Go to:

Washington State Privacy Protection Rights

Washington statewide privacy links:

Sponsored

Introduction to Washington Privacy Rights

Washington State has emerged as a national leader in privacy protection, establishing some of the most comprehensive consumer privacy rights in the United States. The state's commitment to protecting personal information reflects a growing recognition that privacy is fundamental to individual autonomy and dignity in an increasingly digital world.

Washington's privacy landscape is anchored by the My Health My Data Act (MHMDA), which became law in 2023, and the Washington Privacy Act, which provides broad consumer data protections. These laws place Washington among an elite group of states—alongside California, Virginia, Colorado, and Connecticut—that have enacted comprehensive privacy legislation. Unlike the patchwork of federal privacy laws that address specific sectors, Washington has taken a holistic approach that covers health data, consumer information, biometric data, and genetic information.

The state's privacy framework goes beyond simply restricting how businesses collect and use data. Washington law empowers residents with actionable rights: the ability to access their personal information, correct inaccuracies, delete data, and opt out of certain data processing activities. Washington also imposes strict requirements on businesses regarding data security, breach notification, and transparency about data practices.

Compared to other states, Washington's privacy protections are particularly strong in the health data sector. The My Health My Data Act extends privacy protections far beyond what federal HIPAA regulations require, covering health apps, fitness trackers, and other digital health services that traditionally fell into regulatory gaps. This positions Washington residents with some of the most robust health privacy rights in the nation, addressing modern concerns about reproductive health data, mental health information, and wellness app tracking.

Washington's State Privacy Laws

Washington has enacted multiple privacy statutes that collectively create a comprehensive privacy protection framework for residents. Understanding these laws is essential for anyone seeking to protect their personal information in the state.

My Health My Data Act (MHMDA)

The My Health My Data Act, codified in RCW 19.373, took effect in March 2024 and represents one of the nation's most expansive health privacy laws. Unlike HIPAA, which only covers "covered entities" like healthcare providers and insurers, MHMDA applies to any business that collects, shares, or sells Washington consumers' health data. This includes fitness apps, period trackers, telehealth platforms, and health-related websites.

MHMDA defines "consumer health data" broadly to include personal information linked to past, present, or future physical or mental health, including data from health apps, wearable devices, genetic testing services, and online searches for health information. The law prohibits businesses from collecting or sharing consumer health data without valid authorization, requires clear privacy policies, and gives consumers the right to withdraw consent, access their data, and request deletion.

Critically, MHMDA includes a private right of action, allowing Washington residents to sue companies directly for violations, with statutory damages ranging from $1,000 to $10,000 per violation. The Washington Attorney General also has enforcement authority under RCW 19.373.400.

Data Breach Notification Law

Washington's data breach notification requirements are established under RCW 19.255.010. This statute requires any person or entity that conducts business in Washington and owns or licenses computerized data containing personal information to notify affected Washington residents when a breach of security occurs.

Under the law, businesses must provide notification in the "most expedient time possible and without unreasonable delay," but no specific number of days is mandated. However, notification cannot be delayed beyond what is necessary to determine the scope of the breach and restore system integrity. The notification must be made to both affected individuals and the Washington Attorney General if the breach affects more than 500 Washington residents.

Personal information is defined to include a person's first name or initial and last name combined with social security number, driver's license number, state ID card number, financial account numbers, or credit/debit card numbers with security codes. The law was amended in 2015 to include usernames or email addresses combined with passwords or security questions.

Employee Privacy Rights

Washington law provides specific privacy protections for employees. RCW 49.12.240 prohibits employers from requesting access to employees' or job applicants' personal social networking accounts. Employers cannot require employees to add anyone to their contact lists, access accounts in the employer's presence, or disclose passwords.

Additionally, RCW 49.12.250 requires employers to provide notice before conducting monitoring of employee communications or internet usage on employer-provided devices or networks. Washington also protects lawful off-duty conduct under various statutes, limiting employer intrusion into employees' private lives.

Financial Privacy

Washington adopted provisions consistent with the federal Gramm-Leach-Bliley Act through state regulations, requiring financial institutions to provide privacy notices and allow consumers to opt out of certain information sharing. The Washington Department of Financial Institutions enforces these requirements for state-chartered banks, credit unions, and other financial service providers.

