Although many states across the US have responded to increasing concerns of protecting users’ data and privacy by enacting comprehensive data protection and privacy laws, no such law has taken effect in Washington yet. To stay updated on state developments, visit our US State Privacy Laws Tracker.
The following guide provides an overview of the state's current data protection laws and outlines primary considerations for businesses operating in Washington.
The Current State of Data Protection Laws in Washington
Washington My Health My Data Act (MHMDA), RCW 19.373: The law requires a clear privacy policy, opt-in consent for collection and a separate opt-in for sharing, data-minimization, security controls, processor contracts, and a signed authorization to sell consumer health data.
Biometric Identifiers Law, RCW 19.375: This law mandates businesses to provide notice and obtain consent before enrolling a biometric identifier for a commercial purpose.
Data Breach Notification (Private Sector), RCW 19.255.010: This law outlines the breach notification requirements and timelines for private sector organizations in relation to affected Washington residents.
Unfair or Deceptive Acts & Practices (UDAP), RCW 19.86: This law provides safeguards to consumers from deceptive privacy statements or misleading data practices.
Applicable Federal Laws
Depending on the organization’s industry and data, the following federal frameworks remain relevant:
- Health Insurance Portability and Accountability Act (HIPAA) for protected health information handled by covered entities and business associates.
- Children's Online Privacy Protection Act (COPPA) for online data about children under 13.
- Gramm-Leach-Bliley Act (GLBA) for financial institutions' customer data.
Best Practices for Businesses
Businesses operating in Washington may adopt the following best practices:
- Building an inventory of data assets across systems, vendors, and locations to understand the data collected, where it resides, and applicable obligations.
- Automating data mapping to visualize data flows, lineage, and processing purposes, which is vital for breach assessments, for honoring MHMDA consent and rights requirements, and for disclosure tracking.
- Implementing risk-based security controls and vendor oversight to ensure alignment with MHMDA’s “reasonable standard of care,” and to keep processor contracts in place for consumer health data.
- Publishing clear, accurate, and accessible privacy notices.
Conclusion
Organizations can efficiently navigate Washington's privacy landscape by adhering to best practices and investing time in understanding applicable laws. While Washington lacks a comprehensive law, its My Health My Data Act, biometric identifiers law, breach-notification requirements, and UDAP enforcement create meaningful obligations for businesses operating in the state today.