Washington privacy law for SaaS companies: the operator's map across three statutes
A SaaS company serving Washington customers operates inside three statutes that talk to each other: Chapter 19.255 RCW (data breach notification, applicable to personal information about Washington residents), Chapter 19.373 RCW (the My Health My Data Act, applicable to consumer health data of Washington consumers), and Chapter 19.86 RCW (the Consumer Protection Act, which both other statutes route through for enforcement). Washington does not have a CCPA or CPRA equivalent in the consumer-rights-and-controllers-everywhere sense; the statutory map is narrower and more specific. The map below is what I walk through when a SaaS operator sends a Washington privacy posture for written attorney evaluation. It is educational, not Washington legal advice for a specific posture.
Ask my AI Legal Analyst about Washington consumer health data and MHMDA?
Tap a question for an instant, free answer (no email needed), or describe your product and the analyst routes you to the right next step.
Common Washington consumer-health-data questions, always free
Statute 1: Chapter 19.255 RCW (breach notification)
- Applies when you own or license computerized "personal information" of Washington residents within the definition at RCW 19.255.010 (name plus a listed identifier).
- Trigger is unauthorized acquisition, not exposure. Encryption safe harbor applies when both the data was encrypted and the decryption key was not also acquired.
- Consumer notice no more than thirty days from discovery; Attorney General notice in the same window for breaches affecting more than five hundred Washington residents.
- Processor allocation under RCW 19.255.020: vendor notifies owner promptly; owner carries consumer and AG notice.
- Consumer protection section at RCW 19.255.040: gives the Attorney General CPA-style enforcement authority for Chapter 19.255 violations and separately lets an injured consumer bring a civil action for damages and injunctive relief. The statute itself says an action to enforce Chapter 19.255 may not be brought under RCW 19.86.090, so the full RCW 19.86.090 private CPA remedy stack (treble damages capped at $25,000, one-way attorney's fees) does not automatically apply to a breach-notification claim. A separate Chapter 19.86 CPA claim may still be available if the facts independently satisfy the CPA elements.
Statute 2: Chapter 19.373 RCW (MHMDA)
- Applies to "regulated entities" that conduct business in Washington or produce or provide products or services targeted to Washington consumers AND determine the purposes and means of processing "consumer health data" within the definition at RCW 19.373.010.
- Separate Consumer Health Data Privacy Policy linked from the homepage under RCW 19.373.020. Not a section of the general privacy policy.
- Consent at collection, separate authorization for sale, and separate authorization for sharing under RCW 19.373.030.
- Consumer rights (access, deletion, withdrawal of consent) under RCW 19.373.040.
- Data security obligations under RCW 19.373.050.
- Processor contracts under RCW 19.373.060.
- Geofence around in-person healthcare facilities prohibited under RCW 19.373.080.
- Per se CPA violation under RCW 19.373.090.
Statute 3: Chapter 19.86 RCW (CPA)
- Substantive prohibition on unfair or deceptive acts or practices in trade or commerce at RCW 19.86.020.
- Codification of the public-interest paths at RCW 19.86.093.
- Private remedy at RCW 19.86.090 (actual damages, discretionary trebling capped at $25,000 per RCW 19.86.020 violation, one-way attorney's fees) is available only when the facts independently satisfy the CPA elements; the statute itself says an action to enforce Chapter 19.255 may not be brought under RCW 19.86.090.
- Four-year statute of limitations at RCW 19.86.120.
- For SaaS operators, the CPA framework reaches the MHMDA angle as a per se CPA violation under RCW 19.373.090. The breach-notification angle is different: RCW 19.255.040 gives the AG CPA-style enforcement authority and lets an injured consumer sue for damages and injunctive relief, but the statute says an action to enforce Chapter 19.255 may not be brought under RCW 19.86.090, so the full RCW 19.86.090 private remedy stack does not automatically attach. A separate Chapter 19.86 CPA claim may still be available if the facts independently satisfy the CPA elements (a privacy policy that contradicts actual practice, an undisclosed tracking pixel, an undisclosed third-party data sale).
