Privacy Laws in Washington State (2026): Consumer, Health Data, and Recording Rights Explained



Kevin Henry

Data Privacy

July 30, 2025


My Health My Data Act Provisions

Washington’s My Health My Data Act (HB 1155) protects consumer health data that falls outside HIPAA by imposing duties on “regulated entities” and extending enforceable rights to you as a consumer. Core timelines: most provisions took effect on March 31, 2024 (June 30, 2024 for small businesses), while the geofencing prohibition has applied since July 23, 2023. Violations are enforceable under the state Consumer Protection Act (CPA). ([atg.wa.gov](https://www.atg.wa.gov/protecting-washingtonians-personal-health-data-and-privacy?utm_source=openai))

Regulated entities must publish a clear consumer health data privacy policy that discloses what consumer health data is collected, why it is collected, sources of data, with whom it is shared, and how you can exercise your rights. Additional disclosures and fresh consent are required before collecting or sharing new categories or for new purposes. ([app.leg.wa.gov](https://app.leg.wa.gov/documents/billdocs/2023-24/Htm/Bill%20Reports/House/1155-S.E%20HBR%20PL%2023.htm))

Consent must be opt-in and specific. Sharing consumer health data requires separate consent from collection consent. Selling consumer health data is unlawful without a stand‑alone, written “valid authorization” that identifies the data to be sold, the buyer, the purpose, and includes your signature; it expires after one year and copies must be retained for six years. ([app.leg.wa.gov](https://app.leg.wa.gov/documents/billdocs/2023-24/Htm/Bill%20Reports/House/1155-S.E%20HBR%20PL%2023.htm))

The Act also bans geofencing around in‑person health care providers when used to identify or track consumers, collect consumer health data, or push related messages or ads. A “geofence” is a virtual boundary of 2,000 feet or less around a physical location. ([wa-law.org](https://wa-law.org/bill/2023-24/hb/1155/S.PL/?utm_source=openai))

Data subject rights include the ability to confirm collection, sharing, or sale; access your consumer health data (including a list of third parties and affiliates with whom it was shared or sold); withdraw consent; and request deletion across the entity and its affiliates/processors. Entities must respond within 45 days (with one possible 45‑day extension). ([app.leg.wa.gov](https://app.leg.wa.gov/documents/billdocs/2023-24/Htm/Bill%20Reports/House/1155-S.E%20HBR%20PL%2023.htm))

Automated License Plate Reader Data Retention Rules

As of February 19, 2026, Washington has no statewide statute governing how long agencies may retain automated license plate reader (ALPR) data, though lawmakers are advancing comprehensive limits. A recent report and coverage underscored the gap and spurred legislative action. ([axios.com](https://www.axios.com/local/seattle/2025/10/29/federal-access-washington-police-plate-data-sharing-seattle?utm_source=openai))

The Senate’s SB 6002 (which passed the Senate) would generally cap ALPR data retention at 21 days, with narrow exceptions (e.g., court orders, evidence of specified unlawful conduct, parking for 12 hours, traffic studies for 30 days, commercial vehicle enforcement for four hours). It also adds registration, auditing, and use restrictions, and treats violations as CPA violations with evidence obtained in knowing violation inadmissible. ([lawfilesext.leg.wa.gov](https://lawfilesext.leg.wa.gov/biennium/2025-26/Htm/Bill%20Reports/Senate/6002%20SBR%20LAW%20OC%2026.htm?utm_source=openai))

A House counterpart (HB 2332) proposes a 72‑hour general retention limit with similar exceptions and oversight mechanisms (e.g., AG model policies by July 1, 2027; local adoption by December 1, 2027). Final retention limits will depend on reconciliation of these bills. ([app.leg.wa.gov](https://app.leg.wa.gov/documents/billdocs/2025-26/Htm/Bill%20Reports/House/2332%20HBA%20CRJ%2026.htm?utm_source=openai))

