# Washington Consumer Privacy Law (My Health My Data Act)[^about]

Washington has no comprehensive consumer-privacy statute, but the My Health My Data Act (ch. 19.373 RCW) reaches biometrics, precise location, and health inferences across most consumer businesses — and a violation is a per se Consumer Protection Act violation that consumers can sue over.

## Which privacy laws apply to your business in Washington? {#which-privacy-laws-apply}

**Short answer.** Washington has no comprehensive consumer-privacy statute, but the My Health My Data Act (MHMDA), chapter 19.373 RCW, functions as a near-comprehensive law in practice. It covers any legal entity that conducts business in Washington or targets products or services to Washington consumers and that determines the purpose and means of collecting, processing, sharing, or selling *consumer health data* [^q1-regulated-entity] — and it defines that data to reach far beyond health companies: reproductive and sexual health information, biometric data, genetic data, precise location information that could indicate an attempt to obtain health services, and data identifying a consumer seeking health care services all qualify [^q1-chd-definition], as do inferences about health derived or extrapolated from non-health information by algorithms or machine learning [^q1-chd-inference].

The legislature enacted the MHMDA to close the gap left by HIPAA, which protects health data only when specific health care entities hold it — health data collected by non-covered entities such as apps and websites had no equivalent protection [^q1-mhmda-intent]. The result is that an ad-tech platform, a retailer with a wellness aisle, a fitness or period-tracking app, or a data broker can be a *regulated entity* even though it would never think of itself as a health business. The act also protects more than Washington residents: a *consumer* is a Washington resident or any natural person whose consumer health data is collected in Washington, acting in an individual or household context — employees acting in an employment context are excluded [^q1-consumer-def].

There is no revenue floor. A *small business* — one that handles consumer health data of fewer than 100,000 consumers a year, or derives less than half its revenue from such data and handles fewer than 25,000 consumers' data — is covered rather than exempt [^q1-small-business]. Many core duties, including policy, collection and sharing, rights, security, processor-contract, and sale-authorization duties, had section-specific June 30, 2024 dates for small businesses [^q1-policy-small-business-date] [^q1-collection-small-business-date] [^q1-rights-small-business-date] [^q1-security-small-business-date] [^q1-processor-small-business-date] [^q1-sale-small-business-date]; the geofencing ban is not written with that same small-business delay [^q1-geofence-ban]. The exemptions are framed around categories of information rather than whole entities: information that is protected health information under HIPAA is outside the act [^q1-exemptions-phi], and personal information governed by the Gramm-Leach-Bliley Act, the Fair Credit Reporting Act, or FERPA is likewise exempt [^q1-exemptions-federal]. A HIPAA-covered business is not exempt as an entity; only its exempt data sets, such as PHI and the other categories listed in RCW 19.373.100, fall outside the act [^q1-exemptions-health].

Two older statutes round out the state framework. Chapter 19.375 RCW restricts enrolling a *biometric identifier* in a database for a commercial purpose without notice, consent, or an opt-out mechanism [^q1-biometric-enroll], and chapter 19.255 RCW requires any person or business doing business in Washington to notify residents when unsecured personal information is breached [^q1-breach-duty]. The breach statute is covered below; chapter 19.375 matters chiefly as an AG-only biometric contrast. Washington has no standalone direct-to-consumer genetic-testing privacy statute; genetic data is instead regulated as *consumer health data* under the MHMDA's definition [^q1-chd-definition].

Washington came close to flipping to a comprehensive regime: the People's Privacy Act (House Bill 1671) would have imposed data-minimization duties and opt-in consent across all personal data, but it died in the House Appropriations Committee when the Legislature adjourned sine die on March 12, 2026. Sponsors are expected to try again, so the MHMDA-centered framework described here is what governs for now — and a program built to the MHMDA's consent-first architecture would already satisfy much of what a future omnibus law would likely ask.

## What must your Washington consumer health data privacy policy contain? {#privacy-policy-contents}

**Short answer.** Washington requires a dedicated *consumer health data privacy policy*, with contents fixed by statute. Beginning March 31, 2024, a regulated entity must maintain a policy that clearly and conspicuously discloses: the categories of consumer health data collected and the purposes for which they are collected, including how the data will be used; the categories of sources; the categories of consumer health data shared; a list of the categories of third parties *and the specific affiliates* with whom the data is shared; and how consumers can exercise their statutory rights [^q2-policy-contents]. The business must also prominently publish a link to that policy on its homepage [^q2-homepage-link].

Small businesses had until June 30, 2024 to comply [^q2-small-business-date]. Treat the statutory list as a drafting checklist — each of the five items must appear on the face of the policy. Note one element that goes beyond the generic state-law pattern: third parties may be disclosed by category, but affiliates that receive consumer health data must be listed specifically. The homepage link rule is broader than a root landing page: *homepage* includes any webpage where personal information is collected and, for a mobile app, the platform or download page plus an in-app link [^q2-homepage-definition].

The policy is also a ceiling on conduct, not just a disclosure exercise. A business may not collect, use, or share additional categories of consumer health data, or use existing data for additional purposes, without first disclosing the addition and obtaining the consumer's affirmative consent [^q2-new-categories] [^q2-new-purposes], and it is a violation of the act to contract with a processor to process consumer health data in a manner inconsistent with the policy [^q2-processor-consistency]. The statute names a distinct policy and a distinct homepage link, so a conservative approach is to publish the consumer health data privacy policy as its own standalone document with its own homepage link, rather than folding the disclosures into a general privacy notice [^q2-homepage-link].

No Washington statute fixes the contents of a *general* consumer privacy policy. For data outside the MHMDA, the operative discipline is the federal one: under Section 5 of the FTC Act, a published policy that misstates how you actually collect, use, or share data can be treated as deceptive [^q2-ftc5]. The practical rule for the general policy is therefore accuracy; the practical rule for the consumer health data policy is the statutory checklist.

## When do you need consent — and when a signed authorization — to handle health data in Washington? {#consent-and-authorization}

**Short answer.** The MHMDA runs on a two-tier opt-in structure, with a third, stricter tier for sales. For regulated entities after March 31, 2024, and small businesses after June 30, 2024, a business may not *collect* consumer health data except with the consumer's consent for a specified purpose, or to the extent necessary to provide a product or service the consumer requested [^q3-collection-consent] [^q3-small-business-date]. It may not *share* that data except with a consent that is separate and distinct from the collection consent, or again as necessary to provide the requested product or service [^q3-sharing-consent]. And it is unlawful for any person to *sell* consumer health data without first obtaining a valid authorization signed by the consumer — separate and distinct from both consents [^q3-sale-authorization].

