Support Centre

You have out of 5 free articles left for the month

Signup for a trial to access unlimited content.

Start Trial

Continue reading on DataGuidance with:

Free Member

Limited Articles

Create an account to continue accessing select articles, resources, and guidance notes.

Free Trial

Unlimited Access

Start your free trial to access unlimited articles, resources, guidance notes, and workspaces.

Washington - Sectoral Privacy Overview

Washington - Sectoral Privacy Overview

May 2024


The Constitution of the State of Washington (Constitution) explicitly recognizes an individual's right to privacy and states under Article 1 §7: 'No person shall be disturbed in his private affairs, or his home invaded, without authority of law.' Courts have held that this section of the Constitution affords greater protection and is broader than the Fourth Amendment to the Constitution of the United States (State v. Arreola, 176 Wash.2d 284, 291 (2012)).

In addition to this constitutional right, the Washington State Supreme Court (Supreme Court) has affirmed that a common law right of privacy exists and that individuals may bring a cause of action for invasion of that right (see Reid v. Pierce County, 136 Wn.2d 195, 205, 961 P.2d 333 (1998)). There are four common law invasion of privacy claims recognized in Washington:

  • intrusion upon solitude or seclusion;
  • public disclosure of private facts;
  • publicity which places a person in a false light in the public eye; and
  • appropriation of one's name or likeness.

Intrusion upon solitude or seclusion

The tort of intrusion is based on the intentional interference with the private affairs of an individual, in such a manner that would be highly offensive to a reasonable person. The invasion need not be physical; for instance, tapping a phone line or peering into a private dwelling using binoculars could be grounds for an intrusion claim. To state a claim for intrusion upon solitude or seclusion, a plaintiff must establish that (see Armijo v. Yakima HMA, LLC, No. 11-CV-3114-TOR, 2012 WL 2576624, at *2 (E.D. Wash. 3 July 2012)):

  • the defendant deliberately intruded, physically or otherwise;
  • into the plaintiff's solitude, seclusion, or private affairs or concerns; and
  • in a manner that would be highly offensive to a reasonable person.

Public disclosure of private facts

The tort of public disclosure allows an individual to sue if highly sensitive information about them has been disclosed without their authorization. To state a claim, a plaintiff must establish that (see Fisher v. State Department of Health, 125 Wn. App. 869, 106 P.3d 836 (Wash. Ct. App. 2005)):

  • there has been a publication or disclosure about their private affairs; and
  • the matter publicized would be highly offensive to a reasonable person.

Note that there are some important limitations to this tort. First, the disclosure of private facts must be public, meaning that disclosure of information to a small group of individuals, or legitimately interested parties, will not suffice. For example, in Mayer v. Huesner a court held that a patient waived their privacy interest in medical records by pursuing a workers' compensation claim, and such disclosure was 'internal and private, not public' (Mayer v. Huesner, 126 Wash. App. 114, 122 P.3d 152 (2005)). Second, the disclosure must involve private facts that would cause a reasonable person to be offended or embarrassed if such information were similarly disclosed about them. A plaintiff will not successfully prevail on a claim of public disclosure if they have unusual sensitivities, and the exposure of the information would not offend a reasonable person. For example, in Mark v. King Broad. Co., the court held that the plaintiff's claim of publication of private matter failed where a film portrayal of the plaintiff speaking on the phone would not offend a 'person of ordinary sensitivities' (Adams v. King Cty., 164 Wash. 2d 640, 662, 192 P.3d 891, 902 (2008)).