Contractual overlay: SaaS terms and DPAs
- Terms of Service should reference Washington for any explicit privacy or breach-notification language and should not contradict the practice in MHMDA-required Consumer Health Data Privacy Policy.
- DPA should encode breach-notification windows, cost allocation, indemnification, liability-cap carve-outs for breach-related costs, and processor obligations consistent with both RCW 19.255.020 and RCW 19.373.060.
- For B2B operators with Washington enterprise customers, expect customer-side flow-down obligations: minimum security controls, audit rights, breach-notification timing, and indemnity.
- Insurance: cyber and tech E&O with breach-response coverage; the breach-coach panel may be policy-specified.
Multi-state overlay
Most SaaS operators serve consumers in multiple states. The Washington map operates inside a wider posture that includes California (CCPA / CPRA, Cal. Civ. Code 1798.82 breach notification, Confidentiality of Medical Information Act for medical data), Colorado, Virginia, Texas, and federal sectoral statutes (HIPAA, GLBA, COPPA). The conservative posture is to default to the strictest applicable standard for timing, content, AG triggers, and consumer rights, and to use Washington's MHMDA framework as a baseline because it is the most demanding state-law consumer-health-data regime in effect.
The mistake SaaS operators make most often
The mistake I see most often is a SaaS operator treating Washington privacy as just a breach-notification statute and missing MHMDA entirely, or treating Washington privacy as just MHMDA and missing the Ch. 19.255 incident-response posture. The conservative posture is to assume both apply when the SaaS handles a mixed data set, build the separate Consumer Health Data Privacy Policy if any of the MHMDA-listed data categories are processed, and build the Ch. 19.255 incident-response runbook even if the data category currently looks benign. The cost of building both is small; the cost of missing either after the fact is large.
What I review when you send a Washington SaaS privacy matter
When you send the data inventory, the current Terms of Service, the privacy policy and (if applicable) the separate Consumer Health Data Privacy Policy, the DPA template, the consent UX screenshots, and a short product description, I walk all three statutes against the specific posture and tell you where the compliance gaps are and what the recommended remediation looks like. The output is a written evaluation, not a sales pitch.
Payment
Flat fee, paid up front through a secure PayPal checkout, so the budget is fixed before any work starts. The Written Attorney Consultation is a flat $240. There is no hourly meter and no surprise invoice. If a matter is unusually large or turns into extended negotiation, I tell you before any additional work and we agree on scope first.
Delivery
Drafts in 2 to 3 business days, even for complex agreements. I work weekends when a matter needs it and it is engaged. You receive the work product by email in an editable format, with brief written comments explaining the key issues and the reasoning behind the main choices.
Process
- Send the materials. Email me your current documents, screenshots, and a short description of the product and the Washington consumers it touches.
- I confirm scope and run a conflict check. Engagement begins only after that check and a written confirmation of what is included.
- I draft or review. You get the deliverable with plain-language comments on the highest-risk items first.
- We refine. Reasonable revision rounds are included so the final version fits how your product actually works.
Scope
This is attorney-supervised regulatory and document work under my California license: issue spotting, compliance planning, drafting, and review. It is not Washington court representation. For Washington filings, litigation, or any court appearance, I coordinate with Washington-admitted counsel. Nothing here creates an attorney-client relationship until a conflict check clears and an engagement is confirmed in writing.
Send your question, a short factual summary, and your key documents. You get a written attorney response identifying the main legal issues, the risks, and the practical next steps, so you know whether you have a real exposure and what to do about it. Provided under my California license; for Washington court representation I coordinate with Washington-admitted counsel.
See the full Washington MHMDA resource → or email me directly for a scoped quote.
Primary sources
- Chapter 19.255 RCW: data breach notification.
- Chapter 19.373 RCW: My Health My Data Act.
- Chapter 19.86 RCW: Consumer Protection Act.
- RCW 19.86.090: CPA private action (available only if a separate Chapter 19.86 claim is independently supported on the facts; Chapter 19.255 cannot be enforced under this section).
- RCW 19.86.093: codified public-interest paths.
- RCW 19.86.120: four-year SOL.
This page is an educational resource. Sergei Tokmakov is a California attorney (CA Bar #279869) currently seeking admission to the Washington State Bar.