Washington privacy law for SaaS companies: the operator's map across three statutes
A SaaS company serving Washington customers operates inside three statutes that reference each other: Chapter 19.255 RCW (data breach notification, applicable to personal information about Washington residents), Chapter 19.373 RCW (the My Health My Data Act, applicable to consumer health data of Washington consumers), and Chapter 19.86 RCW (the Consumer Protection Act, through which both other statutes are enforced). Washington has no CCPA or CPRA equivalent, that is, no general-purpose statute granting consumer rights against every controller; the statutory map is narrower and more specific. The map below is what I walk through when a SaaS operator sends a Washington privacy posture for written attorney evaluation. It is educational, not Washington legal advice for a specific posture.
Statute 1: Chapter 19.255 RCW (breach notification)
- Applies when you own or license computerized "personal information" of Washington residents within the definition at RCW 19.255.010 (name plus a listed identifier).
- Trigger is unauthorized acquisition, not mere exposure. The encryption safe harbor applies only when the data was encrypted and the decryption key was not also acquired.
- Consumer notice no more than thirty days from discovery; Attorney General notice in the same window for breaches affecting more than five hundred Washington residents.
- Processor allocation under RCW 19.255.020: vendor notifies owner promptly; owner carries consumer and AG notice.
- Consumer protection section at RCW 19.255.040: gives the Attorney General CPA-style enforcement authority for Chapter 19.255 violations and separately lets an injured consumer bring a civil action for damages and injunctive relief. The statute itself says an action to enforce Chapter 19.255 may not be brought under RCW 19.86.090, so the full RCW 19.86.090 private CPA remedy stack (treble damages capped at $25,000, one-way attorney's fees) does not automatically apply to a breach-notification claim. A separate Chapter 19.86 CPA claim may still be available if the facts independently satisfy the CPA elements.
Statute 2: Chapter 19.373 RCW (MHMDA)
- Applies to "regulated entities" that conduct business in Washington or produce or provide products or services targeted to Washington consumers, and that determine the purposes and means of processing "consumer health data" within the definition at RCW 19.373.010.
- Separate Consumer Health Data Privacy Policy linked from the homepage under RCW 19.373.020. Not a section of the general privacy policy.
- Consent at collection, separate authorization for sale, and separate authorization for sharing under RCW 19.373.030.
- Consumer rights (access, deletion, withdrawal of consent) under RCW 19.373.040.
- Data security obligations under RCW 19.373.050.
- Processor contracts under RCW 19.373.060.
- Geofence around in-person healthcare facilities prohibited under RCW 19.373.080.
- Per se CPA violation under RCW 19.373.090.
Statute 3: Chapter 19.86 RCW (CPA)
- Substantive prohibition on unfair or deceptive acts or practices in trade or commerce at RCW 19.86.020.
- Codification of the public-interest paths at RCW 19.86.093.
- Private remedy at RCW 19.86.090 (actual damages, discretionary trebling capped at $25,000 per RCW 19.86.020 violation, one-way attorney's fees) is available only when the facts independently satisfy the CPA elements; the statute itself says an action to enforce Chapter 19.255 may not be brought under RCW 19.86.090.
- Four-year statute of limitations at RCW 19.86.120.
- For SaaS operators, the CPA framework reaches the MHMDA angle directly: an MHMDA violation is a per se CPA violation under RCW 19.373.090. The breach-notification angle is different: RCW 19.255.040 gives the AG CPA-style enforcement authority and lets an injured consumer sue for damages and injunctive relief, but because the statute says an action to enforce Chapter 19.255 may not be brought under RCW 19.86.090, the full RCW 19.86.090 private remedy stack does not automatically attach. A separate Chapter 19.86 CPA claim may still be available if the facts independently satisfy the CPA elements (for example, a privacy policy that contradicts actual practice, an undisclosed tracking pixel, or an undisclosed third-party data sale).
Contractual overlay: SaaS terms and DPAs
- Terms of Service should reference Washington in any explicit privacy or breach-notification language and should not contradict the practices described in the MHMDA-required Consumer Health Data Privacy Policy.
- DPA should encode breach-notification windows, cost allocation, indemnification, liability-cap carve-outs for breach-related costs, and processor obligations consistent with both RCW 19.255.020 and RCW 19.373.060.
- For B2B operators with Washington enterprise customers, expect customer-side flow-down obligations: minimum security controls, audit rights, breach-notification timing, and indemnity.
- Insurance: cyber and tech E&O with breach-response coverage; the breach-coach panel may be policy-specified.
Multi-state overlay
Most SaaS operators serve consumers in multiple states. The Washington map operates inside a wider posture that includes California (CCPA / CPRA, Cal. Civ. Code 1798.82 breach notification, Confidentiality of Medical Information Act for medical data), Colorado, Virginia, Texas, and federal sectoral statutes (HIPAA, GLBA, COPPA). The conservative posture is to default to the strictest applicable standard for timing, content, AG triggers, and consumer rights, and to use Washington's MHMDA framework as a baseline because it is the most demanding state-law consumer-health-data regime in effect.
The mistake SaaS operators make most often
The mistake I see most often is a SaaS operator treating Washington privacy as just a breach-notification statute and missing MHMDA entirely, or treating Washington privacy as just MHMDA and missing the Chapter 19.255 incident-response posture. The conservative posture is to assume both apply when the SaaS handles a mixed data set, build the separate Consumer Health Data Privacy Policy if any of the MHMDA-listed data categories are processed, and build the Chapter 19.255 incident-response runbook even if the data category currently looks benign. The cost of building both is small; the cost of missing either after the fact is large.
What I review when you send a Washington SaaS privacy matter
When you send the data inventory, the current Terms of Service, the privacy policy and (if applicable) the separate Consumer Health Data Privacy Policy, the DPA template, the consent UX screenshots, and a short product description, I walk all three statutes against the specific posture and tell you where the compliance gaps are and what the recommended remediation looks like. The output is a written evaluation, not a sales pitch.
Primary sources
- Chapter 19.255 RCW: data breach notification.
- Chapter 19.373 RCW: My Health My Data Act.
- Chapter 19.86 RCW: Consumer Protection Act.
- RCW 19.86.090: CPA private action (available only if a separate Chapter 19.86 claim is independently supported on the facts; Chapter 19.255 cannot be enforced under this section).
- RCW 19.86.093: codified public-interest paths.
- RCW 19.86.120: four-year SOL.
This page is an educational resource. Sergei Tokmakov is a California attorney (CA Bar #279869) currently seeking admission to the Washington State Bar.