False light privacy

The tort of false light is similar to the tort of defamation, in that it protects people who have been cast in a false light in the public eye. However, unlike a defamation action, where a plaintiff could be compensated for damages to their reputation, the tort of false light speaks more to the peace of mind of an individual than to their reputation with the broader community (see Brink v. Griffith, 65 Wash. 2d 253, 396 P.2d 793 (1964)). Plaintiffs that prevail on false light claims are allowed to recover damages for injured feelings and mental suffering. To prevail on a false light claim, a plaintiff must demonstrate that (Mark v. King Broad. Co., 27 Wash. App. 344, 356 (1980), aff'd sub nom. Mark v. Seattle Times, 96 Wash. 2d 473, 635 P.2d 1081 (1981)):

  • there was a public disclosure that put the plaintiff in a false light;
  • with convincing clarity, the plaintiff was the person about whom the publication was made;
  • the false light would be highly offensive to a reasonable person; and
  • the defendant knew of, or recklessly disregarded, the falsity of the publication and the false light in which the plaintiff was represented.

Appropriation of one's name or likeness

The tort of appropriation involves the use of an individual's name or appearance, in a commercial context, without permission. It is similar to the 'right of publicity,' which protects the names and identities of celebrities and other notable persons. To be liable for the tort of appropriation, a defendant must have (see Washington Practice, Tort Law and Practice, §21:4, 4th ed.):

  • appropriated the reputation, prestige, or social or commercial standing of a plaintiff's name or likeness; and
  • without the plaintiff's authorization.

Monetary gain by the defendant is not necessary for the plaintiff to prevail on this claim.

This year, the Washington State Legislature (State Legislature) re-introduced Senate Joint Resolution 8202/House Joint Resolution 4201, which would create an amendment to the Constitution intended to expressly set forth the existing constitutional right to make reproductive freedom decisions included in a person's liberty, privacy, and equal protection rights guaranteed by Article I, Sections 3 and 7, Article XXXI, Section 1, or any other applicable provision of the Constitution.


In recent years, the State Legislature has proposed several pieces of legislation that would strengthen privacy rights for individuals in Washington. Most notably, last year, Washington passed the My Health My Data Act, Wash. Rev. Code Ann. §§ 19.373.005 — 19.373.900, (MHMD or Act).  Because of its potentially broad scope and private right of action, MHMD may be one of the most significant U.S. privacy laws enacted in recent years.  See Section 3 (Health Data) for more information.

So far, Washington has not succeeded in enacting any true omnibus privacy bills. This year, the State Legislature re-introduced Senate Bill 5643/House Bill 1616, the 'people's privacy act,' creating a charter of people's personal data rights (SB 5643/HB 1616), and adding a new section to Chapter 42.56 and a new chapter to Title 19 addressing data privacy. The previous year, much attention was given to Senate Bill 5062 for the Washington Privacy Act (the Bill), which would have imposed General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR) like requirements on businesses, including obligations to provide meaningful privacy notices about their data practices and to honor consumer rights requests (including but not limited to access, rectification, and deletion requests) from Washington State residents.

Two years ago, the State Legislature also passed House Bill 4607 recognizing digital privacy day (HR 4607), establishing January 28, as a day to commemorate data privacy, to encourage Washingtonians to be aware of and take steps to protect their privacy interests and personal information. Time will tell whether Washington will enact its own substantive, omnibus privacy law.


The Privacy Act

The statute on violating the right to privacy (the Privacy Act), under Chapter 9.73 of Title 9 of the Revised Code of Washington (RCW), addresses the right to privacy in communications, including letters sent and received, and the right to be free from having conversations intercepted, recorded, or divulged in the absence of a court order. Washington courts have noted that the State Legislature's primary purpose in enacting this statute was to protect the privacy of individuals and that this statute broadly protects individuals' privacy rights, more so than most other electronic surveillance laws (see State v. Williams, 94 Wn.2d 531, 543, 617 P.2d 1012 (1980); State v. Roden, 179 Wash.2d 893, 898, 321 P.3d 1183 (2014), holding that the Privacy Act 'is one of the most restrictive electronic surveillance laws ever promulgated').

