Washington data breach law vs. My Health My Data Act: side-by-side comparison of two different statutes
Operators frequently confuse Chapter 19.255 RCW (Washington's general data breach notification statute, applicable to "personal information" of Washington residents) with Chapter 19.373 RCW (the My Health My Data Act, applicable to "consumer health data" of Washington consumers). They are not the same statute, they do not have the same trigger, they do not have the same content requirements, and they do not have the same enforcement posture. An operator that processes both general personal information and consumer health data is subject to both, in parallel, and a breach can implicate both at once. This page is a side-by-side comparison aimed at operators trying to figure out which statute is in play and what to do when both are.
Ch. 19.255 (data breach). Applies to any person or business that owns or licenses computerized "personal information" of Washington residents. "Personal information" is defined at RCW 19.255.010 as first name or first initial and last name combined with a listed identifier (SSN, driver's license number, account number together with its access code, full date of birth, biometric data, login credentials, among others).
Ch. 19.373 (MHMDA). Applies to "regulated entities" that conduct business in Washington or produce or provide products or services targeted to Washington consumers AND alone or jointly determine the purposes and means of collecting, processing, sharing, or selling "consumer health data." "Consumer health data" is defined very broadly at RCW 19.373.010 and includes biometric identifiers, mental-health and reproductive-health inferences, fitness or wellness data, and precise location near healthcare facilities.
Trigger
Ch. 19.255. Trigger is an unauthorized acquisition of computerized personal information. The encryption safe harbor at RCW 19.255.010 applies when the data was encrypted and the decryption key was not also acquired.
Ch. 19.373. Trigger is not a breach event but the ongoing collection, processing, sharing, or selling of consumer health data. Obligations attach at intake, not at incident. A separate Consumer Health Data Privacy Policy linked from the homepage is required under RCW 19.373.020.
Consumer-facing obligations
Ch. 19.255. Consumer notice no more than thirty calendar days after discovery (subject to law-enforcement delay and time to determine scope), with the statutory content: categories of information acquired, time frame of the breach, contact information, recommended protection steps, and contact information for the Federal Trade Commission (FTC) and the consumer reporting agencies (CRAs).
Ch. 19.373. Standing consumer rights: access, deletion, withdrawal of consent. Specific consent requirements for collection and sharing under RCW 19.373.030. Separate authorization for sale under RCW 19.373.030. Geofence around in-person healthcare facilities prohibited under RCW 19.373.080.
Regulator notice
Ch. 19.255. AG notice within thirty days of discovery if a single breach affects more than five hundred Washington residents (RCW 19.255.010).
Ch. 19.373. No single AG-notice-on-incident trigger of the same kind. The AG enforces the statute generally. Regulator notice obligations are situation-specific.
Enforcement
Ch. 19.255. The consumer protection section is at RCW 19.255.040. The Attorney General has CPA-style enforcement authority under the public-interest and unfair-or-deceptive framework, and an injured consumer may bring a civil action for damages and injunctive relief. The statute itself says, however, that an action to enforce Chapter 19.255 may not be brought under RCW 19.86.090. The full Chapter 19.86 remedy stack (treble damages capped at twenty-five thousand dollars per RCW 19.86.020 violation, one-way attorney's fees) does not automatically attach to a Chapter 19.255 claim; a separate Chapter 19.86 CPA claim may still be available where the facts independently satisfy the CPA elements. (Note: RCW 19.255.030 is a different provision addressing federal-law, HIPAA covered entity, and Gramm-Leach-Bliley financial-institution treatment, not the consumer enforcement section.)
Ch. 19.373. Per se Consumer Protection Act violation under RCW 19.373.090. This is the substantive enforcement difference from Chapter 19.255: MHMDA expressly creates per se CPA liability, with private right of action and AG enforcement both available under the Chapter 19.86 remedy stack, while Chapter 19.255 itself precludes routing the breach-notification claim through RCW 19.86.090.
Statute of limitations
Both reach the four-year CPA SOL through different routes. Ch. 19.373's per se CPA hook brings Chapter 19.86's four-year limitations period under RCW 19.86.120 straight in. Ch. 19.255 reaches the same four-year period only for any independently pleaded Chapter 19.86 claim, because the Chapter 19.255 enforcement section itself blocks RCW 19.86.090 routing.
When both apply at once
Operators that hold both general personal information (SSN, driver's license, account numbers) and consumer health data (biometric, mental health, fitness, location near healthcare facilities) face both statutes in parallel. A breach involving health data triggers Ch. 19.255 if the data falls within the personal-information definition, and Ch. 19.373 separately because the operator's ongoing handling of consumer health data is regulated regardless of incident. The compliance posture has to satisfy both. The breach response has to satisfy Ch. 19.255 for the notification piece and Ch. 19.373 for the consumer-rights and authorization piece. In a contested matter, plaintiffs and the AG are likely to plead both.
Why this matters in practice
The mistake I see most often is an operator with a fitness app treating Ch. 19.255 as the only relevant statute, building a breach response plan calibrated to it, and missing the Ch. 19.373 compliance baseline entirely. Or the reverse: an MHMDA-aware operator that has built a polished consumer-health-data policy but never built the breach-notification runbook because the only privacy statute on their radar is MHMDA. The two statutes complement each other. If an operator holds the categories of data both statutes reach, both apply, and the operator's posture has to address each separately rather than collapsing them.
What I review when you send a Washington matter that may touch both
When you send the data inventory, the consumer notices in scope, the current privacy policy and (if applicable) the separate Consumer Health Data Privacy Policy, and the incident timeline (if any), I walk Ch. 19.255 and Ch. 19.373 in parallel and tell you which statute is in play, where the compliance gaps are on each, and what the recommended next step looks like. The output is a written evaluation, not a sales pitch.
Primary sources
RCW 19.255.010: data breach definitions and notice obligations.
RCW 19.255.040: consumer protection section. AG CPA-style enforcement plus consumer civil action for damages and injunctive relief. Statute itself precludes action to enforce Chapter 19.255 from being brought under RCW 19.86.090.
RCW 19.373.010: MHMDA definitions, including consumer health data and regulated entity.
RCW 19.373.020: separate Consumer Health Data Privacy Policy.
RCW 19.373.030: consent and sale-or-share authorization.
RCW 19.373.080: geofence prohibition near healthcare facilities.
This page is an educational resource. Sergei Tokmakov is a California attorney (CA Bar #279869) currently seeking admission to the Washington State Bar.