Consent under the act is demanding. It means a clear affirmative act signifying freely given, specific, informed, opt-in, voluntary, and unambiguous agreement — and the statute expressly disqualifies acceptance of broad terms of use, hovering over or closing content, and agreement obtained through deceptive designs [^q3-consent-definition]. The consent request itself has fixed contents: it must be obtained before the collection or sharing and must clearly and conspicuously disclose the categories of data, the purpose and specific ways the data will be used, the categories of recipients, and how to withdraw consent [^q3-consent-request]. A pre-checked box, nudging cookie banner, or buried onboarding clause is high-risk under that standard.

The sale tier is closer to a HIPAA-style authorization than to an opt-out. The signed authorization must be a plain-language document that identifies the specific consumer health data sold, the seller and purchaser contact information, the sale purpose, how the data will be gathered, and how the purchaser will use it. It also must say that goods or services cannot be conditioned on signing, explain revocation, warn about redisclosure, expire one year from signature, and include the consumer's signature and date [^q3-authorization-contents]. The authorization is invalid if it is expired, incomplete, revoked, combined with other documents, or made a condition of goods or services; a copy must go to the consumer, and the seller and purchaser must retain authorizations for six years [^q3-authorization-contents]. Because *sale* means an exchange for monetary or other valuable consideration, routine data-monetization arrangements involving consumer health data are effectively gated behind annual, revocable, signed paperwork — which in practice means most businesses simply do not sell such data.

## What must your contracts with vendors and processors say? {#vendor-contracts}

**Short answer.** For consumer health data, a written contract is a statutory requirement. A processor may process such data only pursuant to a binding contract that sets forth the processing instructions and limits the actions the processor may take with the data it handles on the business's behalf [^q4-processor-contract].

The act adds three teeth to that baseline. The processor must assist the business, through appropriate technical and organizational measures, in fulfilling the business's own MHMDA obligations [^q4-processor-duties]. A processor that departs from the instructions or processes data outside the scope of its contract stops being a processor — it is treated as a regulated entity itself, subject to the full statute for that data [^q4-outside-scope]. And on the controller side, contracting with a processor to process consumer health data in a manner inconsistent with the published consumer health data privacy policy is itself a violation [^q4-policy-consistency] — so the DPA and the policy have to be drafted against each other, not in separate silos.

The same operating model has a security duty. A covered business must restrict employee, processor, and contractor access to consumer health data to what is necessary for the consented purposes or for a requested product or service, and it must maintain administrative, technical, and physical data-security practices that satisfy at least the reasonable standard of care in its industry [^q4-security-duty]. Small businesses had until June 30, 2024 to comply with that data-security section [^q4-security-small-business-date].

Outside the MHMDA, Washington has no omnibus data-processing-agreement statute; vendor terms for ordinary personal data are driven by the sectoral overlay and by contract practice. The GLBA Safeguards Rule requires financial institutions to bind service providers by contract to implement and maintain safeguards [^q4-glba-safeguards], and HIPAA requires a business-associate agreement with mandatory data-protection terms before protected health information is shared [^q4-hipaa-baa]. A practical template for Washington vendors carries the MHMDA elements — documented instructions, scope limits, assistance duties — across the whole engagement, since the same vendor often touches both health and non-health data.

## What rights can Washington consumers exercise over their health data? {#consumer-rights}

**Short answer.** Three rights, each enforceable on a 45-day clock. A consumer has the right to confirm whether a business is collecting, sharing, or selling consumer health data about them and to access it — including a list of all third parties and affiliates that received the data and an active email address or other online mechanism for contacting those third parties [^q5-access]. A consumer may withdraw consent to collection and sharing [^q5-withdraw]. And a consumer may have the data deleted — a deletion that must reach every part of the business's network, including archived and backup systems, and that the business must propagate by notifying all affiliates, processors, contractors, and other third parties that received the data [^q5-delete].

Requests must be honored without undue delay and in all cases within 45 days of receipt, with one 45-day extension available when reasonably necessary [^q5-deadline]. For deletion, data on archived or backup systems gets a limited runway — the deletion there may be delayed up to six months from authentication of the request [^q5-delete]. The third-party-list element of the access right is unusually operational: honoring it requires recipient-level records of where consumer health data went, not just category-level disclosures.

A business must also stand up an appeal process: if it refuses to act on a request, the consumer may appeal, the business must answer the appeal in writing within 45 days, and a denial must come with a way to complain to the Attorney General [^q5-appeal]. A business may not unlawfully discriminate against a consumer for exercising any right under the act [^q5-nondiscrimination].

The MHMDA does not create the targeted-advertising or profiling opt-out structure common in omnibus privacy statutes; instead, its operative rules are consent, withdrawal of consent, deletion, and sale authorization [^q5-collection-consent] [^q5-sharing-consent] [^q5-withdraw] [^q5-delete] [^q5-sale-authorization]. That means the MHMDA has no rule on universal opt-out preference signals such as Global Privacy Control.

## Can you use geofencing near health care facilities in Washington? {#geofencing-ban}

**Short answer.** No — not for anything touching consumer health data. The MHMDA makes it unlawful for *any person* to implement a geofence around an entity that provides in-person health care services where the geofence is used to identify or track consumers seeking health care services, to collect consumer health data from them, or to send them notifications, messages, or advertisements related to their health data or health care services [^q6-geofence-ban].

The ban is flat: it applies to any person, not just regulated entities; it has no consent exception — a consumer cannot agree to be geofenced out of it; and unlike the act's other duties, the section's text carries no delayed compliance date for small businesses [^q6-geofence-ban]. A *geofence* is a virtual boundary of 2,000 feet or less around a physical location, established by GPS, cell-tower connectivity, cellular data, RFID, Wi-Fi data, or any other form of spatial or location detection [^q6-geofence-def].

Note how wide the protected zone is. *Health care services* means any service to assess, measure, improve, or learn about a person's mental or physical health [^q6-hcs-def] — which reaches pharmacies, counseling offices, reproductive-health clinics, and dispensaries when they provide qualifying health-care or medication-related services, not just hospitals. Location-based advertising programs need a Washington-specific suppression rule around such facilities, because this is the one MHMDA provision that no consent flow can cure.

## When must you notify people of a data breach in Washington? {#breach-notification}

**Short answer.** Any person or business that conducts business in Washington and owns or licenses data including personal information must disclose a breach of the security of the system to every Washington resident whose unsecured personal information was, or is reasonably believed to have been, acquired by an unauthorized person — though notice is not required if the breach is not reasonably likely to subject consumers to a risk of harm [^q7-breach-duty]. Notice to affected consumers must go out in the most expedient time possible and no more than 30 calendar days after the breach was discovered [^q7-thirty-days]. If a single breach requires notifying more than 500 Washington residents, the business must also notify the Attorney General within the same 30-day window [^q7-ag-notice].