§9.73.030 of the Privacy Act makes it unlawful to intercept, record, or divulge private communications, transmitted by telephone, telegraph, radio, or other device, without first obtaining the consent of all participants in the conversation, unless an exception applies (e.g. in the event of an emergency, such as a fire, crime, or natural disaster). The Privacy Act further specifies that, where consent is needed, it will be considered to have been obtained where one party announces to all the other parties engaged in the communication or conversation, in a reasonably effective manner, that such communication or conversation is about to be recorded or transmitted.

§9.73.050 of the Privacy Act addresses the admissibility of intercepted communications in evidence and states that information obtained in violation of §9.73.030 of the Privacy Act will be inadmissible in any civil or criminal case, unless an exception applies (see State v. Faford, 128 Wn.2d 476, 910 P.2d 447 (1996) (en banc); State v. Townsend, 147 Wn.2d 666, 57 P.3d 255 (2002) (en banc); State v. Clark, 129 Wn.2d 211, 916 P.2d 384 (1996) (en banc)).

Violations of §9.73.030 of the Privacy Act are gross misdemeanors. In addition, any person who violates the Privacy Act could be subject to legal action for damages and liable for actual damages, including mental pain and suffering endured by the plaintiff, or liquidated damages computed at the rate of $100 per day for each violation, not to exceed $1,000, and reasonable attorneys' fees and other costs of litigation pursuant to §9.73.060 of the Privacy Act.

Electronic impersonation and invasion of privacy

§4.24.790 of Chapter 4.24 of Title 4 of the RCW makes it unlawful to impersonate another person online. 'Impersonation' is defined as 'using an actual person's name or likeness to create an impersonation that another person would reasonably believe or did reasonably believe was or is the actual person being impersonated' (§4.24.790(1)(c) of the RCW). A person may be liable in a civil action based on a claim of invasion of privacy when:

  • they intentionally impersonate another;
  • the individual who was impersonated did not consent to the impersonation;
  • the impersonator intended to deceive or mislead for the purpose of harassing, threatening, intimidating, humiliating, or defrauding another; and
  • the impersonation proximately caused injury to the impersonated individual (injury is broadly defined to include injury to reputation or humiliation, injury to professional or financial standing, or physical harm) - a court may also award the prevailing party costs and reasonable attorney's fees.

There are several exemptions to §4.24.790 of the RCW. For example, it does not apply if the impersonation occurs in the context of art, commentary, satire, or parody or for other matters that are considered cultural, historical, political, religious, educational, or newsworthy in nature (§4.24.790(4) of the RCW).

A new bill passed by the State Legislature, House Bill 1335 concerning the unauthorized publication of personal identifying information (HB 1335), adds a new section to Chapter 4.24, regarding the unauthorized publication of personal identifying information and prescribing new penalties, and came into effect on July 23, 2023

Unauthorized transmission of software

§19.270.020 of Chapter 19.270 of Title 19 of the RCW is Washington state's spyware act and it makes it unlawful for a person to transmit, or procure the transmission of, software without the consent and actual knowledge of the owner or operator of the computer that the software, among other things, collects personally identifiable information through the use of a keystroke-logging function or by extracting the information from the owner or operator's hard drive.

An individual who violates this statute may be liable for actual damages or $100,000 per violation, whichever is greater. A court may increase the damages amount by up to three times the actual damages if the defendant has engaged in a pattern and practice of violating this law. The court may also award costs and reasonable attorney's fees to the prevailing party. The amount of damages awarded by the court for violations of this may not exceed $2,000,000.


Last year, Washington passed the My Health My Data Act. MHMD protects 'consumer health data,' which is broadly defined as personal information that is linked or reasonably linkable to a consumer and that identifies the consumer’s past, present, or future physical or mental health status. Wash. Rev. Code Ann. § 19.373.010(8)(a). The Act took full effect on March 31, 2024, for most regulated entities (although small businesses have until June 30, 2024, to comply). 

MHMD applies to companies that collect and process consumer health data and conduct business in Washington or provide products or services that are targeted to consumers in Washington. It also applies to processors that collect and handle consumer health data on behalf of regulated entities.  Unlike other state privacy laws, MHMD is not limited to commercial actors and thus can reach non-profit organizations.

