Washington business deliberately shared, sold, or sent your personal information to someone you did not authorize? Demand letter strategy
A hacker breach is a security failure. A deliberate disclosure of your personal information is a business decision. When a Washington company sold a list with your data, sent your file to a vendor outside the scope of its privacy notice, accidentally emailed your records to the wrong recipient, or posted your information on a public site, the legal framing is not the same as a Ch. 19.255 RCW breach case. The lever is the Consumer Protection Act at Chapter 19.86 RCW, supplemented by contract claims based on the company's stated privacy policy. Ch. 19.255 RCW remains relevant when the disclosure involves "personal information" within the statutory definition and the recipient was unauthorized, because the statute reaches unauthorized acquisitions of computerized data regardless of whether the acquirer is a hacker or a recipient who should not have received the file. The honest answer up front: the strength of the matter depends heavily on what the company's privacy policy actually said and how the disclosure happened.
Fast triage: what kind of disclosure is this?
- Did the company share or sell your data to a third party outside the scope of the privacy policy in effect when you provided the information? That is a deceptive-practice CPA case before it is anything else.
- Did a company employee accidentally email or upload your file to the wrong recipient (a "rogue email" or "misconfigured share")? That can still be a Ch. 19.255 unauthorized acquisition by an unauthorized person, depending on the data and the safe-harbor analysis.
- Did the company post your information on a public site, even in summary form? Public posting of personal information often falls inside Ch. 19.255 if the data category is in scope, and can also support a separate publication-of-private-facts theory.
- Did the company disclose to a vendor or processor without the contractual protections the privacy policy promised? That is a deceptive-practice case (the promise was breached) plus a possible processor-allocation issue under RCW 19.255.020.
- Did the disclosure involve health, biometric, mental-health, reproductive, gender-affirming, or wellness data? If so, MHMDA (Chapter 19.373 RCW) is in the case and the framing changes materially. See the data breach vs. MHMDA comparison.
The legal hooks: how Washington frames a deliberate disclosure
The CPA frame is usually the lead. RCW 19.86.020 prohibits unfair or deceptive acts or practices in trade or commerce. A company's privacy policy is a representation about how data will be handled; using the data in a way the policy did not authorize is deceptive on its face. The public-interest element under RCW 19.86.093 is rarely a problem because companies that handle data this way usually do it for many consumers, not just one. The remedy at RCW 19.86.090 supplies actual damages, the discretionary trebling enhancement capped at twenty-five thousand dollars per RCW 19.86.020 violation, and one-way attorney's fees. The four-year SOL under RCW 19.86.120 applies.
The Ch. 19.255 frame is the backup. RCW 19.255.010 defines a breach of system security by reference to unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information. A disclosure to a recipient who was not authorized to receive the data is an unauthorized acquisition by an unauthorized person. The encryption safe harbor still applies. If the company should have sent notice and did not, the consumer protection section at RCW 19.255.040 gives the Attorney General CPA-style enforcement authority and separately lets an injured consumer bring a civil action for damages and injunctive relief. The statute itself says, however, that an action to enforce Chapter 19.255 may not be brought under RCW 19.86.090, so the full Chapter 19.86 remedy stack (treble damages, one-way attorney fees) does not automatically attach to the breach-notification frame. A separate Chapter 19.86 CPA claim may still be available when the deliberate-disclosure facts independently satisfy the CPA elements, and that independent claim is what carries the trebling and fee-shifting leverage.
The contract frame is the third path. The company's privacy policy is a representation that, depending on the surrounding documentation, may also be a contract term. Breach of a privacy promise can support a separate contract claim with its own remedy. Most demand letters combine the CPA and contract frames because the CPA supplies the fee-shifting and the contract claim supplies a remedy for harms that are not "injury to business or property" in the CPA sense.
The publication-of-private-facts and intrusion-on-seclusion frames are common-law privacy tort theories. They have their own elements (a highly offensive disclosure, private facts not of legitimate public concern, identifiable injury). These are useful as parallel theories when the company posted something publicly that should never have been public.