*Personal information* is broader in Washington than in many breach statutes: beyond name plus Social Security, driver's license, or financial-account numbers, it includes full date of birth, electronic-signature private keys, student, military, and passport ID numbers, health-insurance IDs, medical-history information, biometric data used to identify an individual, and username-or-email plus password combinations. It also includes those listed data elements without a name if they were not rendered unusable and would enable identity theft [^q7-pi-definition]. Encryption is the main safe harbor — the duty attaches to information that was not *secured*, meaning encrypted to at least the NIST standard or otherwise rendered unusable [^q7-secured] — but even encrypted data triggers notice if the key was also compromised [^q7-breach-duty].

For health-sector businesses there is a federal bridge: a HIPAA covered entity is deemed compliant with the chapter for protected health information if it complies with the HITECH Act's breach-notification provisions, though it must still notify the Washington Attorney General [^q7-hipaa-deemed]. The AG notice itself has fixed contents — affected-resident counts, data types, exposure timeframe, containment steps, and a sample consumer notice — and must be updated if information was unknown when first due [^q7-ag-notice].

## Can a consumer sue your business under Washington privacy law? {#consumer-lawsuit}

**Short answer.** Yes — and this is the headline risk of the MHMDA. The act declares that a violation is an unfair or deceptive act in trade or commerce and an unfair method of competition for purposes of applying the Consumer Protection Act, and that the practices it covers are matters vitally affecting the public interest [^q8-mhmda-cpa]. That per se designation plugs directly into the CPA's private remedy: any person injured in business or property by a CPA violation may sue for actual damages, costs, and attorney fees, and the court may treble damages up to $25,000 [^q8-cpa-private-action]. The CPA confirms the chain — a claimant can establish public-interest injury by showing the act violates a statute that incorporates the CPA [^q8-cpa-per-se].

The contrast with Washington's biometric chapter shows the design was deliberate: chapter 19.375 RCW says expressly that it may be enforced solely by the Attorney General [^q8-biometric-ag-only]. Unlike chapter 19.375, chapter 19.373 has no AG-only enforcement clause; private plaintiffs therefore proceed through the CPA remedy in RCW 19.86.090, subject to injury and causation [^q8-cpa-private-action]. Public enforcement runs in parallel: CPA violations can carry civil penalties of up to $7,500 per RCW 19.86.020 violation, and the Attorney General may petition to recover civil penalties [^q8-cpa-penalties]. The MHMDA contains no cure period, so there is no statutory grace window before either a consumer suit or an AG action.

The central open question for private suits is the CPA's injury element: plaintiffs must still prove injury to business or property and causation [^q8-cpa-private-action], and whether unconsented collection or sharing of health data alone satisfies that element is untested.

The breach statute carries its own, separate consumer remedy: an action to enforce chapter 19.255 may not be brought through the CPA's private-action section, but any consumer injured by a violation of that chapter may institute a civil action for damages directly under it [^q8-breach-pra]. So a notification failure adds direct consumer-suit exposure on top of the Attorney General's parens patriae authority.



[^about]: By Steven Obiajulu, J.D. Published by [openagreements.org](https://openagreements.org) · Maintained by [UseJunior](https://usejunior.com). Last reviewed 2026-06-11. License: CC BY 4.0. Steven Obiajulu, J.D. is admitted in New York, not Washington. This article synthesizes Washington primary law and is not legal advice from a Washington-admitted attorney. This article is for informational purposes only and does not create an attorney-client relationship.

[^q1-regulated-entity]: **RCW 19.373.010(23)** — "‘Regulated entity’ means any legal entity that: (a) Conducts business in Washington, or produces or provides products or services that are targeted to consumers in Washington; and (b) alone or jointly with others, determines the purpose and means of collecting, processing, sharing, or selling of consumer health data." *Wash. Rev. Code § 19.373.010(23).* <https://app.leg.wa.gov/RCW/default.aspx?cite=19.373.010>

[^q1-chd-definition]: **RCW 19.373.010(8)** — "‘Consumer health data’ means personal information that is linked or reasonably linkable to a consumer and that identifies the consumer's past, present, or future physical or mental health status. (b) For the purposes of this definition, physical or mental health status includes, but is not limited to: (i) Individual health conditions, treatment, diseases, or diagnosis; (ii) Social, psychological, behavioral, and medical interventions; (iii) Health-related surgeries or procedures; (iv) Use or purchase of prescribed medication; (v) Bodily functions, vital signs, symptoms, or measurements of the information described in this subsection (8)(b); (vi) Diagnoses or diagnostic testing, treatment, or medication; (vii) Gender-affirming care information; (viii) Reproductive or sexual health information; (ix) Biometric data; (x) Genetic data; (xi) Precise location information that could reasonably indicate a consumer's attempt to acquire or receive health services or supplies; (xii) Data that identifies a consumer seeking health care services;" *Wash. Rev. Code § 19.373.010(8).* <https://app.leg.wa.gov/RCW/default.aspx?cite=19.373.010>

[^q1-chd-inference]: **RCW 19.373.010(8)(b)(xiii)** — "Any information that a regulated entity or a small business, or their respective processor, processes to associate or identify a consumer with the data described in (b)(i) through (xii) of this subsection that is derived or extrapolated from nonhealth information (such as proxy, derivative, inferred, or emergent data by any means, including algorithms or machine learning)." *Wash. Rev. Code § 19.373.010(8)(b)(xiii).* <https://app.leg.wa.gov/RCW/default.aspx?cite=19.373.010>

[^q1-mhmda-intent]: **RCW 19.373.005** — "However, HIPAA only covers health data collected by specific health care entities, including most health care providers. Health data collected by noncovered entities, including certain apps and websites, are not afforded the same protections. Chapter 191, Laws of 2023 works to close the gap between consumer knowledge and industry practice by providing stronger privacy protections for all Washington consumers' health data." *Wash. Rev. Code § 19.373.005(2).* <https://app.leg.wa.gov/RCW/default.aspx?cite=19.373.005>

[^q1-consumer-def]: **RCW 19.373.010(7)** — "‘Consumer’ means (a) a natural person who is a Washington resident; or (b) a natural person whose consumer health data is collected in Washington. ‘Consumer’ means a natural person who acts only in an individual or household context, however identified, including by any unique identifier. ‘Consumer’ does not include an individual acting in an employment context." *Wash. Rev. Code § 19.373.010(7).* <https://app.leg.wa.gov/RCW/default.aspx?cite=19.373.010>

[^q1-small-business]: **RCW 19.373.010(28)** — "‘Small business’ means a regulated entity that satisfies one or both of the following thresholds: (a) Collects, processes, sells, or shares consumer health data of fewer than 100,000 consumers during a calendar year; or (b) Derives less than 50 percent of gross revenue from the collection, processing, selling, or sharing of consumer health data, and controls, processes, sells, or shares consumer health data of fewer than 25,000 consumers." *Wash. Rev. Code § 19.373.010(28).* <https://app.leg.wa.gov/RCW/default.aspx?cite=19.373.010>