House Bill 1671 Consumer Health Data Definitions

House Bill 1671 (2025–26 session) is a broader personal data privacy proposal that defines “consumer health data” as personal data linked or reasonably linkable to a consumer that identifies the consumer’s past, present, or future physical or mental health status. The definition explicitly includes conditions and diagnoses, treatments and surgeries, medication use, bodily functions and vital signs, reproductive and sexual health information, gender‑affirming care information, biometric and genetic data, precise geolocation indicating attempts to obtain health services, and derived or inferred health data. ([lawfilesext.leg.wa.gov](https://lawfilesext.leg.wa.gov/biennium/2025-26/Htm/Bill%20Reports/House/1671%20HBA%20TEDV%2025.htm?utm_source=openai))

HB 1671 uses a controller/processor framework and, if enacted, would apply to persons doing business in Washington or targeting Washington residents who collect or process personal data—complementing the existing My Health My Data regime by clarifying and standardizing definitions, including consumer health data. As of February 19, 2026, it remains a bill under consideration. ([wa-law.org](https://wa-law.org/bill/2025-26/hb/1671/S/))

House Bill 2606 Office of Privacy and Data Protection

Washington’s Office of Privacy and Data Protection (OPDP) is established by RCW 43.105.369 to serve as the state’s central point of contact on privacy and data protection policy. Its statutory duties include annual privacy reviews and trainings for state agencies, articulating privacy principles and best practices, coordinating data protection, and participating in reviews of major projects involving personally identifiable information. ([app.leg.wa.gov](https://app.leg.wa.gov/rcw/default.aspx?cite=43.105.369&utm_source=openai))

HB 2606 (2026) would update OPDP’s mandate and performance measures—adding review of agency projects using artificial intelligence, refining reporting metrics, and removing outdated telecommunications reporting. The bill passed the House with strong bipartisan support and is now before the Senate. ([app.leg.wa.gov](https://app.leg.wa.gov/documents/billdocs/2025-26/Htm/Bill%20Reports/House/2606%20HBR%20TEDV%2026.htm?utm_source=openai))


Under the My Health My Data Act, you must be given a clear privacy notice and a straightforward way to exercise your rights. Entities may collect or share consumer health data only with your consent or as necessary to provide a requested product or service; sharing consent must be separate from collection consent, and entities must honor withdrawal of consent. ([app.leg.wa.gov](https://app.leg.wa.gov/documents/billdocs/2023-24/Htm/Bill%20Reports/House/1155-S.E%20HBR%20PL%2023.htm))

Selling consumer health data requires a separate, signed valid authorization detailing the specific data, buyer and seller identities, purpose, your right to revoke, and a one‑year expiration; copies must be furnished to you and retained for six years. Processors must follow binding instructions, and if they exceed them, they become regulated entities for that data. ([wa-law.org](https://wa-law.org/bill/2023-24/hb/1155/S.PL/?utm_source=openai))

Surveillance and Recording Restrictions

Washington is an “all‑party consent” state: recording a private in‑person, telephone, or electronic conversation generally requires consent from everyone involved. The law focuses on whether the conversation is “private,” with factors including location and the presence of third parties. Limited exceptions cover emergencies, threats, and certain other contexts. Violations are criminal and can also lead to civil liability. ([rcfp.org](https://www.rcfp.org/reporters-recording-guide/washington/?utm_source=openai))

Silent video is typically outside the scope of the Privacy Act; the statute primarily governs audio recordings of private conversations. Attorney General opinions and court decisions clarify that conversations with on‑duty police are generally not private for these purposes. ([atg.wa.gov](https://www.atg.wa.gov/ago-opinions/video-and-audio-recording-communications-between-citizens-and-law-enforcement-officers?utm_source=openai))