RCW 19.182, the Washington Consumer Credit Reporting Act, provides additional protections beyond federal law, including requirements for consumer reporting agencies operating in Washington and specific rights for consumers to dispute inaccurate information.

Biometric Privacy

Washington has enacted biometric privacy protections under RCW 19.375, which requires businesses to obtain consent before enrolling biometric identifiers in a database, provide notice about the purpose and duration of data collection, and establish retention and destruction policies. While not as stringent as Illinois' Biometric Information Privacy Act, Washington's law provides meaningful protections for fingerprints, facial recognition data, voiceprints, and other biometric information.

Freedom of Information / Open Records in Washington

Washington's public records law is known as the Public Records Act (PRA), codified primarily in RCW 42.56. This law establishes that all state and local government records are presumptively public and accessible to any person, with specific exemptions carved out to protect legitimate privacy and governmental interests.

The Public Records Act applies to all state and local agencies, including executive, legislative, and judicial branches, school districts, public universities, and special purpose districts. "Public record" is defined broadly under RCW 42.56.010 to include any writing containing information relating to the conduct of government or the performance of any governmental or proprietary function, regardless of physical form or characteristics.

Making a Public Records Request

To request public records in Washington, you must submit a request to the appropriate agency's public records officer. Most agencies have designated public records officers and provide request forms on their websites. The request must be sufficiently clear to allow the agency to identify and locate the records sought. You do not need to provide a reason for your request or identify yourself, though some requesters provide contact information to facilitate communication.

Under RCW 42.56.520, agencies must respond to public records requests within five business days. This initial response must either provide the records, acknowledge receipt and provide a reasonable estimate of when records will be available, deny the request with specific legal exemptions cited, or seek clarification if the request is unclear. Agencies are required to provide records on a "rolling basis" as they become available rather than waiting to complete the entire search.

Exemptions to Disclosure

RCW 42.56 contains over 500 specific exemptions protecting various categories of information from disclosure. Key privacy-related exemptions include:

Fees and Costs

Under RCW 42.56.120, agencies may charge for public records but cannot charge for the first two hours of search and redaction time. After the initial two hours, agencies may charge for actual costs of searching, copying, and redacting records. Copying fees are typically $0.15 per page for standard black and white copies. Electronic records sent via email typically incur no charge. Agencies must provide the "least expensive method" of producing records.

Appeals Process

If an agency denies a public records request, the requester may seek review through several avenues. Many requesters first attempt informal resolution by contacting the agency's public records officer or supervisor. If that fails, requesters can file a lawsuit in superior court under RCW 42.56.550. Washington courts take Public Records Act violations seriously and may award penalties of between $5 and $100 per day for improper withholding, plus attorney fees and costs if the requester prevails.

The Washington Attorney General's Office provides guidance through its Open Government Resource Manual and occasionally issues advisory opinions on public records issues, though these are not binding on courts.

HIPAA and Health Privacy

The federal Health Insurance Portability and Accountability Act (HIPAA) establishes baseline privacy protections for medical information held by healthcare providers, health plans, and healthcare clearinghouses. In Washington, HIPAA applies as it does nationwide, but the state has supplemented these federal protections with additional privacy safeguards.

Under HIPAA, "covered entities" must provide patients with Notice of Privacy Practices, obtain authorization before using or disclosing protected health information (PHI) for purposes other than treatment, payment, or healthcare operations, and implement administrative, physical, and technical safeguards to protect health information. Patients have rights to access their medical records, request corrections, receive an accounting of disclosures, and file complaints about privacy violations with the U.S. Department of Health and Human Services Office for Civil Rights.

Washington-Specific Health Privacy Protections

Washington law extends health privacy protections beyond HIPAA's scope in several important ways. RCW 70.02, the Uniform Health Care Information Act, governs disclosure of health care information by healthcare providers and facilities in Washington. This statute provides protections that often exceed HIPAA requirements and applies to some entities not covered by HIPAA.

Under RCW 70.02, healthcare providers must obtain written authorization before disclosing health care information, with limited exceptions for treatment, payment, health care operations, and legally required disclosures. The law includes specific protections for mental health treatment records under RCW 71.05, substance abuse treatment records (which also have federal protection under 42 CFR Part 2), and HIV/AIDS test results under RCW 70.24.