[^q1-policy-small-business-date]: **RCW 19.373.020(2)** — "A small business must comply with this section beginning June 30, 2024." *Wash. Rev. Code § 19.373.020(2).* <https://app.leg.wa.gov/RCW/default.aspx?cite=19.373.020>

[^q1-collection-small-business-date]: **RCW 19.373.030(2)** — "A small business must comply with this section beginning June 30, 2024." *Wash. Rev. Code § 19.373.030(2).* <https://app.leg.wa.gov/RCW/default.aspx?cite=19.373.030>

[^q1-rights-small-business-date]: **RCW 19.373.040(2)** — "A small business must comply with this section beginning June 30, 2024." *Wash. Rev. Code § 19.373.040(2).* <https://app.leg.wa.gov/RCW/default.aspx?cite=19.373.040>

[^q1-security-small-business-date]: **RCW 19.373.050(2)** — "A small business must comply with this section beginning June 30, 2024." *Wash. Rev. Code § 19.373.050(2).* <https://app.leg.wa.gov/RCW/default.aspx?cite=19.373.050>

[^q1-processor-small-business-date]: **RCW 19.373.060(2)** — "A small business must comply with this section beginning June 30, 2024." *Wash. Rev. Code § 19.373.060(2).* <https://app.leg.wa.gov/RCW/default.aspx?cite=19.373.060>

[^q1-sale-small-business-date]: **RCW 19.373.070(6)** — "A small business must comply with this section beginning June 30, 2024." *Wash. Rev. Code § 19.373.070(6).* <https://app.leg.wa.gov/RCW/default.aspx?cite=19.373.070>

[^q1-geofence-ban]: **RCW 19.373.080** — "It is unlawful for any person to implement a geofence around an entity that provides in-person health care services where such geofence is used to: (1) Identify or track consumers seeking health care services; (2) collect consumer health data from consumers; or (3) send notifications, messages, or advertisements to consumers related to their consumer health data or health care services." *Wash. Rev. Code § 19.373.080.* <https://app.leg.wa.gov/RCW/default.aspx?cite=19.373.080>

[^q1-exemptions-phi]: **RCW 19.373.100(1)** — "This chapter does not apply to: (a) Information that meets the definition of: (i) Protected health information for purposes of the federal health insurance portability and accountability act of 1996 and related regulations;" *Wash. Rev. Code § 19.373.100(1)(a)(i).* <https://app.leg.wa.gov/RCW/default.aspx?cite=19.373.100>

[^q1-exemptions-federal]: **RCW 19.373.100(2)** — "Personal information that is governed by and collected, used, or disclosed pursuant to the following regulations, parts, titles, or acts, is exempt from this chapter: (a) The Gramm-Leach-Bliley act (15 U.S.C. 6801 et seq.) and implementing regulations; (b) part C of Title XI of the social security act (42 U.S.C. 1320d et seq.); (c) the fair credit reporting act (15 U.S.C. 1681 et seq.); (d) the family educational rights and privacy act (20 U.S.C. 1232g; Part 99 of Title 34, C.F.R.);" *Wash. Rev. Code § 19.373.100(2).* <https://app.leg.wa.gov/RCW/default.aspx?cite=19.373.100>

[^q1-exemptions-health]: **RCW 19.373.100(1)** — "This chapter does not apply to: (a) Information that meets the definition of: (i) Protected health information for purposes of the federal health insurance portability and accountability act of 1996 and related regulations; (ii) Health care information collected, used, or disclosed in accordance with chapter 70.02 RCW; (iii) Patient identifying information collected, used, or disclosed in accordance with 42 C.F.R. Part 2, established pursuant to 42 U.S.C. Sec. 290dd-2; (iv) Identifiable private information for purposes of the federal policy for the protection of human subjects, 45 C.F.R. Part 46; identifiable private information that is otherwise information collected as part of human subjects research pursuant to the good clinical practice guidelines issued by the international council for harmonization; the protection of human subjects under 21 C.F.R. Parts 50 and 56; or personal data used or shared in research conducted in accordance with one or more of the requirements set forth in this subsection; (v) Information and documents created specifically for, and collected and maintained by: (A) A quality improvement committee for purposes of RCW 43.70.510, 70.230.080, or 70.41.200; (B) A peer review committee for purposes of RCW 4.24.250; (C) A quality assurance committee for purposes of RCW 74.42.640 or 18.20.390; (D) A hospital, as defined in RCW 43.70.056, for reporting of health care-associated infections for purposes of RCW 43.70.056, a notification of an incident for purposes of RCW 70.56.040(5), or reports regarding adverse events for purposes of RCW 70.56.020(2)(b); or (E) A manufacturer, as defined in 21 C.F.R. Sec. 820.3(o), when collected, used, or disclosed for purposes specified in chapter 70.02 RCW; (vi) Information and documents created for purposes of the federal health care quality improvement act of 1986, and related regulations; (vii) Patient safety work product for purposes of 42 C.F.R. Part 3, established pursuant to 42 U.S.C. Sec. 299b-21 through 299b-26; (viii) Information that is (A) deidentified in accordance with the requirements for deidentification set forth in 45 C.F.R. Part 164, and (B) derived from any of the health care-related information listed in this subsection (1)(a)(viii); (b) Information originating from, and intermingled to be indistinguishable with, information under (a) of this subsection that is maintained by: (i) A covered entity or business associate as defined by the health insurance portability and accountability act of 1996 and related regulations; (ii) A health care facility or health care provider as defined in RCW 70.02.010; or (iii) A program or a qualified service organization as defined by 42 C.F.R. Part 2, established pursuant to 42 U.S.C. Sec. 290dd-2; (c) Information used only for public health activities and purposes as described in 45 C.F.R. Sec. 164.512 or that is part of a limited data set, as defined, and is used, disclosed, and maintained in the manner required, by 45 C.F.R. Sec. 164.514; or (d) Identifiable data collected, used, or disclosed in accordance with chapter 43.371 RCW or RCW 69.43.165." *Wash. Rev. Code § 19.373.100(1).* <https://app.leg.wa.gov/RCW/default.aspx?cite=19.373.100>

[^q1-biometric-enroll]: **RCW 19.375.020** — "A person may not enroll a biometric identifier in a database for a commercial purpose, without first providing notice, obtaining consent, or providing a mechanism to prevent the subsequent use of a biometric identifier for a commercial purpose." *Wash. Rev. Code § 19.375.020(1).* <https://app.leg.wa.gov/RCW/default.aspx?cite=19.375.020>

[^q1-breach-duty]: **RCW 19.255.010** — "Any person or business that conducts business in this state and that owns or licenses data that includes personal information shall disclose any breach of the security of the system to any resident of this state whose personal information was, or is reasonably believed to have been, acquired by an unauthorized person and the personal information was not secured." *Wash. Rev. Code § 19.255.010(1).* <https://app.leg.wa.gov/RCW/default.aspx?cite=19.255.010>