Washington also restricts certain forms of digital surveillance. The My Health My Data Act prohibits using geofences around health care providers to track consumers, collect consumer health data, or send related messages and ads, reflecting strong geofencing restrictions tied to health privacy. ([wa-law.org](https://wa-law.org/bill/2023-24/hb/1155/S.PL/?utm_source=openai))

Enforcement and Compliance Mechanisms

Violations of the My Health My Data Act are per se violations of the Consumer Protection Act, enforceable by the Attorney General and through private actions. The CPA authorizes civil penalties up to $7,500 per violation in state enforcement, with enhanced penalties in specified circumstances. ([atg.wa.gov](https://www.atg.wa.gov/protecting-washingtonians-personal-health-data-and-privacy?utm_source=openai))

Washington’s recording law imposes both criminal and civil consequences: unlawful recording of a private conversation is a gross misdemeanor; illegally obtained recordings are generally inadmissible; and injured parties may recover actual damages or liquidated damages up to $1,000 plus attorney’s fees. ([app.leg.wa.gov](https://app.leg.wa.gov/rcw/default.aspx?cite=9.73.080&utm_source=openai))

If enacted, ALPR legislation would make violations actionable under the CPA, restrict disclosure, mandate audits and logs, and in some versions classify willful violations as gross misdemeanors—adding strong compliance incentives around ALPR data retention and use. ([lawfilesext.leg.wa.gov](https://lawfilesext.leg.wa.gov/biennium/2025-26/Htm/Bill%20Reports/Senate/6002%20SBR%20LAW%20OC%2026.htm?utm_source=openai))

Bottom line for data privacy compliance: map any consumer health data you handle, publish and maintain accurate notices, obtain and record purpose‑specific consents, use stand‑alone authorizations for any sale, limit access and retention, contract tightly with processors, and build processes to honor data subject rights within statutory deadlines. Agencies using ALPRs should prepare for short retention windows, audit trails, and public reporting. ([app.leg.wa.gov](https://app.leg.wa.gov/documents/billdocs/2023-24/Htm/Bill%20Reports/House/1155-S.E%20HBR%20PL%2023.htm))

FAQs

What protections does the My Health My Data Act provide?

The law requires clear privacy notices; opt‑in consent to collect and separate consent to share consumer health data; a stand‑alone authorization for any sale; and data subject rights to access, deletion, and withdrawal of consent (with 45‑day response timelines). It also bans geofencing around in‑person health care providers for tracking, collection, or targeted messaging, and violations are enforced under the Consumer Protection Act. ([app.leg.wa.gov](https://app.leg.wa.gov/documents/billdocs/2023-24/Htm/Bill%20Reports/House/1155-S.E%20HBR%20PL%2023.htm))

How long can ALPR data be retained under Washington law?

Statewide retention limits are not yet enacted as of February 19, 2026. The Senate’s SB 6002 would set a 21‑day default (with defined exceptions), while a House proposal (HB 2332) would cap retention at 72 hours (with similar exceptions). Final limits will depend on the bill that passes. ([axios.com](https://www.axios.com/local/seattle/2026/02/19/washington-alpr-bill-sb6002-license-plate-reader-data-retention-21-days-privacy?utm_source=openai))

What entities are covered by House Bill 1671?

HB 1671 would apply to persons that conduct business in Washington or target Washington residents and collect or process personal data—using a controller/processor framework and defining sensitive categories such as consumer health data. As of now, it remains a bill in the 2025–26 session. ([wa-law.org](https://wa-law.org/bill/2025-26/hb/1671/S/))

What is the role of the Office of Privacy and Data Protection?

OPDP, established by RCW 43.105.369, is Washington’s hub for privacy policy and data protection. It runs annual agency privacy reviews and trainings, sets statewide privacy principles, coordinates data protection, and reviews major projects with personal data. HB 2606 would modernize its metrics and add AI project review to its core duties. ([app.leg.wa.gov](https://app.leg.wa.gov/rcw/default.aspx?cite=43.105.369&utm_source=openai))