The My Health My Data Act represents Washington's most significant expansion of health privacy rights. By covering health apps, wearable devices, online health information searches, and other digital health tools not regulated by HIPAA, MHMDA closes critical gaps in health privacy protection. This is particularly important for reproductive health data, mental health apps, fertility trackers, and wellness platforms that collect sensitive health information but don't fall under traditional healthcare regulation.

To protect medical records in Washington, residents should: request copies of their medical records regularly to monitor for accuracy; understand who has access to their information by requesting an accounting of disclosures; carefully review privacy notices from healthcare providers; limit sharing of health information with apps and devices not covered by HIPAA; and file complaints with both the Washington Department of Health and federal Office for Civil Rights if privacy violations occur.

Consumer Data Privacy Rights

Washington residents possess extensive rights regarding their personal data, though some of these rights depend on pending legislation and the specific context of data collection. Understanding these rights enables residents to exercise greater control over their digital footprint.

Data Access and Portability Rights

Under the My Health My Data Act, Washington consumers have explicit rights to access consumer health data that businesses have collected about them. Businesses must respond to these requests within 45 days and provide the information in a readily usable format. While Washington does not yet have a comprehensive consumer privacy law equivalent to California's CCPA for all consumer data, health data receives robust protection.

For consumer health data specifically, Washington residents can request that businesses disclose what categories of data have been collected, the sources of that data, the purposes for collection and sharing, and the categories of third parties with whom data has been shared. This transparency right allows consumers to understand the full scope of their digital health footprint.

Deletion Rights

Washington consumers have the right to request deletion of their consumer health data under MHMDA. Upon receiving a valid deletion request, businesses must delete the consumer's health data from their records and notify all affiliates, processors, contractors, and third parties to whom the data was sold or disclosed to also delete the data, unless an exception applies (such as legal compliance requirements or fraud prevention).

Opt-Out Rights

The My Health My Data Act grants Washington residents the right to withdraw consent for collection or sharing of consumer health data at any time. Businesses must make withdrawal of consent as easy as providing consent initially—if a business allows one-click consent, it must provide one-click withdrawal. Businesses cannot charge fees, degrade service, or retaliate against consumers who exercise their withdrawal rights.

Data Broker Removal

While Washington does not currently require data brokers to register with the state (unlike Vermont and California), residents can still request removal from data broker databases. Major data brokers operating in Washington include Acxiom, Epsilon, LexisNexis, CoreLogic, and Experian. Each maintains opt-out processes, though these vary in complexity.

To remove information from data brokers, Washington residents should: identify which brokers hold their information by searching their names on major people-search websites; visit each broker's opt-out page (usually found in privacy policies or through web searches for "[company name] opt out"); submit opt-out requests with required verification information; document all requests with screenshots and confirmation numbers; and repeat the process every 6-12 months, as information may reappear from new data sources.

Credit Report Rights Under FCRA

The federal Fair Credit Reporting Act provides Washington residents with specific rights regarding credit reports. Consumers are entitled to one free credit report annually from each of the three major credit bureaus (Equifax, Experian, and TransUnion) through AnnualCreditReport.com. Washington residents can also freeze their credit reports for free under federal law, preventing new creditors from accessing the report without authorization.

Under RCW 19.182.170, Washington's Consumer Credit Reporting Act, consumers can place security freezes on their credit reports and receive specific protections regarding how credit information is reported and used. The law requires consumer reporting agencies to investigate disputes within 30 days and prohibits reporting of certain information after specified time periods.

Employment Background Checks & Privacy

Washington has enacted several laws limiting what employers can consider in background checks, how they must conduct these checks, and what privacy protections apply to employees and applicants.

Fair Chance Act and Ban-the-Box

Washington's Fair Chance Act, codified in RCW 49.94, prohibits most employers from asking about criminal history on initial job applications. This "ban-the-box" law requires employers to wait until after they have determined the applicant is otherwise qualified before inquiring about criminal history. Employers cannot advertise that individuals with criminal records will not be considered.

Once an employer does inquire about criminal history, they must follow specific procedures under RCW 49.94. If an employer intends to deny employment or take adverse action based on criminal history, they must provide the applicant with a written notice that includes the specific conviction(s) forming the basis for the decision, allow the applicant at least two business days to respond with mitigating evidence, and engage in an individualized assessment considering the nature of the crime, time elapsed, and relevance to the position.