[^q2-policy-contents]: **RCW 19.373.020(1)(a)** — "beginning March 31, 2024, a regulated entity and a small business shall maintain a consumer health data privacy policy that clearly and conspicuously discloses: (i) The categories of consumer health data collected and the purpose for which the data is collected, including how the data will be used; (ii) The categories of sources from which the consumer health data is collected; (iii) The categories of consumer health data that is shared; (iv) A list of the categories of third parties and specific affiliates with whom the regulated entity or the small business shares the consumer health data; and (v) How a consumer can exercise the rights provided in RCW 19.373.040" *Wash. Rev. Code § 19.373.020(1)(a).* <https://app.leg.wa.gov/RCW/default.aspx?cite=19.373.020>

[^q2-homepage-link]: **RCW 19.373.020(1)(b)** — "A regulated entity and a small business shall prominently publish a link to its consumer health data privacy policy on its homepage." *Wash. Rev. Code § 19.373.020(1)(b).* <https://app.leg.wa.gov/RCW/default.aspx?cite=19.373.020>

[^q2-small-business-date]: **RCW 19.373.020(2)** — "A small business must comply with this section beginning June 30, 2024." *Wash. Rev. Code § 19.373.020(2).* <https://app.leg.wa.gov/RCW/default.aspx?cite=19.373.020>

[^q2-homepage-definition]: **RCW 19.373.010(16)** — "‘Homepage’ means the introductory page of an internet website and any internet web page where personal information is collected. In the case of an online service, such as a mobile application, homepage means the application's platform page or download page, and a link within the application, such as from the application configuration, ‘about,’ ‘information,’ or settings page." *Wash. Rev. Code § 19.373.010(16).* <https://app.leg.wa.gov/RCW/default.aspx?cite=19.373.010>

[^q2-new-categories]: **RCW 19.373.020(1)(c)** — "A regulated entity or a small business may not collect, use, or share additional categories of consumer health data not disclosed in the consumer health data privacy policy without first disclosing the additional categories and obtaining the consumer's affirmative consent prior to the collection, use, or sharing of such consumer health data." *Wash. Rev. Code § 19.373.020(1)(c).* <https://app.leg.wa.gov/RCW/default.aspx?cite=19.373.020>

[^q2-new-purposes]: **RCW 19.373.020(1)(d)** — "A regulated entity or a small business may not collect, use, or share consumer health data for additional purposes not disclosed in the consumer health data privacy policy without first disclosing the additional purposes and obtaining the consumer's affirmative consent prior to the collection, use, or sharing of such consumer health data." *Wash. Rev. Code § 19.373.020(1)(d).* <https://app.leg.wa.gov/RCW/default.aspx?cite=19.373.020>

[^q2-processor-consistency]: **RCW 19.373.020(1)(e)** — "It is a violation of this chapter for a regulated entity or a small business to contract with a processor to process consumer health data in a manner that is inconsistent with the regulated entity's or the small business's consumer health data privacy policy." *Wash. Rev. Code § 19.373.020(1)(e).* <https://app.leg.wa.gov/RCW/default.aspx?cite=19.373.020>

[^q2-ftc5]: **FTC Act § 5** — "Unfair methods of competition in or affecting commerce, and unfair or deceptive acts or practices in or affecting commerce, are hereby declared unlawful." *15 U.S.C. § 45(a)(1).* <https://www.law.cornell.edu/uscode/text/15/45#:~:text=Unfair%20methods%20of%20competition%20in,commerce%2C%20are%20hereby%20declared%20unlawful.>

[^q3-collection-consent]: **RCW 19.373.030(1)(a)** — "beginning March 31, 2024, a regulated entity or a small business may not collect any consumer health data except: (i) With consent from the consumer for such collection for a specified purpose; or (ii) To the extent necessary to provide a product or service that the consumer to whom such consumer health data relates has requested from such regulated entity or small business." *Wash. Rev. Code § 19.373.030(1)(a).* <https://app.leg.wa.gov/RCW/default.aspx?cite=19.373.030>

[^q3-small-business-date]: **RCW 19.373.030(2)** — "A small business must comply with this section beginning June 30, 2024." *Wash. Rev. Code § 19.373.030(2).* <https://app.leg.wa.gov/RCW/default.aspx?cite=19.373.030>

[^q3-sharing-consent]: **RCW 19.373.030(1)(b)** — "A regulated entity or a small business may not share any consumer health data except: (i) With consent from the consumer for such sharing that is separate and distinct from the consent obtained to collect consumer health data; or (ii) To the extent necessary to provide a product or service that the consumer to whom such consumer health data relates has requested from such regulated entity or small business." *Wash. Rev. Code § 19.373.030(1)(b).* <https://app.leg.wa.gov/RCW/default.aspx?cite=19.373.030>

[^q3-sale-authorization]: **RCW 19.373.070(1)** — "beginning March 31, 2024, it is unlawful for any person to sell or offer to sell consumer health data concerning a consumer without first obtaining valid authorization from the consumer. The sale of consumer health data must be consistent with the valid authorization signed by the consumer. This authorization must be separate and distinct from the consent obtained to collect or share consumer health data, as required under RCW 19.373.030" *Wash. Rev. Code § 19.373.070(1).* <https://app.leg.wa.gov/RCW/default.aspx?cite=19.373.070>

[^q3-consent-definition]: **RCW 19.373.010(6)** — "‘Consent’ means a clear affirmative act that signifies a consumer's freely given, specific, informed, opt-in, voluntary, and unambiguous agreement, which may include written consent provided by electronic means. (b) ‘Consent’ may not be obtained by: (i) A consumer's acceptance of a general or broad terms of use agreement or a similar document that contains descriptions of personal data processing along with other unrelated information; (ii) A consumer hovering over, muting, pausing, or closing a given piece of content; or (iii) A consumer's agreement obtained through the use of deceptive designs." *Wash. Rev. Code § 19.373.010(6).* <https://app.leg.wa.gov/RCW/default.aspx?cite=19.373.010>

[^q3-consent-request]: **RCW 19.373.030(1)(c)** — "Consent required under this section must be obtained prior to the collection or sharing, as applicable, of any consumer health data, and the request for consent must clearly and conspicuously disclose: (i) The categories of consumer health data collected or shared; (ii) the purpose of the collection or sharing of the consumer health data, including the specific ways in which it will be used; (iii) the categories of entities with whom the consumer health data is shared; and (iv) how the consumer can withdraw consent from future collection or sharing of the consumer's health data." *Wash. Rev. Code § 19.373.030(1)(c).* <https://app.leg.wa.gov/RCW/default.aspx?cite=19.373.030>

