Washington state has some of the most aggressive data privacy laws in the country, and they apply to businesses of every size. If your company collects personal data from Washington residents — especially health-related information — you are already subject to enforceable obligations under the My Health My Data Act (MHMDA), signed into law in 2023. Ignoring these rules exposes your business to lawsuits, fines, and reputational damage that no small company can afford.
What Is the Washington My Health My Data Act?
The My Health My Data Act (MHMDA) is Washington’s landmark privacy law, enacted in 2023, making it the first state law specifically designed to protect personal health data that falls outside HIPAA’s reach. This matters for small businesses because HIPAA only covers healthcare providers, health plans, and their business associates. The MHMDA covers everyone else — retailers, fitness apps, wellness companies, employers collecting health screening data, and any business that handles what the law defines as “consumer health data.”
Consumer health data under MHMDA includes information that identifies or could reasonably identify a consumer’s physical or mental health status, condition, treatment, or diagnosis. That definition is deliberately broad.
Key requirements include:
- Explicit consent before collection. You can only collect consumer health data if the consumer gives prior consent or the data is strictly necessary to provide a product or service the consumer requested.
- Published privacy policy. Every regulated business must publish a consumer health data privacy policy linked prominently from its homepage.
- Separate consent for sharing. Sharing data with third parties requires separate, specific consent. Selling it requires written and signed authorization.
- Consumer rights. Consumers can access, delete, and withdraw consent for their health data at any time.
The geofencing provision (RCW 19.373.080) has been in effect since July 2023, prohibiting businesses from using geofencing around healthcare facilities to collect or infer health data. The remaining provisions took effect on March 31, 2024 for regulated entities, with small businesses receiving a delayed compliance deadline of June 30, 2024.
Does Washington Have a Comprehensive Consumer Privacy Law?
As of early 2026, Washington does not have a comprehensive consumer data privacy law like California’s CCPA or Virginia’s VCDPA. It is not for lack of trying — the state legislature has introduced privacy bills repeatedly, with the sticking point being whether to include a private right of action (the right for individual consumers to sue businesses directly).
House Bill 1671, the People Privacy Act, was introduced in the 2025 session and retained for the 2025-2026 legislative cycle. If enacted, it would apply broadly to businesses that collect or process personal data while conducting operations in Washington or targeting Washington residents. As of spring 2026, the bill’s prospects remain uncertain, but the trajectory is clear: comprehensive privacy regulation is coming.
For businesses in Skagit, Whatcom, Snohomish, King, and Pierce counties, the practical takeaway is to start building privacy practices now rather than scrambling later.
What Should Small Businesses Do to Comply Right Now?
Even without a comprehensive privacy law, Washington businesses face real obligations today:
- Audit your data collection. Identify every point where you collect personal data — especially anything that could qualify as consumer health data under the MHMDA’s broad definition.
- Publish a privacy policy. If you handle any consumer health data, your website needs a specific consumer health data privacy policy, linked from your homepage.
- Implement consent mechanisms. Build clear opt-in processes before collecting health-related data. Generic “I agree” checkboxes will not meet the standard.
- Document everything. Maintain records of consent, data processing activities, and any data sharing. This becomes your evidence of compliance.
- Review vendor agreements. Every third party that touches consumer health data on your behalf needs contractual obligations that align with MHMDA requirements.
How Does This Affect Businesses Already Subject to HIPAA?
If your business is a HIPAA-covered entity or business associate, the MHMDA generally does not apply to data that is already regulated under HIPAA. However, health data you collect outside of HIPAA’s scope — such as employee wellness programs or customer-facing health surveys — may still fall under the MHMDA. In our experience working with healthcare practices across Western Washington, this gray area catches more businesses than you would expect.
The safest approach is to treat the MHMDA as an additional layer of protection that fills the gaps HIPAA does not cover. If your practice needs help understanding HIPAA IT requirements, start here.
What Penalties Can Washington Businesses Face?
The MHMDA is enforced by the Washington Attorney General’s office under the state Consumer Protection Act. Violations can result in civil penalties of up to $7,500 per violation. The law also includes a private right of action, meaning individual consumers can sue businesses directly for violations — an enforcement mechanism that many state privacy laws lack.
For businesses handling sensitive data, working with a managed compliance partner reduces the risk of overlooked obligations and provides documentation that demonstrates good-faith effort.
What About Federal Privacy Laws?
No comprehensive federal privacy law exists as of 2026, which means state laws like Washington’s MHMDA set the standard for businesses operating here. If you serve customers across multiple states, you may also need to comply with privacy laws in California, Virginia, Colorado, Connecticut, and others. Each has different requirements, thresholds, and enforcement mechanisms.
ROI Technology Inc. helps businesses across Western Washington navigate evolving compliance requirements with NIST-aligned IT management and proactive security. Contact us to discuss your compliance posture.