Limitations on Criminal Record Access

Under RCW 10.97, Washington's criminal records privacy act, dissemination of criminal history record information is restricted. While employers can access conviction records through the Washington State Patrol's background check system or commercial background check providers, arrest records that did not lead to conviction generally cannot be reported after one year.

Washington law also limits how long certain criminal records can affect employment. Under RCW 9.96A.020, individuals who have been convicted of crimes in Washington are issued a certificate of discharge upon completion of their sentence. This certificate restores civil rights and means the conviction cannot be used to disqualify the person from employment unless the conviction directly relates to the job.

Expungement and Record Sealing

Washington law provides mechanisms for vacating convictions and sealing records. Under RCW 9.94A.640 (for felonies) and RCW 9.96.060 (for misdemeanors), individuals who have completed their sentences and remained crime-free for specified waiting periods can petition courts to vacate convictions. Once vacated, the conviction is legally deemed not to have occurred, and individuals can lawfully state they have not been convicted.

Waiting periods vary: typically three years after completion of sentence for most misdemeanors, five years for Class C felonies, and ten years for Class B felonies. Certain serious crimes, including most violent offenses and crimes against persons, cannot be vacated.

Fair Credit Reporting Act Compliance

When Washington employers use third-party background check companies, they must comply with the federal Fair Credit Reporting Act (FCRA). This requires: obtaining written consent before conducting the background check; providing pre-adverse action notice if planning to deny employment based on the report; including a copy of the report and a summary of FCRA rights; allowing reasonable time for the applicant to dispute inaccuracies; and providing final adverse action notice if proceeding with the denial.

Washington residents who discover inaccurate information in employment background checks should immediately dispute the information with both the background check company and the original source of the information. Under FCRA, background check companies must investigate disputes within 30 days.

Protecting Yourself in Washington

Washington residents can take concrete steps to enhance their privacy and control their personal information. This practical guide provides actionable measures for protecting privacy in the digital age.

Step 1: Opt Out of People-Search Sites

Begin by identifying which people-search websites list your information. Search for your name, phone number, and address on major sites including Spokeo, WhitePages, BeenVerified, Intelius, PeopleFinders, and TruthFinder. For each site listing your information:

Step 2: Freeze Your Credit

Contact all three major credit bureaus to place free security freezes on your credit reports. For Equifax, call 1-800-349-9960 or visit Equifax.com/personal/credit-report-services; for Experian, call 1-888-397-3742 or visit Experian.com/freeze; for TransUnion, call 1-888-909-8872 or visit TransUnion.com/credit-freeze. You will receive a PIN or password to lift the freeze temporarily when you need to apply for credit. Also freeze your reports at ChexSystems (for banking) and Innovis (fourth credit bureau).

Step 3: Request Removal from Data Brokers

Submit opt-out requests to major data brokers. For Acxiom, visit Acxiom.com/opt-out; for Epsilon, visit Epsilon.com/privacy-policy; for Oracle Data Cloud, visit Oracle.com/legal/privacy/marketing-cloud-data-cloud-privacy-policy.html. Document each request and follow up if you don't receive confirmation within 60 days.

Step 4: Exercise Your Health Data Rights

For health apps and wellness platforms used in Washington, review privacy settings and exercise your rights under the My Health My Data Act. Contact each service provider to request: disclosure of what health data has been collected; deletion of health data you no longer want stored; and withdrawal of consent for data sharing with third parties. Keep records of all requests and responses.

Step 5: Seal or Expunge Eligible Criminal Records

If you have criminal convictions in Washington that may be eligible for vacation, contact the court where you were convicted or consult with an attorney. The Washington State Bar Association provides lawyer referrals at 206-443-9722. You can also contact the Washington Defender Association's CLEAR Hotline at 1-888-201-1014 for information about record clearance.

To petition for vacation of a conviction, you must: obtain copies of your criminal history from the Washington State Patrol; determine eligibility based on the crime type and waiting period; file a motion to vacate with the sentencing court; serve the motion on the prosecuting attorney; and attend a hearing where the judge will decide whether to grant the vacation.