Why the company's own privacy policy is the most important document
In a deliberate-disclosure matter, the privacy policy that was in effect when you provided the data is the central document. The CPA's deceptive-practice element is essentially the gap between what the policy said and what the company actually did. A privacy policy that promised "we do not sell your information" while the data was sold is a textbook CPA case. A privacy policy that quietly allowed sharing with "affiliates and partners" can defeat the deceptive-practice theory entirely. The Wayback Machine capture at archive.org is often the difference between a strong case and a weak one. Before drafting the letter, I pull the privacy policy as it existed at the time you provided the data, not the current version.
What a Washington unauthorized-disclosure demand letter should do
- Identify the disclosure with specifics: date, recipient, data categories shared, and how you discovered it.
- Quote the privacy-policy language that was in effect when you provided the data, paired with the actual practice that contradicts it.
- Cite RCW 19.86.020, RCW 19.86.093, and RCW 19.86.090 for the CPA frame, with Ch. 19.255 RCW citations for the notice backup if applicable.
- Quantify injury: monitoring you bought, spam or harassment costs traceable to the disclosure, mitigation efforts, and any documented loss tied to the recipient's use of the data.
- Demand a specific outcome: deletion confirmation from the recipient, written confirmation that the disclosure has stopped, refund of any subscription or monitoring fees, refund of fees you paid the company for a product the policy was material to, and preservation of breach-related records.
- Preserve the four-year SOL by documenting transmission, and reserve rights to refer the matter to the Washington AG and FTC.
Documents to gather before the letter goes out
- The privacy policy as it existed when you provided the data (use archive.org if the current version differs).
- Evidence of the disclosure: a forwarded email from the unauthorized recipient, a spam pattern that traces to the company, a screenshot of public posting, a vendor list, or a public records request response.
- Your original sign-up records: account creation date, ToS version accepted, payment receipts.
- Communications with the company before the disclosure (intake forms, support tickets) and after (your complaint, their response).
- Receipts for monitoring, scrubbing services, identity-protection enrollment, and any other mitigation cost.
- A short timeline: when you signed up, what you provided, when the disclosure happened, how you discovered it, what the company said in response, current status.
When this is worth hiring an attorney
An attorney-drafted Washington unauthorized-disclosure letter is more likely to change the outcome when the privacy-policy gap is clean and documented in writing, when the recipient is a real third party whose conduct can be tracked (a data broker, a competitor, an unrelated business that started contacting you), and when documented injury is in the low four figures or higher. It is less likely to change the outcome when the privacy policy actually authorized the disclosure (read it carefully), when the recipient is a vendor whose use of the data is internal and not visible to you, or when the disclosure is so old that the four-year SOL is close to running.
What I review when you send a Washington disclosure matter
When you send the file I read the privacy policy in the version that was live when you provided the data, the disclosure evidence, your account record, and the company's response. I walk the CPA elements and the Ch. 19.255 backup against the specific facts and form an honest view of whether a $575 attorney-drafted demand letter is the right move, whether AG referral is more efficient, or whether the matter belongs in a class case already pending. The output is a written evaluation, not a sales pitch.
Primary sources
- RCW 19.255.010: breach definitions and notice obligations.
- RCW 19.255.020: processor and vendor allocation.
- RCW 19.255.030: federal-law / HIPAA covered entities and Gramm-Leach-Bliley financial institutions.
- RCW 19.255.040: consumer protection section. AG CPA-style enforcement plus a consumer civil action for damages and injunctive relief. The statute itself precludes an action to enforce Chapter 19.255 from being brought under RCW 19.86.090.
- RCW 19.86.020: substantive prohibition on unfair or deceptive acts.
- RCW 19.86.090: CPA remedy with treble enhancement and attorney's fees.
- RCW 19.86.093: public-interest paths.
- RCW 19.86.120: four-year statute of limitations.
This page is an educational resource. Sergei Tokmakov is a California attorney (CA Bar #279869) currently seeking admission to the Washington State Bar. Nothing on this page creates an attorney-client relationship, and nothing on this page is Washington legal advice for a specific matter. A Washington-admitted attorney should verify both the operative statute text and any case citations before relying on them in court or correspondence on a live dispute.