Washington compliance for small-scale IT companies

Summary of research and consolidated compliance guidance for small-scale IT companies (Washington state) Steps taken and sources consulted: - Searched official Washington state resources (business.wa.gov, Department of Revenue, Secretary of State, L&I, Employment Security, Paid Family & Medical Leave, Attorney General) plus city-level resources (City of Seattle).

Collected statute language (RCW) and official guidance pages about taxation, licensing, employer obligations, and data breach/notification requirements. Reviewed DOR guidance specific to information technology, digital products, and new sales-taxation changes effective Oct 1, 2025.

Reviewed Attorney General resources on data breach notification and RCW 19.

Summary of research and consolidated compliance guidance for small-scale IT companies (Washington state) Steps taken and sources consulted: - Searched official Washington state resources (business.wa.gov, Department of Revenue, Secretary of State, L&I, Employment Security, Paid Family & Medical Leave, Attorney General) plus city-level resources (City of Seattle).

Collected statute language (RCW) and official guidance pages about taxation, licensing, employer obligations, and data breach/notification requirements. Reviewed DOR guidance specific to information technology, digital products, and new sales-taxation changes effective Oct 1, 2025.

Reviewed Attorney General resources on data breach notification and RCW 19.

Key findings and practical checklist (actionable steps for small-scale IT companies/LLCs doing business in Washington)

Forming and maintaining your business entity (LLC / Corporation) - File Certificate of Formation / Articles with Washington Secretary of State; obtain UBI (Unified Business Identifier). Keep required LLC records (Certificate of Formation, operating agreement, annual report), and maintain a registered agent. (See WA Small Business Guide / SOS guidance.) - Resources

WA Secretary of State and business.wa.gov Business Licensing Wizard to determine required endorsements and permits.

Register for state accounts & business license - Every business meeting certain thresholds (e.g., gross income $12,000+/yr, hiring employees, sales subject to sales tax) must apply for a Washington business license via the Business License Application (DOR). The application establishes accounts with DOR, Employment Security (unemployment insurance), and L&I (workers’ comp). Use the Business Licensing Wizard to identify local/city endorsements (Seattle, Bellevue, etc.). 3) Taxes

B&O tax, sales tax/use tax, taxability of software/SaaS/digital services - Washington levies a Business & Occupation (B&O) gross receipts tax; classification and rate depend on the activity. DOR provides classification definitions and lists of rates. Many IT activities are taxed under specific classifications. - DOR guidance: charges for prewritten computer software and hardware are generally subject to retail sales/use tax when separately stated; custom software/coding is usually not subject to retail sales/use tax when separately stated. Digital products and remote access software (RAS), including some SaaS/digital products, have specific sourcing and classification rules. - Important update: DOR published notice that certain IT, website, and software development services became subject to retail sales tax effective Oct 1, 2025; review DOR’s “Information technology, website, and software development services now subject to sales tax” special notice and the IT products/services guidance to determine whether your offering (hosting, development, SaaS, maintenance, support) is taxable. - Practical steps: (a) Determine product/service breakdown on invoices (itemize to separate taxable vs non-taxable charges); (b) register with DOR and request a binding ruling if unsure; (c) determine filing frequency and remit B&O and sales taxes as required.

Local (city) taxes & licenses - Cities like Seattle require a business license tax certificate and may levy their own gross receipts (B&O-style) taxes; these are separate from state B&O tax and often require quarterly filings. Use FileLocal to apply/renew for Seattle and check city rules for home-based or server-location nexus.

Employer obligations (if you hire staff or contractors working in WA) - Register as an employer via the Business License Application (triggers L&I and ESD accounts). Employers must set up workers’ compensation (L&I), unemployment insurance (ESD), and participate in Paid Family & Medical Leave (PFML) reporting—PFML applies to most employers and requires quarterly reporting and premium collection responsibilities. - Payroll & reporting

report new hires to DSHS new hire registry within 20 days; follow L&I and ESD instructions for quarterly wage reports; understand unemployment & workers’ comp premium calculation rules and officer/member coverage options. 6) Data breach notification and privacy compliance - Washington’s data breach notification law (RCW 19.255) requires businesses that own or license personal information to notify affected Washington residents when unsecured personal information is acquired by an unauthorized person and the breach is likely to cause harm. Notification must be provided in the most expedient time possible and generally within 30 days of discovery. If more than 500 Washington residents are affected in a single breach, the Attorney General must be notified within 30 days. - The WA Attorney General provides a Data Breach Resource Center, a breach notification web form, and annual data breach reporting resources. - Practical steps: maintain an incident response plan that complies with RCW 19.255 (plain-language notices, required content), keep records of incidents, and submit notice to the AGO when thresholds are exceeded. - Note: Washington has had significant recent activity on state privacy laws; consult the Attorney General and legislative updates for any new compliance obligations (and consider privacy policies and data minimization practices as a best practice).

Cybersecurity and data handling best practices (practical guidance) - Even where not legally required beyond breach-notification law, implement reasonable security measures

encryption for stored/transmitted personal data, access controls, logging and monitoring, vendor/third-party due diligence, employee training, and an incident response plan that aligns with RCW timing and content requirements.

Contracts, export controls, and regulated data (HIPAA, etc.) - If you handle regulated categories of data (healthcare PHI, financial data), confirm whether federal rules (HIPAA) or sector-specific controls apply. Include appropriate contractual protections (data processing addenda), liability caps, and security clauses for clients. - If you work with government contracts or export software/crypto, check relevant federal export control rules.

Ongoing compliance

filings and renewals - File required annual reports with the Secretary of State, renew Seattle (or other city) business license annually by Dec. 31, and file state tax returns and employer reports at required frequencies. Keep bookkeeping/tax records and consult a CPA for tax planning around B&O exposures and credits. Primary official resources (URLs compiled in citations list below) and recommended next actions: - Use the Business License Wizard (Business.Licensing via DOR) and business.wa.gov start/run guides to identify required endorsements and step-by-step registrations. - Read DOR guidance for IT products/services, digital products, and the special notice on services subject to retail sales tax (effective Oct 1, 2025) to classify your offerings for sales/B&O tax treatments. - Review RCW 19.255 and Attorney General data breach resources; if a breach occurs, follow the AGO web form and notification rules. - Register for employer accounts and understand L&I, ESD, and PFML obligations when you plan to hire.