Step 6: Register for Address Confidentiality if Eligible

If you are a victim of domestic violence, sexual assault, trafficking, or stalking, consider applying for Washington's Address Confidentiality Program administered by the Secretary of State. This program, authorized under RCW 40.24, provides participants with a substitute address for public records and mail forwarding services. Contact the program at 1-800-822-1065 or visit sos.wa.gov/acp.

Step 7: Monitor Public Records

Regularly search for your name in Washington public records databases to identify what information is publicly available. Check county property records, business registrations, and court records. If you find inaccurate information, contact the maintaining agency to request corrections under the Public Records Act.

Washington Data Breach Notification

Washington's data breach notification law, RCW 19.255.010, imposes specific obligations on businesses and governmental entities that experience data security breaches involving personal information of Washington residents.

Who Must Notify

Any person or entity that conducts business in Washington and owns or licenses data containing personal information must provide notification when a breach of security occurs. This applies regardless of whether the business is physically located in Washington—if the business maintains personal information about Washington residents, the law applies. Third-party data processors that discover a breach must notify the data owner, who then bears responsibility for notifying affected individuals.

What Triggers Notification

A breach triggering notification is defined as unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information. Personal information includes a person's first name or initial and last name combined with one or more of the following: social security number, driver's license number or state ID number, account number or credit/debit card number combined with security code or password, or username/email address combined with password or security question answer that would permit access to an online account.

Under RCW 19.255.010(8), notification is not required if, after appropriate investigation and consultation with relevant federal, state, or local law enforcement, the business reasonably determines that the breach is unlikely to result in harm to affected individuals.

Notification Timeframe

Washington law requires notification in "the most expedient time possible and without unreasonable delay," consistent with measures necessary to determine the scope of the breach, identify affected individuals, and restore system integrity. While no specific number of days is mandated, Washington courts and the Attorney General interpret this to mean notification should generally occur within 30 days of discovery unless circumstances justify delay.

Content of Notification

Breach notifications must include: description of the incident in general terms; the type of personal information subject to unauthorized access; contact information for the business making the notification; contact information for major credit reporting agencies if the breach involves social security numbers; and advice that individuals can obtain information about identity theft prevention from the Federal Trade Commission and the Washington Attorney General.

Method of Notification

Notification may be provided by written notice, electronic notice (if consistent with federal E-SIGN Act requirements), or substitute notice if the cost of providing notice would exceed $250,000 or the affected class exceeds 500,000 persons. Substitute notice consists of email notice, conspicuous posting on the business's website, and notification to major statewide media.

Attorney General Notification

If a breach affects more than 500 Washington residents, the business must notify the Washington Attorney General's Office in writing. The notification should be sent to: Washington State Attorney General, Consumer Protection Division, 800 Fifth Avenue, Suite 2000, Seattle, WA 98104, or submitted electronically through the Attorney General's website.

Penalties for Violations

Failure to comply with Washington's breach notification law constitutes a violation of the Consumer Protection Act under RCW 19.86. The Attorney General can seek civil penalties of up to $2,000 per violation, injunctive relief, and costs of investigation and prosecution. Private individuals cannot sue directly under the breach notification statute but may have claims under other theories if they suffer damages from a breach.

Children's Privacy (Washington)

Children's personal information receives special protection under both federal and Washington state law, recognizing that minors require enhanced privacy safeguards.

COPPA Compliance in Washington

The federal Children's Online Privacy Protection Act (COPPA) applies to operators of commercial websites and online services directed to children under 13, or operators with actual knowledge they are collecting personal information from children under 13. COPPA requires verifiable parental consent before collecting, using, or disclosing children's personal information, with limited exceptions.

In Washington, the Federal Trade Commission enforces COPPA, but the Washington Attorney General also actively pursues enforcement under state consumer protection laws when companies violate children's privacy. The Attorney General has authority to investigate and prosecute unfair or deceptive practices affecting Washington children.

Washington-Specific Protections

Washington's My Health My Data Act provides enhanced protections for children's health information. The law prohibits collecting, sharing, or selling consumer health data of minors without explicit consent from both the minor (if 13 or older) and a parent or guardian. This creates stronger protections than COPPA for health-related apps and services.

Under RCW 9.73.260, Washington's privacy act restricts recording or intercepting communications involving minors. While this primarily addresses wiretapping, it reflects the state's broader commitment to protecting children's privacy.

