Washington privacy compliance requirements
What matters (core Washington requirements you must know)

- My Health My Data Act (Chapter 19.373 RCW), scope and basics
  - Protects “consumer health data”, broadly defined; applies to any legal entity that conducts business in Washington or targets Washington consumers and that determines the purpose and means of processing consumer health data.
  - Effective dates: certain sections effective July 23, 2023; regulated entities (non-small) must comply by March 31, 2024; small businesses by June 30, 2024.
  - Mandatory consumer health data privacy policy: beginning March 31, 2024, regulated entities and small businesses must maintain a consumer health data privacy policy that clearly discloses the categories of health data collected and their uses, the sources, the categories shared, the categories of third parties/affiliates receiving the data, and how consumers exercise their rights. A prominent link to this policy must be on the homepage.
  - Collection/use/sharing restrictions: consumer health data may only be collected with specified consent for a purpose or to the extent necessary to provide a requested product/service. Separate, affirmative consent is required to share or sell consumer health data in many circumstances.
  - Individual rights and data security: consumers have access, deletion and other rights; regulated entities must maintain reasonable data security and limit internal access.
  - Processors and vendor management: written contracts are required with processors; a processor’s noncompliance can convert it into a regulated entity in some circumstances.
  - Geofencing ban: the Act prohibits use of geofencing around in-person health-care service providers for tracking/collecting health data or sending related ads (the AG and commentary treat the geofence prohibition as effective).
  - Enforcement and private action: violations of the Act are treated as per se violations of the Washington Consumer Protection Act (RCW 19.86). The Attorney General may enforce, and consumers also have a private right of action (CPA-based), so litigation risk (potential damages/fees) exists.
- Washington biometric law (Chapter 19.375 RCW)
  - Requires notice and consent before enrolling a biometric identifier in a database for a commercial purpose; limits sale/disclosure and retention; requires reasonable care to protect biometric identifiers; AG enforcement under the Consumer Protection Act (RCW 19.86).
  - The My Health My Data Act’s broader health-data definition may also capture biometric data; businesses must consider both regimes.
- Data breach notification and disposal obligations (AG guidance and RCWs referenced)
  - Washington’s breach-notification regime requires notification “in the most expedient time possible” and no more than 30 days after discovery; if a breach affects more than 500 Washington residents, the Attorney General’s Office must also be notified (the AG provides an electronic form). (AG guidance cites RCW 19.255.010 and RCW 42.56.590.)
  - Disposal: RCW 19.215 requires businesses to take all reasonable steps to destroy, or arrange destruction of, personal financial and health information and personal identification numbers.

How enforcement works and litigation risk

- The My Health My Data Act ties violations to the Consumer Protection Act (CPA), creating state enforcement by the AG plus a private right of action under the CPA. CPA actions require proof of injury to business or property for damages, but commentators have highlighted the risk of class litigation and statutory trebling under some CPA remedies.
- RCW 19.375 (biometric) has historically been enforced solely by the AG, but MHMD may create private actions for health-related biometric claims in many scenarios.
Practical compliance checklist for business owners / LLC founders (recommended next steps)
1. Scope & data map: Inventory the personal data you collect and determine whether any of it qualifies as “consumer health data” (the broad definition includes inferred/derived health-related information, reproductive information, genetic and biometric data, precise location tied to health services, etc.). Include data collected about Washington residents and data collected while a consumer is physically in Washington.
2. Determine role: Are you a regulated entity (controller) or a processor? If you process for others, ensure you meet processor obligations and have compliant contracts.
3. Build/update consumer health data privacy policy: Draft a standalone consumer-health-data policy satisfying the RCW 19.373.020 disclosures, and place a prominent link on the homepage and on any page collecting personal information.
4. Consent & notices: Implement affirmative, specific opt-in consent for collection/sharing/sale of consumer health data when required; ensure consent cannot be obtained via deceptive design or blanket terms of use.
5. Minimize collection & retention: Limit collection to what is necessary to provide requested services; set retention schedules and ensure disposal procedures (RCW 19.215) for financial/health information.
6. Vendor contracts: Add the required contractual terms to processor/service provider agreements: permitted uses, security obligations, deletion/return on request, audit/cooperation obligations, and a prohibition on processing inconsistent with your policy.
7. Access controls & security: Restrict internal access to those who need it, implement reasonable industry-standard security measures, and document them (incident response plans, logs, training).
8. Geofence & targeted advertising: If you use geofencing around health-care locations or targeted ads tied to health data, suspend the practice or get legal review; geofence prohibitions can be enforced.
9. Incident response & notification plan: Prepare a breach detection/response playbook; notify consumers “in the most expedient time possible” and no more than 30 days after discovery; notify the WA AG when more than 500 residents are affected, using the AG web form.
10. Consumer requests process: Implement procedures for handling access, deletion, and correction requests under RCW 19.373.040, including verifying requesters and tracking fulfillment timelines.
11. Legal review & insurance: Consult Washington privacy counsel to review applicability (especially for borderline cases or national businesses), update contracts, and evaluate insurance/coverage for privacy litigation.
