
Washington Cybersecurity Compliance: Laws, Requirements & What Businesses Must Do

A comprehensive guide to Washington state data privacy and cybersecurity laws, including breach notification under RCW 19.255.010, the My Health My Data Act, biometric identifier protections, and data broker registration requirements.

Washington state has established one of the most aggressive data privacy regulatory environments in the United States. While the state legislature has not yet passed a comprehensive consumer privacy law comparable to California's CCPA, Washington has enacted several targeted statutes that, taken together, create substantial compliance obligations for businesses operating in or serving residents of the state. The My Health My Data Act, signed into law in 2023, is nationally significant — it is the most expansive state health data privacy law in the country and includes a private right of action that gives individual consumers the power to sue.

For Washington businesses, this patchwork approach means that compliance requires understanding multiple overlapping laws rather than a single framework. From breach notification timelines to biometric data restrictions to health data consent requirements, the obligations are real and the penalties for noncompliance are meaningful. This guide covers each major law, its requirements, and practical steps for building a compliance program. Understanding Washington's breach history makes it clear why these protections exist and why the legislature continues to expand them.

Washington Data Privacy and Cybersecurity Laws

RCW 19.255.010 — Data Breach Notification

Washington's data breach notification law, codified in RCW 19.255.010 (with its definitions now in RCW 19.255.005), is the foundation of the state's cybersecurity regulatory framework. Originally enacted in 2005 and significantly amended in 2015 and 2019, the law imposes notification obligations on any person or business that conducts business in Washington and owns or licenses computerized data containing personal information of Washington residents. It applies to unencrypted data, and to encrypted data when the key or credential needed to decrypt it was also acquired.

Key requirements include:

  • 30-day notification deadline — businesses must notify affected individuals in the most expedient time possible and no more than 30 days after the breach is discovered, one of the shortest windows in the country. The only recognized basis for going past 30 days is a law enforcement request that notification be delayed because it would impede a criminal investigation

  • Attorney General notification — if a breach affects more than 500 Washington residents, the organization must also notify the Washington Attorney General within the same 30 days, and must update that notice if material facts change

  • Expanded definition of personal information — the 2019 amendment broadened the list of protected elements well beyond Social Security, driver's license and financial account numbers. A first name or initial and last name is now personal information when combined with, among other elements, a full date of birth, biometric data, a private key used to authenticate or sign electronic records, a student, military or passport identification number, a health insurance policy or identification number, or medical information; a full date of birth combined with the last four digits of a Social Security number is also covered, as is a username or email address combined with a password or security question answers, with no name required

  • Content requirements — notifications must include the name and contact information of the reporting entity, the types of personal information involved, the time frame of exposure (including the date of the breach and the date of discovery), and, if Social Security numbers were exposed, the toll-free numbers and addresses of the major consumer reporting agencies

  • Enforcement — violations are treated as unfair or deceptive practices under the Washington Consumer Protection Act (RCW 19.86), allowing the AG to seek penalties, injunctive relief, and attorney fees; the statute also lets a consumer injured by a violation bring a civil action for damages
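Scoping an incident against that definition is the first concrete engineering task after discovery: which exposed records actually meet the statutory combinations, how many distinct Washington residents that is, and what the outer deadline is. The following Python helper is an added example, not code from the original page; the field names, element groupings and sample records are constructed for illustration, and the statutory text and counsel decide real cases. It also flags records where a sensitive element was exposed without a name, which the statute covers only when the data would enable identity theft.

```python
"""Breach-scoping helper for the RCW 19.255 personal-information definition.

Added example, not from the original page. Field names, the sample records
and the element groupings are constructed for illustration; the statutory
text and counsel decide real cases.
"""
from __future__ import annotations
from dataclasses import dataclass
from datetime import date, timedelta

# Elements that become "personal information" when paired with a first name
# or initial plus last name. Labels are our own field names, not statute text.
NAME_PAIRED_ELEMENTS = frozenset({
    "ssn", "drivers_license", "account_number_with_code", "full_dob",
    "private_key", "student_military_passport_id", "health_insurance_id",
    "medical_info", "biometric_data",
})
NAME_FIELDS = frozenset({"first_name", "last_name"})
LOGIN_FIELDS = frozenset({"username", "email"})
CREDENTIAL_FIELDS = frozenset({"password", "security_qa"})

AG_THRESHOLD = 500        # notify the AG when more than this many WA residents
NOTIFY_WINDOW_DAYS = 30   # outer limit measured from discovery


@dataclass(frozen=True)
class ExposedRecord:
    resident_id: str
    state: str                               # state of residence, e.g. "WA"
    fields: frozenset[str]                   # field names the attacker reached
    encrypted: frozenset[str] = frozenset()  # subset that was encrypted at rest
    key_compromised: bool = False            # was the decryption key also taken?

    def usable(self) -> frozenset[str]:
        """Fields an unauthorized party can actually read."""
        return self.fields if self.key_compromised else self.fields - self.encrypted


def classify(rec: ExposedRecord) -> str:
    """'pi' if the record meets the definition, 'review' if a sensitive element
    was exposed without a name (covered only when it would enable identity
    theft, which is a judgment call), else 'none'."""
    f = rec.usable()
    if NAME_FIELDS <= f and f & NAME_PAIRED_ELEMENTS:
        return "pi"
    if f & LOGIN_FIELDS and f & CREDENTIAL_FIELDS:
        return "pi"
    if f & NAME_PAIRED_ELEMENTS:
        return "review"
    return "none"


@dataclass
class Scope:
    wa_residents_affected: int
    needs_review: int
    notify_individuals: bool
    notify_ag: bool
    deadline: date


def scope_breach(records: list[ExposedRecord], discovered: date) -> Scope:
    """Count distinct Washington residents whose personal information was
    exposed and derive the notification obligations and outer deadline."""
    affected: set[str] = set()
    review: set[str] = set()
    for rec in records:
        if rec.state != "WA":
            continue
        verdict = classify(rec)
        if verdict == "pi":
            affected.add(rec.resident_id)
        elif verdict == "review":
            review.add(rec.resident_id)
    review -= affected
    n = len(affected)
    return Scope(
        wa_residents_affected=n,
        needs_review=len(review),
        notify_individuals=n > 0,
        notify_ag=n > AG_THRESHOLD,
        deadline=discovered + timedelta(days=NOTIFY_WINDOW_DAYS),
    )


def sample_records() -> list[ExposedRecord]:
    """Constructed sample: a handful of rows from a dumped user table."""
    F = frozenset
    return [
        ExposedRecord("r1", "WA", F({"first_name", "last_name", "ssn"})),
        ExposedRecord("r2", "WA", F({"email", "password"})),
        ExposedRecord("r3", "WA", F({"first_name", "last_name", "ssn"}), F({"ssn"})),
        ExposedRecord("r4", "OR", F({"first_name", "last_name", "full_dob"})),
        ExposedRecord("r5", "WA", F({"ssn"})),
    ]


if __name__ == "__main__":
    s = scope_breach(sample_records(), date(2025, 3, 1))
    print(f"WA residents affected: {s.wa_residents_affected}, review: {s.needs_review}")
    print(f"notify individuals: {s.notify_individuals}, AG: {s.notify_ag}, by {s.deadline}")
```

Two design points worth keeping: the count is of distinct residents, not rows, because the 500-resident threshold is what triggers the AG notice; and an encrypted element is treated as unusable only while the key is not also known to be compromised, so that single flag flips a record from "no notice" to "notice" as the investigation learns more.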

My Health My Data Act (2023)

The My Health My Data Act, signed by Governor Inslee in April 2023, took effect in stages: the geofencing prohibition on July 23, 2023, the remaining obligations for regulated entities on March 31, 2024, and those same obligations for small businesses on June 30, 2024. It is one of the most significant state privacy laws enacted in the United States. The law was passed in direct response to the U.S. Supreme Court's Dobbs decision overturning Roe v. Wade, with legislators seeking to protect health data, particularly reproductive health information, from being used to target individuals. However, the law's scope extends far beyond reproductive health to cover virtually all consumer health data.

The Act applies to 'regulated entities' and 'small businesses' that collect, share, or sell consumer health data of Washington residents. Critically, its exemptions are defined by the data rather than by the entity: protected health information already governed by HIPAA is carved out, but HIPAA-covered status does not exempt the organization's other health-related data. This fills a major gap in federal health privacy protections. Key provisions include:

  • Broad definition of consumer health data — includes any information that identifies or is reasonably linkable to a consumer and relates to past, present, or future physical or mental health status. This covers data about diagnoses, treatments, diseases, social conditions related to health, bodily functions, reproductive health, biometric data, genetic data, precise geolocation that could reveal health-related visits, and data derived from non-health information that is used to associate or identify a consumer with health data

  • Consent requirements — a regulated entity may not collect consumer health data without the consumer's affirmative consent unless the collection is necessary to provide a product or service the consumer requested; sharing requires a separate consent that is distinct from the consent to collect; and selling consumer health data requires a signed 'valid authorization' that expires one year after it is signed. Consent obtained through a general terms-of-service acceptance or a pre-checked box does not qualify. The entity must also publish a consumer health data privacy policy listing the categories of data collected and the categories of third parties it is shared with

  • Consumer rights — consumers have the right to confirm whether their health data is being collected or shared, to access it, to receive a list of the third parties and affiliates it has been shared with, and to withdraw consent. Requests must be answered within 45 days. Upon a deletion request the entity must delete the data within 30 days and pass the deletion request on to its affiliates, processors, contractors, and any third party it shared the data with

  • Prohibition on geofencing — the law prohibits implementing a geofence (a virtual boundary of up to 2,000 feet) around an in-person health care facility for the purpose of collecting consumer health data, identifying or tracking consumers seeking health care, or sending them health-related notifications, messages, or advertisements

  • Private right of action — unlike most state privacy laws, the My Health My Data Act lets individual consumers sue, because a violation is a per se violation of the Consumer Protection Act. This is enormously significant because enforcement does not depend solely on the Attorney General's office. A private plaintiff can recover actual damages, costs and attorney fees, and the court may increase the award up to three times actual damages, capped at $25,000; the Attorney General can separately seek civil penalties

  • No HIPAA exemption for non-covered entities — because the exemption attaches to HIPAA-protected information rather than to HIPAA-covered organizations, the Act captures health data held by apps, websites, fitness trackers, and other technology companies outside HIPAA's scope, as well as non-HIPAA health data held by covered entities
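The engineering consequence of the consent provisions is that "collect", "share" and "sell" are three separate permissions that must be checked per consumer and per category of data and recipient, with none implied by another, and that a deletion request has to be propagated to everyone the data was shared with. The following Python consent ledger is an added example, not code from the original page; the category names, the ledger layout and the method names are this example's own modelling choices, and it enforces the Act's one-year expiry on a valid authorization to sell.

```python
"""Consent gate for consumer health data under the My Health My Data Act.

Added example, not from the original page. It models three distinct
permissions the Act describes: consent to collect, a separate consent to
share, and a signed valid authorization to sell (which the Act limits to
one year). Category names, the ledger layout and the method names are this
example's own modelling choices.
"""
from __future__ import annotations
from dataclasses import dataclass
from datetime import date, timedelta
from enum import Enum


class Action(Enum):
    COLLECT = "collect"
    SHARE = "share"
    SELL = "sell"


@dataclass(frozen=True)
class Grant:
    category: str             # e.g. "reproductive_health", "precise_geolocation"
    action: Action
    recipient: str | None     # third-party category for SHARE/SELL, None for COLLECT
    granted_on: date
    valid_until: date | None  # only SELL authorizations expire


class ConsentLedger:
    """Records affirmative consent per consumer, data category, action and
    recipient category; a grant for one action never implies another."""

    def __init__(self) -> None:
        self._grants: dict[str, list[Grant]] = {}
        self._shared_with: dict[str, set[str]] = {}

    def grant(self, consumer: str, category: str, action: Action,
              recipient: str | None = None, on: date | None = None,
              signed: bool = False) -> None:
        on = on or date.today()
        if action is Action.COLLECT:
            recipient = None
        elif recipient is None:
            raise ValueError(f"{action.value} consent must name the recipient category")
        if action is Action.SELL and not signed:
            raise ValueError("sale requires a signed valid authorization")
        expiry = on + timedelta(days=365) if action is Action.SELL else None
        self._grants.setdefault(consumer, []).append(
            Grant(category, action, recipient, on, expiry))

    def permits(self, consumer: str, category: str, action: Action,
                recipient: str | None = None, today: date | None = None) -> bool:
        today = today or date.today()
        for g in self._grants.get(consumer, []):
            if g.category != category or g.action is not action:
                continue
            if action is not Action.COLLECT and g.recipient != recipient:
                continue
            if g.valid_until is not None and today > g.valid_until:
                continue
            return True
        return False

    def may_collect(self, consumer: str, category: str,
                    necessary_for_requested_service: bool = False,
                    today: date | None = None) -> bool:
        """Collection needs consent unless it is necessary to provide the
        product or service the consumer asked for."""
        return necessary_for_requested_service or self.permits(
            consumer, category, Action.COLLECT, today=today)

    def share(self, consumer: str, category: str, recipient: str,
              today: date | None = None) -> bool:
        """Gate every outbound transfer; remember recipients so a later
        deletion request can be propagated downstream."""
        if not self.permits(consumer, category, Action.SHARE, recipient, today):
            raise PermissionError(f"no sharing consent for {category} -> {recipient}")
        self._shared_with.setdefault(consumer, set()).add(recipient)
        return True

    def withdraw(self, consumer: str, category: str,
                 action: Action | None = None) -> None:
        """Withdraw consent for a category, optionally for one action only."""
        self._grants[consumer] = [
            g for g in self._grants.get(consumer, [])
            if not (g.category == category and (action is None or g.action is action))]

    def delete(self, consumer: str) -> list[str]:
        """Honour a deletion request: drop all grants and return the recipient
        categories that must also be told to delete."""
        self._grants.pop(consumer, None)
        return sorted(self._shared_with.pop(consumer, set()))
```

Every data egress path (API export, analytics pipeline, ad SDK, vendor sync) should call `share()` rather than checking a single "consented" flag, because that flag is what lets a collection consent silently turn into a sharing consent. The recipient list returned by `delete()` is the input to the downstream deletion notices the Act requires.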

The private right of action makes the My Health My Data Act one of the most consequential privacy laws in the country for businesses. Unlike laws enforced solely by attorneys general, this statute creates direct litigation risk from consumers and class-action plaintiffs' attorneys. Companies that collect any form of health-related data from Washington residents — including through mobile apps, websites, or wearable devices — should treat compliance as an urgent priority.

Washington Biometric Identifier Law (RCW 19.375)

Enacted in 2017, Washington's biometric identifier law (House Bill 1493) regulates the enrollment, use, and retention of biometric identifiers for commercial purposes. The statute defines a biometric identifier as data generated by automatic measurement of an individual's biological characteristics, such as a fingerprint, voiceprint, eye retina or iris, or other unique biological pattern used to identify a specific individual; it expressly excludes physical or digital photographs, video or audio recordings, and data generated from them. The law requires businesses to:

  • Provide notice, obtain consent, or provide a mechanism to prevent subsequent commercial use before enrolling a biometric identifier in a database for a commercial purpose (the statute states these as alternatives, and the form of notice and consent is left context-dependent)

  • Disclose the purpose and duration of biometric data collection

  • Implement reasonable care standards to protect biometric data, using protections at least as rigorous as those applied to other confidential information

  • Not sell, lease, or otherwise commercially use biometric identifiers without consent

Unlike the Illinois Biometric Information Privacy Act (BIPA), Washington's biometric law does not include a private right of action. Enforcement is exclusively through the Attorney General under the Consumer Protection Act. The law also exempts identifiers enrolled for a security purpose, such as preventing fraud or unauthorized access. It still carries significant compliance implications for businesses using fingerprint scanners, voice authentication, iris scanners, or other biometric systems, particularly in the technology and retail sectors that are heavily represented in Washington. Facial recognition deserves a closer look: because photographs, video, and data derived from them are excluded from the definition, whether a given face-matching system falls under RCW 19.375 depends on how the template is generated, and counsel should make that call before the system is treated as out of scope.

Data Broker Registration Requirements

Washington enacted a data broker transparency law requiring data brokers — entities that knowingly collect and sell the personal data of consumers with whom they have no direct relationship — to register annually with the Washington Secretary of State. The law, effective March 31, 2024, requires data brokers to:

  • Register and pay a fee with the Secretary of State on an annual basis

  • Provide their name, primary address, and contact information

  • Disclose whether they permit consumers to opt out of data collection or sales

  • Describe the methods consumers can use to exercise opt-out rights

While the registration requirement itself is relatively straightforward, it signals increasing legislative attention to the data broker industry. Businesses that aggregate and sell consumer data should evaluate whether they meet the definition of a data broker under this law and plan for ongoing compliance.

Industry-Specific Compliance in Washington

Washington's industry composition creates additional compliance layers beyond state privacy laws. Organizations in the state's key sectors must navigate overlapping federal and industry-specific requirements.

HIPAA and the My Health My Data Act — Healthcare Organizations

Washington healthcare providers, insurers, and their business associates must comply with both HIPAA and state-specific requirements. The My Health My Data Act is particularly important because it captures health data held by entities that HIPAA does not cover — health apps, fitness platforms, telehealth startups, and consumer technology companies. Organizations that handle health-related data in any form should conduct a gap analysis to determine where the My Health My Data Act imposes requirements beyond their existing HIPAA compliance programs.

CMMC — Defense and Aerospace Contractors

Washington's defense and aerospace sector, anchored by Boeing and hundreds of suppliers, faces Cybersecurity Maturity Model Certification (CMMC) requirements for handling controlled unclassified information. CMMC 2.0 Level 2 requires implementation of the 110 security requirements in NIST SP 800-171 and, for most contracts, a certification assessment by an authorized third-party assessment organization (a subset of Level 2 contracts allow an annual self-assessment instead). Many aerospace supply chain companies are also manufacturers, making manufacturing IT security a relevant compliance and operational consideration.

FTC Act — Technology Companies

Washington's technology companies, from global giants to startups, are subject to Federal Trade Commission enforcement under Section 5 of the FTC Act, which prohibits unfair or deceptive practices. The FTC has increasingly used this authority to bring enforcement actions related to data security failures and privacy misrepresentations. Companies making privacy promises in their terms of service or privacy policies must ensure their actual practices match those representations.

DOE Requirements — Hanford and Nuclear Facilities

The Hanford Nuclear Reservation and other Department of Energy facilities in Washington operate under DOE-specific cybersecurity requirements, including DOE Order 205.1C (the Department of Energy Cyber Security Program), which builds on the NIST SP 800-53 control catalog and the Risk Management Framework. Contractors and subcontractors supporting these facilities face stringent security clearance and data handling requirements that extend to their information systems and personnel.

Washington Compliance Checklist for Businesses

The following checklist addresses core requirements across Washington state laws and the most common federal frameworks affecting Washington businesses:

  • Audit all health-related data collection — identify every system, app, website, and device that collects data that could qualify as consumer health data under the My Health My Data Act. This includes fitness tracking features, health-related surveys, appointment scheduling systems, and location data near healthcare facilities

  • Implement consent mechanisms for health data — the My Health My Data Act requires affirmative consent to collect health data beyond what the requested product or service needs, a separate consent to share it, and a signed valid authorization before any sale. Update consent flows so each of these is captured distinctly, per category of data and recipient, and keep the consent records

  • Prepare for 30-day breach notification — build incident response procedures specifically designed to meet Washington's aggressive 30-day timeline. This includes pre-drafted notification templates that already contain the required content, a documented way to count affected Washington residents against the 500-resident Attorney General threshold, pre-identified legal counsel, and tested communication channels

  • Evaluate biometric data practices — if your organization uses fingerprint scanners, facial recognition, voiceprints, or other biometric identifiers, ensure compliance with RCW 19.375 including notice, consent, and reasonable care requirements

  • Determine data broker registration obligations — if your business collects and sells personal data of consumers with whom you have no direct relationship, register with the Secretary of State

  • Inventory all personal information — create a data map covering what personal information you collect, where it is stored, who has access, and how long it is retained

  • Implement and document security controls — reasonable security measures are expected under both breach notification law and the Consumer Protection Act. Adopt a recognized framework such as NIST CSF, CIS Controls, or ISO 27001

  • Train employees on Washington-specific obligations — ensure staff understand the 30-day notification window, health data consent requirements, and biometric data handling rules

  • Review third-party vendor agreements — ensure vendors that process personal information or health data on your behalf meet your compliance obligations and are contractually required to notify you promptly of incidents

  • Retain compliance documentation — maintain records of consent, data processing activities, security assessments, and incident response actions for regulatory review

How Washington Businesses Stay Compliant

Health Data Compliance Programs

The My Health My Data Act requires a fundamentally different approach to health data than HIPAA alone. Organizations must map all health-related data flows — not just those involving HIPAA-covered protected health information — and implement consent management systems that capture granular, affirmative consent. This is especially challenging for technology companies whose products may collect health-adjacent data (location near clinics, search queries about symptoms, fitness metrics) without having been designed as health data systems. Companies should engage privacy counsel familiar with the Act to conduct a comprehensive health data audit.

Incident Response Readiness

Washington's 30-day notification window leaves no room for delayed investigation. Organizations need incident response plans that are tested, not theoretical. Tabletop exercises should simulate a breach discovery with the clock running: can your team investigate, scope the incident, prepare notifications, and file with the Attorney General within 30 days? Many organizations discover during exercises that their investigation and legal review processes alone consume most of the available window.

Continuous Monitoring and Documentation

Both the Attorney General and private plaintiffs under the My Health My Data Act will look for evidence that a business maintained reasonable security and handled data according to its consent promises. Many Washington businesses work with managed IT services providers and managed security services firms to maintain continuous monitoring, log retention, and compliance documentation. Small businesses in particular benefit from outsourced compliance support, as building these capabilities internally requires significant investment.

Frequently Asked Questions

Does the My Health My Data Act apply to businesses outside Washington?

Yes. The Act applies to any entity that collects, shares, or sells consumer health data of Washington residents, regardless of where the business is physically located. This means a California-based health app that has Washington users must comply with the law. The extraterritorial reach, combined with the private right of action, makes this law relevant to virtually any company that handles health-related data and has users or customers in Washington.

How does the My Health My Data Act differ from HIPAA?

HIPAA applies only to covered entities (healthcare providers, health plans, clearinghouses) and their business associates. The My Health My Data Act applies to any entity that collects consumer health data, including technology companies, fitness apps, wellness programs, and consumer devices that HIPAA does not reach. The Act also defines health data more broadly, covering reproductive health data, geolocation near health facilities, and data derived from non-health sources. Critically, the Act provides a private right of action — HIPAA does not allow individuals to sue directly.

What triggers Washington's 30-day breach notification requirement?

The 30-day clock starts when the business discovers the breach, not when its investigation concludes. The statute requires notification in the most expedient time possible and without unreasonable delay, with 30 days after discovery as the outer limit; unlike some states, Washington does not restart the clock at the end of the investigation, so organizations cannot extend the timeline by delaying their investigation. The one recognized exception is a law enforcement request to delay notification because it would impede a criminal investigation. A business must notify affected individuals and, if more than 500 Washington residents are affected, the Attorney General within 30 days of the discovery date.

Are there penalties for violating Washington biometric data law?

Violations of Washington's biometric identifier law (RCW 19.375) are enforceable as violations of the Consumer Protection Act (RCW 19.86). The Attorney General can seek civil penalties of up to $7,500 per violation, injunctive relief, and attorney fees. While there is no private right of action under the biometric law itself, the CPA framework provides substantial enforcement leverage. Businesses using biometric systems for employee time tracking, customer authentication, or security access should ensure they have proper notice and consent procedures in place.

What must data brokers disclose when registering in Washington?

Data brokers must register annually with the Washington Secretary of State and disclose their name, primary address, contact information, whether they permit consumers to opt out of data collection or sales, and the methods consumers can use to exercise opt-out rights. Failure to register can result in enforcement action under the Consumer Protection Act. The registration requirement is designed to increase transparency in an industry that has historically operated with minimal oversight.

Does Washington have a comprehensive consumer privacy law like California's CCPA?

As of this writing, Washington does not have a single comprehensive consumer privacy law. The legislature has considered multiple privacy bills in recent sessions, including the Washington Privacy Act, but none have passed. Instead, Washington has enacted targeted laws addressing specific categories of data: health data (My Health My Data Act), biometric data (RCW 19.375), breach notification (RCW 19.255.010), and data broker transparency. This patchwork approach requires businesses to track compliance across multiple statutes rather than a single framework. Reviewing the Washington threat landscape provides additional context for why comprehensive legislation continues to be debated.


Alex Morgan

Updated Apr 4, 2026 · 13 min read