Washington MHMDA vs. general data breach law: decision tree for operators
If you operate a SaaS, app, or business that handles data about Washington consumers, the first question is which Washington privacy statute applies. Most operators land in one of four positions:
- Position A: Chapter 19.255 RCW alone (general personal information, no consumer health data).
- Position B: Chapter 19.373 RCW alone (consumer health data only, no personal information that triggers breach notification).
- Position C: both at once (mixed data sets; this is the most common position for fitness, wellness, and many SaaS operators).
- Neither: the data and business mix reach neither statute, which is rare for any meaningful consumer product.
The decision tree below is the framework I walk operators through during a written attorney evaluation. It is educational, not Washington legal advice for a specific posture.
Step 1: do you have Washington consumer touchpoints?
- Ch. 19.255 reaches operators that own or license personal information "about Washington residents." Physical presence in Washington is not required.
- Ch. 19.373 reaches "regulated entities" that conduct business in Washington OR produce or provide products or services targeted to Washington consumers AND alone or jointly determine the purposes and means of processing consumer health data. The "targeted to" reach is broad.
- If both reach you, both statutes are in scope.
Step 2: what data categories do you collect?
- If you collect "personal information" within RCW 19.255.010 (name plus listed identifier), Ch. 19.255 breach notification is in scope. The trigger is incident-based.
- If you collect "consumer health data" within RCW 19.373.010 (biometric identifiers, mental-health or reproductive-health inferences, fitness and wellness data, precise location near healthcare facilities, and other listed categories), Ch. 19.373 is in scope. The obligations attach at intake, not at incident.
- If you collect both, both statutes apply in parallel.
Step 3: incident posture vs. ongoing compliance posture
Ch. 19.255 is mostly incident-based. The operator's primary obligations crystallize when there is an unauthorized acquisition of computerized personal information. The compliance posture between incidents is light: maintain reasonable security, build an incident response plan, run tabletops.
Ch. 19.373 is mostly ongoing. The operator's obligations attach to the act of collecting, processing, sharing, or selling consumer health data, whether or not anything ever goes wrong. The compliance posture includes a separate Consumer Health Data Privacy Policy linked from the homepage under RCW 19.373.020, consumer-facing consent and rights infrastructure under RCW 19.373.030 and following, a geofence prohibition around in-person healthcare facilities under RCW 19.373.080, and processor-contract requirements under RCW 19.373.060. An operator with no incident still has to satisfy MHMDA daily.
Step 4: enforcement and remedy
The two statutes feed Chapter 19.86 RCW (the Consumer Protection Act) by different routes, and the remedy stacks are not identical.

Ch. 19.373 supplies a per se Consumer Protection Act violation at RCW 19.373.090, which brings the full Chapter 19.86 remedy stack: actual damages, the discretionary trebling enhancement capped at twenty-five thousand dollars per RCW 19.86.020 violation under RCW 19.86.090, one-way attorney's fees, and the four-year statute of limitations under RCW 19.86.120, with both a private right of action and AG enforcement available.

Ch. 19.255 is more limited. The consumer protection section at RCW 19.255.040 gives the Attorney General CPA-style enforcement authority and separately lets an injured consumer bring a civil action for damages and injunctive relief, but the statute itself says an action to enforce Chapter 19.255 may not be brought under RCW 19.86.090. The full RCW 19.86.090 private remedy stack therefore does not automatically attach to a Chapter 19.255 breach-notification claim; a separate Chapter 19.86 CPA claim may still be available where the facts independently satisfy the CPA elements. (RCW 19.255.030 is a different provision addressing federal-law, HIPAA covered entity, and Gramm-Leach-Bliley financial-institution treatment, not the consumer enforcement section for the typical Washington breach matter.)
Decision tree summary
- Washington touchpoints (Step 1) plus RCW 19.255.010 personal information, but no consumer health data: Position A. Incident-based posture: reasonable security, incident response plan, breach notification when an unauthorized acquisition occurs.
- Washington touchpoints plus RCW 19.373.010 consumer health data, but no breach-triggering personal information: Position B. Ongoing posture: separate Consumer Health Data Privacy Policy, consent and rights infrastructure, geofence prohibition, processor contracts.
- Both data categories: Position C. Both frameworks run in parallel, and both remedy routes into Chapter 19.86 are in play.
- No Washington touchpoints, or neither data category: neither statute applies.
The most common decision-tree error
I see more operators land in Position C while believing they are in Position A or Position B. A fitness app that also collects payment information is in Position C, not Position B alone. A SaaS that processes employee wellness data for client businesses is often in Position C even when the SaaS's primary product is unrelated to wellness. A telehealth-adjacent app that takes intake forms with SSN and date of birth is in Position C, not Position A. The conservative posture is to assume Position C unless the data inventory clearly excludes either Ch. 19.255 categories or Ch. 19.373 consumer health data, and to build both frameworks.
What I review when you send a Washington compliance matter
When you send the data inventory, the homepage and consent UX, the current privacy policy (and, if applicable, the separate Consumer Health Data Privacy Policy), and a brief product description, I walk the decision tree against the specific posture and tell you which position you are in, what the compliance gaps are, and what the recommended remediation looks like. The output is a written evaluation, not a sales pitch.
Primary sources
- RCW 19.255.010: data breach definitions and notice.
- RCW 19.255.030: federal-law / HIPAA covered entities and Gramm-Leach-Bliley financial institutions.
- RCW 19.255.040: consumer protection section. AG CPA-style enforcement plus consumer civil action for damages and injunctive relief. Statute itself precludes action to enforce Chapter 19.255 from being brought under RCW 19.86.090.
- RCW 19.373.010: MHMDA definitions.
- RCW 19.373.020: separate consumer health data privacy policy.
- RCW 19.373.030: consent and authorization.
- RCW 19.373.060: processor contracts.
- RCW 19.373.080: geofence prohibition.
- RCW 19.373.090: per se CPA hook.
This page is an educational resource. Sergei Tokmakov is a California attorney (CA Bar #279869) currently seeking admission to the Washington State Bar.