[^q3-authorization-contents]: **RCW 19.373.070(2)** — "A valid authorization to sell consumer health data is a document consistent with this section and must be written in plain language. The valid authorization to sell consumer health data must contain the following: (a) The specific consumer health data concerning the consumer that the person intends to sell; (b) The name and contact information of the person collecting and selling the consumer health data; (c) The name and contact information of the person purchasing the consumer health data from the seller identified in (b) of this subsection; (d) A description of the purpose for the sale, including how the consumer health data will be gathered and how it will be used by the purchaser identified in (c) of this subsection when sold; (e) A statement that the provision of goods or services may not be conditioned on the consumer signing the valid authorization; (f) A statement that the consumer has a right to revoke the valid authorization at any time and a description on how to submit a revocation of the valid authorization; (g) A statement that the consumer health data sold pursuant to the valid authorization may be subject to redisclosure by the purchaser and may no longer be protected by this section; (h) An expiration date for the valid authorization that expires one year from when the consumer signs the valid authorization; and (i) The signature of the consumer and date. (3) An authorization is not valid if the document has any of the following defects: (a) The expiration date has passed; (b) The authorization does not contain all the information required under this section; (c) The authorization has been revoked by the consumer; (d) The authorization has been combined with other documents to create a compound authorization; or (e) The provision of goods or services is conditioned on the consumer signing the authorization. (4) A copy of the signed valid authorization must be provided to the consumer. (5) The seller and purchaser of consumer health data must retain a copy of all valid authorizations for sale of consumer health data for six years from the date of its signature or the date when it was last in effect, whichever is later." *Wash. Rev. Code § 19.373.070(2)-(5).* <https://app.leg.wa.gov/RCW/default.aspx?cite=19.373.070>

[^q4-processor-contract]: **RCW 19.373.060(1)(a)** — "beginning March 31, 2024, a processor may process consumer health data only pursuant to a binding contract between the processor and the regulated entity or the small business that sets forth the processing instructions and limit the actions the processor may take with respect to the consumer health data it processes on behalf of the regulated entity or the small business." *Wash. Rev. Code § 19.373.060(1)(a)(i).* <https://app.leg.wa.gov/RCW/default.aspx?cite=19.373.060>

[^q4-processor-duties]: **RCW 19.373.060(1)(b)** — "A processor shall assist the regulated entity or the small business by appropriate technical and organizational measures, insofar as this is possible, in fulfilling the regulated entity's and the small business's obligations under this chapter." *Wash. Rev. Code § 19.373.060(1)(b).* <https://app.leg.wa.gov/RCW/default.aspx?cite=19.373.060>

[^q4-outside-scope]: **RCW 19.373.060(1)(c)** — "If a processor fails to adhere to the regulated entity's or the small business's instructions or processes consumer health data in a manner that is outside the scope of the processor's contract with the regulated entity or the small business, the processor is considered a regulated entity or a small business with regard to such data and is subject to all the requirements of this chapter with regard to such data." *Wash. Rev. Code § 19.373.060(1)(c).* <https://app.leg.wa.gov/RCW/default.aspx?cite=19.373.060>

[^q4-policy-consistency]: **RCW 19.373.020(1)(e)** — "It is a violation of this chapter for a regulated entity or a small business to contract with a processor to process consumer health data in a manner that is inconsistent with the regulated entity's or the small business's consumer health data privacy policy." *Wash. Rev. Code § 19.373.020(1)(e).* <https://app.leg.wa.gov/RCW/default.aspx?cite=19.373.020>

[^q4-security-duty]: **RCW 19.373.050(1)** — "beginning March 31, 2024, a regulated entity and a small business shall: (a) Restrict access to consumer health data by the employees, processors, and contractors of such regulated entity or small business to only those employees, processors, and contractors for which access is necessary to further the purposes for which the consumer provided consent or where necessary to provide a product or service that the consumer to whom such consumer health data relates has requested from such regulated entity or small business; and (b) Establish, implement, and maintain administrative, technical, and physical data security practices that, at a minimum, satisfy reasonable standard of care within the regulated entity's or the small business's industry to protect the confidentiality, integrity, and accessibility of consumer health data appropriate to the volume and nature of the consumer health data at issue." *Wash. Rev. Code § 19.373.050(1).* <https://app.leg.wa.gov/RCW/default.aspx?cite=19.373.050>

[^q4-security-small-business-date]: **RCW 19.373.050(2)** — "A small business must comply with this section beginning June 30, 2024." *Wash. Rev. Code § 19.373.050(2).* <https://app.leg.wa.gov/RCW/default.aspx?cite=19.373.050>

[^q4-glba-safeguards]: **GLBA Safeguards Rule** — "Requiring your service providers by contract to implement and maintain such safeguards" *16 C.F.R. § 314.4(f)(2).* <https://www.law.cornell.edu/cfr/text/16/314.4#:~:text=Requiring%20your%20service%20providers%20by,implement%20and%20maintain%20such%20safeguards>

[^q4-hipaa-baa]: **HIPAA Business Associate Contracts** — "A contract between the covered entity and a business associate must" *45 C.F.R. § 164.504(e)(2).* <https://www.law.cornell.edu/cfr/text/45/164.504#:~:text=A%20contract%20between%20the%20covered,and%20a%20business%20associate%20must>

[^q5-access]: **RCW 19.373.040(1)(a)** — "a consumer has the right to confirm whether a regulated entity or a small business is collecting, sharing, or selling consumer health data concerning the consumer and to access such data, including a list of all third parties and affiliates with whom the regulated entity or the small business has shared or sold the consumer health data and an active email address or other online mechanism that the consumer may use to contact these third parties." *Wash. Rev. Code § 19.373.040(1)(a).* <https://app.leg.wa.gov/RCW/default.aspx?cite=19.373.040>

[^q5-withdraw]: **RCW 19.373.040(1)(b)** — "A consumer has the right to withdraw consent from the regulated entity's or the small business's collection and sharing of consumer health data concerning the consumer." *Wash. Rev. Code § 19.373.040(1)(b).* <https://app.leg.wa.gov/RCW/default.aspx?cite=19.373.040>

[^q5-delete]: **RCW 19.373.040(1)(c)** — "A consumer has the right to have consumer health data concerning the consumer deleted and may exercise that right by informing the regulated entity or the small business of the consumer's request for deletion. (i) A regulated entity or a small business that receives a consumer's request to delete any consumer health data concerning the consumer shall: (A) Delete the consumer health data from its records, including from all parts of the regulated entity's or the small business's network, including archived or backup systems pursuant to (c)(iii) of this subsection; and (B) Notify all affiliates, processors, contractors, and other third parties with whom the regulated entity or the small business has shared consumer health data of the deletion request. (ii) All affiliates, processors, contractors, and other third parties that receive notice of a consumer's deletion request shall honor the consumer's deletion request and delete the consumer health data from its records, subject to the same requirements of this chapter. (iii) If consumer health data that a consumer requests to be deleted is stored on archived or backup systems, then the request for deletion may be delayed to enable restoration of the archived or backup systems and such delay may not exceed six months from authenticating the deletion request." *Wash. Rev. Code § 19.373.040(1)(c).* <https://app.leg.wa.gov/RCW/default.aspx?cite=19.373.040>

