Washington privacy violation that does not fit the breach statute? Demand letter strategy under the CPA
Not every Washington privacy complaint maps cleanly to Chapter 19.255 RCW. Tracking pixels that share your activity with advertising networks despite a privacy policy saying otherwise, session-replay tools that record your typing on intake forms, browser fingerprinting that follows you across sites, third-party SDKs in mobile apps that pull contact lists or location, and "we do not share" promises that turn out to be only technically true: these are privacy harms in the ordinary sense, but they often fall outside the breach-notification framework because the conduct is not an unauthorized acquisition of "personal information" in the statutory sense. The Consumer Protection Act at Chapter 19.86 RCW is still the right lever. The work is showing that the company's stated privacy practices and its actual practices diverge in a way that is unfair or deceptive in trade or commerce.
Fast triage: is this actually a CPA privacy case?
- Did the company's privacy policy promise something specific that the actual conduct contradicts? "We do not sell," "we do not share with third parties," "we do not track across sites," "we do not record your screen": each is a representation that can be falsified.
- Is the conduct discoverable from a technical artifact? Network requests visible in the browser, a third-party SDK list in the app, a Wayback Machine capture of the old policy, a public report from a security researcher.
- Did the conduct involve "personal information" within Ch. 19.255 (name plus identifier) or did it involve other identifying data (device IDs, IP addresses, advertising IDs, behavioral data)? The CPA frame works even when Ch. 19.255 does not.
- If the conduct involves health, wellness, fitness, biometric, mental-health, reproductive, or gender-affirming data, MHMDA (Chapter 19.373 RCW) is in the case and has its own framework. See the MHMDA vs. general breach law page.
- Is the harm something you can quantify in dollars? Monitoring you bought, subscription fees for a product that was material to the privacy promise, identity-theft mitigation in cases where data ended up where it should not have been.
The legal hooks: how the CPA reaches generic privacy harms
RCW 19.86.020 prohibits unfair or deceptive acts or practices in trade or commerce. The Washington Supreme Court reads "unfair" and "deceptive" disjunctively; either is enough. A privacy policy is a representation. Using data in a way the policy did not authorize is, depending on the facts, either deceptive (the policy implied otherwise) or unfair (the practice exploited an asymmetry of information). Source: RCW 19.86.020.
RCW 19.86.093 codifies the public-interest paths. A privacy practice deployed at scale across all users of a website or app has the capacity to injure other persons almost by definition. The third path is rarely a problem in a CPA privacy matter.
RCW 19.86.090 is the remedy: actual damages, the discretionary trebling enhancement capped at twenty-five thousand dollars per RCW 19.86.020 violation, and one-way attorney's fees to a prevailing plaintiff. The CPA fee shift is the entire reason an individual privacy case can be litigated cost-effectively; without it, the cost of proving the technical conduct often outstrips the recoverable damages.
The hard element in a CPA privacy case is element four: injury to business or property. Pure annoyance, fear of future harm, and emotional distress are not CPA injuries. The plaintiff has to identify a documented loss: a subscription fee paid in reliance on the privacy promise, monitoring purchased, mitigation cost, or a similar dollar number. Washington courts and federal courts applying Washington law have been mixed on whether mere invasion of privacy interests, without out-of-pocket loss, qualifies. The safer demand-letter posture is to anchor the case in documented out-of-pocket numbers rather than to argue the abstract privacy interest alone.
The hardest element is injury, not the deceptive practice
The companies that respond to CPA privacy letters tend to be those whose own counsel concludes the deceptive-practice element is satisfied and the only fight is over damages. The deceptive-practice element is often easy to plead when the policy was clear and the conduct contradicted it. The injury element is where weak cases lose. A demand letter that anchors the matter in documented dollars (subscription fees paid for a product whose privacy promise was material, monitoring purchased to mitigate, mitigation time at a credible hourly rate) lands very differently from one that asks for abstract damages "to be determined." I will tell you whether the injury element is real on your record or whether the matter is closer to an AG referral than to a paid private demand letter.
What a Washington CPA privacy demand letter should do
- Identify the privacy policy in effect when you provided the data, quoting the operative sentence and giving the Wayback Machine reference if the company has since changed it.
- Identify the conduct that contradicts the policy: the specific tracking pixel, the specific SDK, the specific category of sharing, the specific recording or fingerprinting feature.
- Quote the technical artifact that proves the conduct: a network request, an SDK manifest, a security researcher's report, a court filing in a parallel matter that identifies the same conduct.
- Cite RCW 19.86.020 for the substantive prohibition, RCW 19.86.093 for the public-interest path, and RCW 19.86.090 for the remedy.
- Quantify injury with documented dollars (subscription fees, monitoring, mitigation, time) and explain why those dollars are CPA-eligible injury to property.
- Demand a specific outcome: deletion of data already collected, an injunction-style written commitment that the conduct has stopped, refund of the subscription period during which the promise was being broken, and preservation of evidence.
- Preserve the four-year statute of limitations by documenting transmission, and reserve the right to refer the matter to the AG, the FTC, and any pending class case.
Documents to gather before the letter goes out
- The privacy policy and ToS as they existed when you signed up (use the Wayback Machine if the current version differs).
- Your account record: sign-up date, ToS version accepted, subscription receipts, current account status.
- Evidence of the conduct: screenshots of the network requests in the browser developer tools, screenshots of the privacy policy section that was breached, a printed copy of any security-researcher report identifying the same conduct.
- Communications with the company before and after you noticed the issue, including any acknowledgement of the practice.
- Receipts for monitoring services, ad-blocker subscriptions, or other mitigation tied to the privacy concern.
- A short timeline: when you signed up, when the policy promise was made, when you discovered the contradicting conduct, what the company has said.
When this is worth hiring an attorney
An attorney-drafted CPA privacy letter is more likely to change the outcome when the policy-versus-conduct gap is clean and documented in writing or in network artifacts, when documented injury runs into the low four figures or higher (subscription fees plus mitigation), and when the company is a real business with a brand to protect. It is less likely to change the outcome when the only "injury" is annoyance, when the privacy policy actually authorized the conduct on a close reading, or when the conduct is purely technical and you have no way to prove that you in particular were affected.
What I review when you send a Washington privacy matter
When you send the file I read the privacy policy, the technical artifacts, the account record, and any communications with the company. I walk the CPA elements against the specific facts, and I form an honest view of whether a $575 attorney-drafted demand letter is the right move, whether the matter belongs in AG referral or a class case, or whether the injury element is too thin for a paid private letter. The output is a written evaluation, not a sales pitch.
Primary sources
- RCW 19.86.010: definitions of trade and commerce.
- RCW 19.86.020: substantive prohibition on unfair or deceptive acts.
- RCW 19.86.090: private action, treble enhancement capped at $25,000, attorney's fees.
- RCW 19.86.093: public-interest paths.
- RCW 19.86.120: four-year statute of limitations.
- RCW 19.255.040: consumer protection section for breach-notification violations (backup). It provides AG CPA-style enforcement plus a consumer civil action for damages and injunctive relief. The statute itself precludes an action to enforce Chapter 19.255 from being brought under RCW 19.86.090; an independent Chapter 19.86 CPA claim may still be available where the facts satisfy the CPA elements.
This page is an educational resource. Sergei Tokmakov is a California attorney (CA Bar #279869) currently seeking admission to the Washington State Bar. Nothing on this page creates an attorney-client relationship, and nothing on this page is Washington legal advice for a specific matter. A Washington-admitted attorney should verify both the operative statute text and any case citations before relying on them in court or correspondence on a live dispute.