School Records and FERPA

The federal Family Educational Rights and Privacy Act (FERPA) protects student education records maintained by schools receiving federal funding. In Washington, FERPA applies to all public schools, most private schools, and public universities. Parents have the right to inspect and review their children's education records, request corrections, and control disclosure of personally identifiable information from those records.

Washington supplements FERPA protections through RCW 28A.605.030 and WAC 392-172A, which provide parents and eligible students with rights to access student records maintained by school districts. These regulations require schools to maintain logs of who accesses student records and establish procedures for challenging inaccurate information.

The Washington Office of Superintendent of Public Instruction (OSPI) provides oversight of student privacy issues and maintains a Student Privacy Office that can be contacted at 360-725-6000 or through OSPI's website for concerns about student record privacy violations.

Frequently Asked Questions

How do I request my personal information from a company under Washington law?

For consumer health data, submit a written request to the company citing your rights under the My Health My Data Act (RCW 19.373). The company must respond within 45 days, providing the categories of health data collected, sources of the data, purposes for collection and sharing, and categories of third parties who received the data. Send requests to the company's designated privacy contact, typically found in their privacy policy. Keep copies of all correspondence and follow up if you don't receive a response within the required timeframe.

Can I sue a company that violates my privacy rights in Washington?

Yes, for violations of the My Health My Data Act. RCW 19.373.400 provides a private right of action, allowing Washington residents to sue companies directly. You can recover statutory damages of $1,000 per violation (or $10,000 for intentional violations), plus attorney fees and costs. For other privacy violations, you may need to file a complaint with the Washington Attorney General's Consumer Protection Division, which can investigate and prosecute violations of the Consumer Protection Act.

How long does a criminal conviction stay on my record in Washington?

Criminal convictions remain on your Washington record indefinitely unless vacated or sealed through legal proceedings. However, under RCW 9.96A.020, once you receive a certificate of discharge upon completing your sentence, the conviction cannot be used to disqualify you from employment unless directly related to the job. You may be eligible to vacate certain convictions after waiting periods: typically 3 years for misdemeanors, 5 years for Class C felonies, and 10 years for Class B felonies. Violent crimes and crimes against persons generally cannot be vacated.

What should I do if a Washington government agency denies my public records request?

First, review the denial letter to understand which exemption the agency cited under RCW 42.56. Contact the agency's public records officer to discuss the denial and potentially narrow your request. If informal resolution fails, you can file a lawsuit in superior court under RCW 42.56.550 to compel disclosure. Courts can award penalties of $5 to $100 per day for improper withholding, plus attorney fees. Consider consulting with an attorney who specializes in public records law. The ACLU of Washington and the Washington Coalition for Open Government provide resources and may offer assistance.

Do I have to pay fees for public records in Washington?

Agencies cannot charge for the first two hours of search and redaction time under RCW 42.56.120. After that, they can charge actual costs. Typical copying fees are $0.15 per page for standard copies. Electronic records sent via email usually incur no charge. If costs will exceed $50, agencies must provide a cost estimate before proceeding. You can request records in the least expensive format available, and agencies must comply unless that format would violate copyright or security concerns.

Can my employer monitor my personal social media accounts in Washington?

No. RCW 49.12.240 prohibits Washington employers from requesting access to employees' or applicants' personal social networking accounts, requiring disclosure of passwords, demanding that employees add anyone to their contact lists, or accessing accounts in the employer's presence. However, this protection doesn't prevent employers from viewing publicly available information on social media or requiring access to employer-provided accounts used for work purposes. Employers also can require disclosure if necessary for investigating employee misconduct or compliance with legal requirements.

How do I remove my address from public records in Washington?

Your address may appear in multiple public records including property ownership records, voter registration, and business filings. While you generally cannot remove accurate public records, you can minimize exposure by: using a P.O. box or private mailbox service for business and mailing purposes; applying for the Address Confidentiality Program if you're a victim of domestic violence, sexual assault, trafficking, or stalking (contact the Secretary of State at 1-800-822-1065); opting out of people-search websites that compile public records; and requesting that county assessors and auditors mark your property records to suppress online display of your address where local rules allow.

What rights do I have if my medical information is breached in Washington?

Under RCW 19.

Last reviewed: Apr 2, 2026 Updated: Apr 2, 2026