Privacy Guide | April 16, 2026 | 8 min read

Privacy Laws in Washington State: My Health My Data and Beyond (2026)

By Sarah Chen

Head of Privacy Research

Washington State has taken a different path than its West Coast neighbors on privacy legislation. While California passed the CCPA and Oregon enacted the OCPA, Washington focused on health data — the category the federal HIPAA law leaves most exposed. The My Health My Data Act (MHMDA), combined with sector-specific laws and a strong Attorney General's office, gives Washingtonians powerful protections that go beyond traditional healthcare contexts.

Washington's privacy landscape

Washington does not yet have a comprehensive consumer privacy law like California's CCPA. Instead, Washingtonians are protected by several overlapping statutes:

  • My Health My Data Act (MHMDA) — Chapter 19.373 RCW, focused on consumer health data
  • Biometric Identifiers Act — restricts commercial use of biometric data
  • Washington Data Breach Notification Law — requires breach notification within 30 days
  • Consumer Protection Act — general anti-deceptive-practices law used for privacy enforcement

This guide focuses on MHMDA, the most impactful of the four.

What is the My Health My Data Act?

The MHMDA, signed into law in April 2023 and in full effect since June 2024, is the first U.S. state privacy law specifically targeting consumer health data that falls outside HIPAA. It was designed to close the massive gap left by the federal law, which only covers doctors, hospitals, insurers, and their direct vendors — not the thousands of apps, websites, and devices that collect health data today.

HIPAA is much narrower than most people think

Period-tracking apps, mental health apps, fitness wearables, genetic testing services, symptom checkers, and telehealth marketplaces are typically not covered by HIPAA. MHMDA closes this gap for Washington residents.

What counts as "consumer health data" under MHMDA?

The definition is extremely broad. It includes any information linkable to a consumer that identifies past, present, or future physical or mental health status — including:

  • Health conditions, diagnoses, and treatments
  • Prescription and over-the-counter medication use
  • Reproductive or sexual health information
  • Gender-affirming care data
  • Mental health information
  • Biometric and genetic data
  • Precise location data tied to health-related facilities
  • Data that can be used to infer any of the above

Your rights under MHMDA

Washington consumers have the right to:

  • Access — A copy of your consumer health data
  • Know third parties — A list of every affiliate, contractor, and third party that has received your data, along with contact information
  • Withdraw consent — Revoke consent for collection and sharing at any time
  • Delete — Have your health data permanently erased

What makes MHMDA unique

No revenue or size threshold

Unlike most state privacy laws, MHMDA applies to any business that conducts business in Washington or targets Washington consumers — regardless of revenue or customer count. A small mental-health app startup is covered just as much as UnitedHealth Group.

Affirmative opt-in consent

Businesses must obtain express, opt-in consent before collecting or sharing health data. This is stronger than the opt-out model used by most U.S. state laws.

Separate authorization to sell

Even after getting consent to collect, a business must obtain a separate, signed authorization before selling health data. This is an extraordinarily high bar that effectively ends most commercial health-data sales for Washington residents.

Geofencing ban

MHMDA prohibits geofencing within 2,000 feet of any in-person healthcare facility if the geofence is used to identify consumers, track them, send them advertisements, or collect their data. This directly targets practices like anti-abortion groups geofencing Planned Parenthood clinics.

Private right of action

Unlike most state privacy laws, MHMDA allows individual consumers to sue directly for violations. Courts can award injunctive relief, actual damages, attorney fees, and treble damages up to $25,000 per violation. This is one of the law's strongest enforcement mechanisms.

How to exercise your rights under MHMDA

  1. Find the business's consumer health data privacy policy. MHMDA requires a separate health privacy policy, linked from the homepage, that is distinct from the general privacy policy.
  2. Submit a rights request. Use the designated method (usually a form or email) to request access, deletion, or a third-party disclosure list.
  3. Wait 45 days. Businesses have 45 days to respond.
  4. Appeal or file suit. If denied or ignored, you can file a complaint with the Washington Attorney General or bring a private lawsuit.

MHMDA and data brokers

Many data brokers that aggregate health-adjacent information — pharmacy loyalty data, wellness app data, fitness tracker feeds — are subject to MHMDA. Submitting a deletion request citing MHMDA is particularly powerful because of the law's private right of action.

Comprehensive Privacy Act (pending)

A comprehensive Washington Privacy Act has been introduced in the state legislature multiple times. As of 2026, it has not yet passed, but similar proposals are expected in upcoming sessions. Washingtonians should follow legislative efforts closely — a comprehensive law would add access, delete, correct, and opt-out-of-sale rights for all personal data, not just health data.

How PrivacyOn helps Washington residents

Until a comprehensive Washington Privacy Act passes, MHMDA plus overlapping federal laws (FTC Section 5, CFPB rules, FCRA) provide the legal basis for most broker opt-outs. PrivacyOn includes all 100+ major consumer data brokers in its continuous-monitoring coverage, uses the strongest applicable law for each request, and includes family plans for up to five members at $8.33/month per person.

Final checklist for Washington residents

  • Audit every health app, wearable, and wellness service for its MHMDA-compliant privacy policy
  • Withdraw consent from apps you no longer use
  • Request a list of third parties that have received your health data
  • Enable Global Privacy Control in your browser
  • Freeze your credit at all three bureaus
  • Consider continuous monitoring to handle data broker re-ingestion

Washington's privacy patchwork is unusual — strong on health data, weaker on other categories — but MHMDA is one of the most powerful single-issue privacy laws in the country. Use it.

Sarah Chen

Head of Privacy Research

CIPP/US Certified | IAPP Member | B.S. Computer Science

CIPP/US-certified privacy researcher with over a decade of experience helping consumers remove their personal information from data brokers.