[^q5-deadline]: **RCW 19.373.040(1)(g)** — "A regulated entity and a small business shall comply with the consumer's requests under subsection (1)(a) through (c) of this section [(a) through (c) of this subsection] without undue delay, but in all cases within 45 days of receipt of the request submitted pursuant to the methods described in this section. A regulated entity and a small business must promptly take steps to authenticate a consumer request but this does not extend the regulated entity's and the small business's duty to comply with the consumer's request within 45 days of receipt of the consumer's request. The response period may be extended once by 45 additional days when reasonably necessary, taking into account the complexity and number of the consumer's requests, so long as the regulated entity or the small business informs the consumer of any such extension within the initial 45-day response period, together with the reason for the extension." *Wash. Rev. Code § 19.373.040(1)(g).* <https://app.leg.wa.gov/RCW/default.aspx?cite=19.373.040>

[^q5-appeal]: **RCW 19.373.040(1)(h)** — "A regulated entity and a small business shall establish a process for a consumer to appeal the regulated entity's or the small business's refusal to take action on a request within a reasonable period of time after the consumer's receipt of the decision. The appeal process must be conspicuously available and similar to the process for submitting requests to initiate action pursuant to this section. Within 45 days of receipt of an appeal, a regulated entity or a small business shall inform the consumer in writing of any action taken or not taken in response to the appeal, including a written explanation of the reasons for the decisions. If the appeal is denied, the regulated entity or the small business shall also provide the consumer with an online mechanism, if available, or other method through which the consumer may contact the attorney general to submit a complaint." *Wash. Rev. Code § 19.373.040(1)(h).* <https://app.leg.wa.gov/RCW/default.aspx?cite=19.373.040>

[^q5-nondiscrimination]: **RCW 19.373.030(1)(d)** — "A regulated entity or a small business may not unlawfully discriminate against a consumer for exercising any rights included in this chapter." *Wash. Rev. Code § 19.373.030(1)(d).* <https://app.leg.wa.gov/RCW/default.aspx?cite=19.373.030>

[^q5-collection-consent]: **RCW 19.373.030(1)(a)** — "beginning March 31, 2024, a regulated entity or a small business may not collect any consumer health data except: (i) With consent from the consumer for such collection for a specified purpose; or (ii) To the extent necessary to provide a product or service that the consumer to whom such consumer health data relates has requested from such regulated entity or small business." *Wash. Rev. Code § 19.373.030(1)(a).* <https://app.leg.wa.gov/RCW/default.aspx?cite=19.373.030>

[^q5-sharing-consent]: **RCW 19.373.030(1)(b)** — "A regulated entity or a small business may not share any consumer health data except: (i) With consent from the consumer for such sharing that is separate and distinct from the consent obtained to collect consumer health data; or (ii) To the extent necessary to provide a product or service that the consumer to whom such consumer health data relates has requested from such regulated entity or small business." *Wash. Rev. Code § 19.373.030(1)(b).* <https://app.leg.wa.gov/RCW/default.aspx?cite=19.373.030>

[^q5-sale-authorization]: **RCW 19.373.070(1)** — "beginning March 31, 2024, it is unlawful for any person to sell or offer to sell consumer health data concerning a consumer without first obtaining valid authorization from the consumer. The sale of consumer health data must be consistent with the valid authorization signed by the consumer. This authorization must be separate and distinct from the consent obtained to collect or share consumer health data, as required under RCW 19.373.030" *Wash. Rev. Code § 19.373.070(1).* <https://app.leg.wa.gov/RCW/default.aspx?cite=19.373.070>

[^q6-geofence-ban]: **RCW 19.373.080** — "It is unlawful for any person to implement a geofence around an entity that provides in-person health care services where such geofence is used to: (1) Identify or track consumers seeking health care services; (2) collect consumer health data from consumers; or (3) send notifications, messages, or advertisements to consumers related to their consumer health data or health care services." *Wash. Rev. Code § 19.373.080.* <https://app.leg.wa.gov/RCW/default.aspx?cite=19.373.080>

[^q6-geofence-def]: **RCW 19.373.010(14)** — "‘Geofence’ means technology that uses global positioning coordinates, cell tower connectivity, cellular data, radio frequency identification, Wifi data, and/or any other form of spatial or location detection to establish a virtual boundary around a specific physical location, or to locate a consumer within a virtual boundary. For purposes of this definition, ‘geofence’ means a virtual boundary that is 2,000 feet or less from the perimeter of the physical location." *Wash. Rev. Code § 19.373.010(14).* <https://app.leg.wa.gov/RCW/default.aspx?cite=19.373.010>

[^q6-hcs-def]: **RCW 19.373.010(15)** — "‘Health care services’ means any service provided to a person to assess, measure, improve, or learn about a person's mental or physical health, including but not limited to: (a) Individual health conditions, status, diseases, or diagnoses; (b) Social, psychological, behavioral, and medical interventions; (c) Health-related surgeries or procedures; (d) Use or purchase of medication;" *Wash. Rev. Code § 19.373.010(15).* <https://app.leg.wa.gov/RCW/default.aspx?cite=19.373.010>

[^q7-breach-duty]: **RCW 19.255.010(1)** — "Any person or business that conducts business in this state and that owns or licenses data that includes personal information shall disclose any breach of the security of the system to any resident of this state whose personal information was, or is reasonably believed to have been, acquired by an unauthorized person and the personal information was not secured. Notice is not required if the breach of the security of the system is not reasonably likely to subject consumers to a risk of harm. The breach of secured personal information must be disclosed if the information acquired and accessed is not secured during a security breach or if the confidential process, encryption key, or other means to decipher the secured information was acquired by an unauthorized person." *Wash. Rev. Code § 19.255.010(1).* <https://app.leg.wa.gov/RCW/default.aspx?cite=19.255.010>

[^q7-thirty-days]: **RCW 19.255.010(8)** — "Notification to affected consumers under this section must be made in the most expedient time possible, without unreasonable delay, and no more than thirty calendar days after the breach was discovered, unless the delay is at the request of law enforcement as provided in subsection (3) of this section, or the delay is due to any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system." *Wash. Rev. Code § 19.255.010(8).* <https://app.leg.wa.gov/RCW/default.aspx?cite=19.255.010>

