related data under the My Health My Data Act. Washington does not yet have comprehensive rights covering all types of personal data like some other states.

Business Requirements

Companies operating in Washington face different obligations depending on the type of data they handle and their business activities.

  • Health data processors must comply with MHMDA – Any business that collects, shares, sells, or processes consumer health data of Washington residents must follow the My Health My Data Act, regardless of where the company is located[1][10]
  • Explicit consent required for sensitive health data – Companies must obtain clear, informed consent before collecting or sharing consumer health data, and cannot sell such data without explicit permission[1][2]
  • Data breach notifications mandatory – All businesses must notify affected Washington residents and the Attorney General’s office of data breaches involving personal information, typically within 30 days[3][4][12]
  • Consumer request response procedures – Under MHMDA, companies must establish processes to respond to consumer requests for access, deletion, correction, and opt-out within reasonable timeframes[1]
  • Security safeguards required – Businesses must implement appropriate technical and organizational measures to protect personal data from unauthorized access or disclosure[1][3]
  • Non-discrimination policies – Companies cannot penalize consumers for exercising their privacy rights under applicable Washington laws[1][2]

Practical Impact

  • Health and wellness data gains protection – Your information from fitness trackers, mental health apps, telehealth services, nutrition programs, and even health-related purchases at stores receives legal protection under the My Health My Data Act[1][2]
  • Private right of action enables lawsuits – Unlike many state privacy laws, Washington’s My Health My Data Act allows you to sue companies directly for violations, potentially recovering damages and attorney fees without waiting for government enforcement[10][11]
  • Data breach transparency increases – You receive timely notification when your personal information is compromised, allowing you to take protective steps like monitoring accounts or changing passwords[3][12]
  • Limited coverage beyond health data – Protection for other types of personal data like shopping history, social media activity, or general web browsing remains limited compared to comprehensive privacy states[1]
  • Enforcement challenges may arise – The broad definitions in the My Health My Data Act may lead to complex litigation as courts interpret what constitutes “consumer health data” and which businesses must comply[10][11]

Comparison Context

  • Health data protection leads nationally – Washington’s My Health My Data Act provides stronger protection for health-related information than most other states, covering data beyond traditional HIPAA protections[1][2]
  • Missing comprehensive coverage – States like California, Virginia, Colorado, and others provide broader privacy rights covering all personal data, while Washington currently focuses primarily on health information
  • Strong enforcement mechanisms – Washington’s private right of action for health data violations gives consumers more direct legal recourse than many other state privacy laws that rely mainly on attorney general enforcement[7][10]
  • Limited consumer control rights – Residents lack comprehensive rights to access, delete, or control non-health personal data that are available in other leading privacy states
  • Sectoral approach differs from trends – While most states adopting privacy laws create comprehensive frameworks, Washington has focused on specific data categories, starting with health information[1][2]

Action Steps for Residents

  • Review health app and service privacy policies – Check how fitness trackers, telehealth providers, mental health apps, and wellness services collect and share your consumer health data[1]
  • Exercise your health data rights – Contact companies to request information about, deletion of, or corrections to your consumer health data, or to opt out of data sales[1][2]
  • Document privacy violations – Keep records of any problems exercising your rights under the My Health My Data Act, as you may have grounds to file a lawsuit[10][11]
  • Stay informed about legislative developments – Monitor future legislative sessions for comprehensive privacy bills that could expand your rights beyond health data[8]
  • Report data breaches promptly – If you suspect your personal information has been compromised, report it to relevant authorities and monitor your accounts for unauthorized activity[3][12]
  • Contact legislators about privacy priorities – Express your views on privacy legislation to your state representatives, especially during legislative sessions when privacy bills are being considered[13][14]

Official Resources and Contact Information

Washington State Legislature

Contact your state representatives about privacy legislation and policy priorities. You can find your specific legislators by entering your address on the Washington State Legislature’s district finder website at https://app.leg.wa.gov/districtfinder/[15]. The legislative hotline operates Monday through Friday from 8 AM to 7 PM at 1-800-562-6000, where you can leave messages for your state Senator and Representatives about specific bills or issues[13][14].

For general legislative information, contact the Legislative Information Center at 360-786-7573. You can also submit written comments on specific bills through the legislature’s website at https://leg.wa.gov/ by searching for the bill number and clicking “Comment here” on the right side of the bill page[13][16].

Washington State Attorney General’s Office

The Attorney General’s Office handles privacy enforcement and maintains several resources for consumers. Their Data Privacy Hub provides information about Washington’s privacy laws and includes a consumer survey about data privacy experiences at https://www.atg.wa.gov/data-privacy[17]. For questions about the My Health My Data Act, visit https://www.atg.wa.gov/protecting-washingtonians-personal-health-data-and-privacy[2].

Data Breach Reporting

If you experience a data breach affecting your personal information, you can report it using the Attorney General’s data breach notification web form. Businesses and agencies are required to notify the Attorney General’s office of breaches affecting more than 500 Washington residents. Access the reporting form and additional breach resources at https://www.atg.wa.gov/data-breach-resource-center[12].

Consumer Protection and Complaints

For general consumer protection issues that may relate to privacy violations, you can file complaints with the Attorney General’s Consumer Protection Division. Information about filing complaints and additional consumer resources are available through the main Attorney General website at https://www.atg.wa.gov/.

Sources and Citations

Last Updated August 2025. Written with contributions from both human authors and Perplexity AI. If you find incorrect or outdated information, let us know at support@optery.com.
