Scantra
SEO & Compliance Monitor

Washington Website Compliance Requirements

Risk rating: high risk

Washington's My Health My Data Act is narrower than other state privacy laws (it covers consumer health data only) but applies more broadly, with no revenue or consumer threshold. Any business handling 'consumer health data' for Washington residents is subject to it.

Last reviewed 2026-06-19 · Risk rating rationale: No threshold AND a private right of action under the Washington Consumer Protection Act. Even small businesses with one Washington customer in a health-data context can face class actions.

Find out in 10 seconds whether your site meets Washington's requirements

Scantra runs a free, no-account, 9-check audit of your homepage covering privacy policy, contact info, CCPA-style opt-out, security headers, accessibility, and SEO basics. Most Washington sites we scan fail at least three.

No credit card · Email required so we can send you the full results.

Key Washington laws affecting websites

The statutes most likely to apply to a commercial website serving Washington residents.

MHMD

My Health My Data Act · Effective 2024

Applies to: Any business (no revenue or consumer threshold) that conducts business in Washington and collects, processes, sells, or shares 'consumer health data' of Washington residents. 'Consumer health data' is defined very broadly — fitness, mental health, biometric, geolocation near healthcare facilities, and ANY data that 'identifies the consumer's past, present, or future physical or mental health status'.

What your website must do

  • Opt-in consent for collection of consumer health data
  • SEPARATE opt-in consent for sharing of consumer health data
  • SEPARATE valid authorization to SELL consumer health data (with very specific format requirements)
  • Health-data-specific privacy notice (must be linked from homepage, not buried in general privacy policy)
  • No geofencing within 2,000 feet of an in-person healthcare facility for ANY purpose involving identification, tracking, or ad delivery related to health data

Citation: Wash. Rev. Code § 19.373 (RCW 19.373)

Washington compliance by topic

Consumer data protection

State-specific rule applies

What your site has to disclose, ask consent for, and allow consumers to do with their personal information.

My Health My Data is the most plaintiff-friendly state privacy law because of the private right of action via the Washington CPA. Even small violations can spawn class litigation.

Practical requirements for your website

  • Separate consumer-health-data privacy policy linked from homepage
  • Opt-in consent for collection
  • Separate opt-in consent for sharing
  • Valid signed authorization for sale (very specific format)
  • Geofencing prohibition within 2,000 ft of healthcare facilities

Cookies and tracking

State-specific rule applies

When you need consent, opt-outs, or to honor universal signals for cookies and analytics scripts.

Cookies that capture consumer health data require the same opt-in consent as direct collection. Most cookie banners don't satisfy the My Health My Data standard.

Practical requirements for your website

  • If any cookie collects consumer health data (including health-app pixels), get prior opt-in via a CHD-specific consent flow
  • Document the consent for the 6-year retention period

Accessibility (ADA + state)

Federal law applies

WCAG conformance expectations and how the state's accessibility cases tend to be litigated.

Federal ADA Title III applies.

Practical requirements for your website

  • WCAG 2.1 AA conformance

Cybersecurity and breach response

Federal law applies

What 'reasonable security' looks like under state law and how fast you have to notify after a breach.

Federal FTC Act applies.

Practical requirements for your website

  • Material connection disclosures

Email and SMS marketing

Federal law applies

How federal CAN-SPAM and TCPA interact with state-level marketing rules in this jurisdiction.

Federal CAN-SPAM applies.

Practical requirements for your website

  • Standard CAN-SPAM compliance

AI regulation

Federal law applies

Which AI uses the state has chosen to regulate, who's covered, and what the website has to disclose.

No AI-specific law, but health-related AI processing falls under MHMD.

Practical requirements for your website

  • Treat any AI processing of consumer health data as subject to MHMD consent requirements

Frequently asked questions about Washington website compliance

I don't run a healthcare business — does MHMD really apply to me?
Very likely yes. 'Consumer health data' is defined so broadly that fitness app data, period tracking, mental wellness apps, biometric login, geolocation near a clinic, and ad-tech inferences about health all qualify. Most e-commerce and SaaS businesses that haven't audited their data flows are at risk.

What is the private right of action exposure?
The Washington Consumer Protection Act allows private plaintiffs to sue for actual damages, attorney fees, and statutory penalties up to $25,000 per violation. Class actions are the most common vehicle. Several major cases have already settled in the seven figures.

Ready to check your own site against Washington's requirements?

The same free 9-rule scan, no signup needed. Two of the findings include drafted fixes you can copy/paste; full results (and ongoing monitoring) come with a free account.



Important: Scantra is a software tool and a non-profit publisher, not a law firm. The summaries on this page are written for general business orientation and reflect the editors' reading of the statutes as of 2026-06-19. They are not legal advice and should not be the only source you rely on for compliance decisions. For your specific situation, consult a licensed attorney in Washington.