[^q7-ag-notice]: **RCW 19.255.010(7)** — "Any person or business that is required to issue a notification pursuant to this section to more than five hundred Washington residents as a result of a single breach shall notify the attorney general of the breach no more than thirty days after the breach was discovered. (a) The notice to the attorney general shall include the following information: (i) The number of Washington consumers affected by the breach, or an estimate if the exact number is not known; (ii) A list of the types of personal information that were or are reasonably believed to have been the subject of a breach; (iii) A time frame of exposure, if known, including the date of the breach and the date of the discovery of the breach; (iv) A summary of steps taken to contain the breach; and (v) A single sample copy of the security breach notification, excluding any personally identifiable information. (b) The notice to the attorney general must be updated if any of the information identified in (a) of this subsection is unknown at the time notice is due." *Wash. Rev. Code § 19.255.010(7).* <https://app.leg.wa.gov/RCW/default.aspx?cite=19.255.010>

[^q7-pi-definition]: **RCW 19.255.005(2)** — "An individual's first name or first initial and last name in combination with any one or more of the following data elements: (A) Social security number; (B) Driver's license number or Washington identification card number; (C) Account number or credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account, or any other numbers or information that can be used to access a person's financial account; (D) Full date of birth; (E) Private key that is unique to an individual and that is used to authenticate or sign an electronic record; (F) Student, military, or passport identification number; (G) Health insurance policy number or health insurance identification number; (H) Any information about a consumer's medical history or mental or physical condition or about a health care professional's medical diagnosis or treatment of the consumer; or (I) Biometric data generated by automatic measurements of an individual's biological characteristics such as a fingerprint, voiceprint, eye retinas, irises, or other unique biological patterns or characteristics that is used to identify a specific individual; (ii) User name or email address in combination with a password or security questions and answers that would permit access to an online account; and (iii) Any of the data elements or any combination of the data elements described in (a)(i) of this subsection without the consumer's first name or first initial and last name if: (A) Encryption, redaction, or other methods have not rendered the data element or combination of data elements unusable; and (B) The data element or combination of data elements would enable a person to commit identity theft against a consumer." *Wash. Rev. Code § 19.255.005(2)(a).* <https://app.leg.wa.gov/RCW/default.aspx?cite=19.255.005>

[^q7-secured]: **RCW 19.255.005(3)** — "‘Secured’ means encrypted in a manner that meets or exceeds the national institute of standards and technology standard or is otherwise modified so that the personal information is rendered unreadable, unusable, or undecipherable by an unauthorized person." *Wash. Rev. Code § 19.255.005(3).* <https://app.leg.wa.gov/RCW/default.aspx?cite=19.255.005>

[^q7-hipaa-deemed]: **RCW 19.255.030** — "A covered entity under the federal health insurance portability and accountability act of 1996, 42 U.S.C. Sec. 1320d et seq., is deemed to have complied with the requirements of this chapter with respect to protected health information if it has complied with section 13402 of the federal health information technology for economic and clinical health act, P.L. 111-5 as it existed on July 24, 2015. Covered entities shall notify the attorney general pursuant to RCW 19.255.010(7) in compliance with the timeliness of notification requirements of section 13402 of the federal health information technology for economic and clinical health act, P.L. 111-5 as it existed on July 24, 2015, notwithstanding the timeline in RCW 19.255.010(7)." *Wash. Rev. Code § 19.255.030(1).* <https://app.leg.wa.gov/RCW/default.aspx?cite=19.255.030>

[^q8-mhmda-cpa]: **RCW 19.373.090** — "The legislature finds that the practices covered by this chapter are matters vitally affecting the public interest for the purpose of applying the consumer protection act, chapter 19.86 RCW. A violation of this chapter is not reasonable in relation to the development and preservation of business, and is an unfair or deceptive act in trade or commerce and an unfair method of competition for the purpose of applying the consumer protection act, chapter 19.86 RCW." *Wash. Rev. Code § 19.373.090.* <https://app.leg.wa.gov/RCW/default.aspx?cite=19.373.090>

[^q8-cpa-private-action]: **RCW 19.86.090** — "Any person who is injured in his or her business or property by a violation of RCW 19.86.020, 19.86.030, 19.86.040, 19.86.050, or 19.86.060, or any person so injured because he or she refuses to accede to a proposal for an arrangement which, if consummated, would be in violation of RCW 19.86.030, 19.86.040, 19.86.050, or 19.86.060, may bring a civil action in superior court to enjoin further violations, to recover the actual damages sustained by him or her, or both, together with the costs of the suit, including a reasonable attorney's fee. In addition, the court may, in its discretion, increase the award of damages up to an amount not to exceed three times the actual damages sustained: PROVIDED, That such increased damage award for violation of RCW 19.86.020 may not exceed twenty-five thousand dollars" *Wash. Rev. Code § 19.86.090.* <https://app.leg.wa.gov/RCW/default.aspx?cite=19.86.090>

[^q8-cpa-per-se]: **RCW 19.86.093** — "a claimant may establish that the act or practice is injurious to the public interest because it: (1) Violates a statute that incorporates this chapter;" *Wash. Rev. Code § 19.86.093.* <https://app.leg.wa.gov/RCW/default.aspx?cite=19.86.093>

[^q8-biometric-ag-only]: **RCW 19.375.030** — "This chapter may be enforced solely by the attorney general under the consumer protection act, chapter 19.86 RCW." *Wash. Rev. Code § 19.375.030(2).* <https://app.leg.wa.gov/RCW/default.aspx?cite=19.375.030>

[^q8-cpa-penalties]: **RCW 19.86.140** — "Every person who violates RCW 19.86.020 shall forfeit and pay a civil penalty of not more than $7,500 for each violation: PROVIDED, That nothing in this paragraph shall apply to any radio or television broadcasting station which broadcasts, or to any publisher, printer or distributor of any newspaper, magazine, billboard or other advertising medium who publishes, prints or distributes, advertising in good faith without knowledge of its false, deceptive or misleading character. For unlawful acts or practices that target or impact specific individuals or communities based on demographic characteristics including, but not limited to, age, race, national origin, citizenship or immigration status, sex, sexual orientation, presence of any sensory, mental, or physical disability, religion, veteran status, or status as a member of the armed forces, as that term is defined in 10 U.S.C. Sec. 101, an enhanced penalty of $5,000 shall apply. For the purpose of this section the superior court issuing any injunction shall retain jurisdiction, and the cause shall be continued, and in such cases the attorney general acting in the name of the state may petition for the recovery of civil penalties." *Wash. Rev. Code § 19.86.140.* <https://app.leg.wa.gov/RCW/default.aspx?cite=19.86.140>

[^q8-breach-pra]: **RCW 19.255.040** — "An action to enforce this chapter may not be brought under RCW 19.86.090. (3)(a) Any consumer injured by a violation of this chapter may institute a civil action to recover damages." *Wash. Rev. Code § 19.255.040(2)-(3).* <https://app.leg.wa.gov/RCW/default.aspx?cite=19.255.040>