Notably, the scope of data covered under the definition 'consumer health data' is potentially very broad. It could include information that relates to a consumer's health, fitness, or wellness -- covering, for instance, information about prior injuries, workout and fitness data, and even goals or interests related to fitness and health. It also includes data a regulated entity infers about a consumer’s health, fitness status, or interests from data that is not health-related, such as assigning shoppers a 'pregnancy prediction score' based on the purchase of certain products (as noted in the Washington Attorney General's FAQs guidance). MHMD imposes a number of obligations on regulated entities, including but not limited to:

  • maintaining a consumer health data privacy policy;
  • abiding by restrictions on the collection of consumer health data;
  • obtaining consent in order to share consumer health data;
  • obtaining a valid authorization to sell consumer health data;
  • abiding by geofencing restrictions; and
  • implementing certain data security practices.

MHMD is also unique among state privacy laws in allowing a private right of action. A violation of the Act is a per se violation of the Washington Consumer Protection Act (CPA), Wash. Rev. Code Ann. §§ 19.86.010 — 19.86.920. Wash. Rev. Code Ann. § 19.373.090. The CPA is enforced by the Attorney General (AG) as well as through private action. This means that individual consumers have the ability to file lawsuits alleging violations of the Act.  Plaintiffs' attorneys could make liberal use of this provision, potentially resulting in substantial class action litigation.

There are several other statutes in Washington that address the privacy and security of health information, including the Uniform Health Care Information Act (the Health Act), under Chapter 70.02 of Title 70 of the RCW. Since it was enacted in 1991, the Health Act has been amended several times to be more consistent with the federal Health Insurance Portability and Accountability Act of 1996 (HIPAA).

The Health Act restricts the unauthorized dissemination of 'health care information,' which means information, whether oral or recorded, that identifies a patient or could be readily associated with the identity of a patient, and which directly relates to the patient's healthcare, including charts, reports, correspondence, diagnostic studies, documents, x-rays, tissue and specimen slides, and photographs. Health care information also includes any required accounting of disclosures of health care information. Subject to very limited exceptions, healthcare information cannot be released without a patient's written authorization.

The Health Act also provides patients with a right to access and make copies of their medical records and it places limitations on fees healthcare providers can charge for complying with these requests.

In addition, the Health Act requires healthcare providers to adopt reasonable safeguards to secure healthcare information and imposes an obligation on providers to display a 'Notice of Information Practices' in a conspicuous place, to ensure that their patients are informed about the providers' information practices. The Health Act requires including language along the lines of the following in the notice:

"We keep a record of the health care services we provide you. You may ask us to see and copy that record. You may also ask us to correct the record. We will not disclose your record to others unless you direct us to do so or unless the law authorizes or compels us to do so. You may see your record or get more information about it at _______________."

There is a two-year statute of limitations period on any legal action against a healthcare provider for failure to comply with the Health Act after the cause of action is discovered. If an action is brought against a healthcare provider or facility, a court may award actual damages in addition to reasonable attorney's fees and other expenses. In addition to the remedies specifically provided for in the Health Act, a plaintiff may also have a common law claim for an invasion of privacy discussed above.

House Bill 1134 Implementing the 988 behavioral health crisis response and suicide prevention system (HB 1134) passed last year. HB 1134 creates a crisis response improvement strategy committee for the purpose of providing advice in developing an integrated behavioral health crisis response and suicide prevention system. This includes the creation of several subcommittees, including a '988 geolocation subcommittee' dedicated to examining privacy issues related to federal planning efforts to route 988 crisis hotline calls based on the person's location, rather than area code, including ways to implement the federal efforts in a manner that maintains public and clinical confidence in the crisis hotline.


Washington has a number of statutes that apply to the treatment and protection of financial information, including credit card and payment information. In particular, §9A.56.290 of Chapter 9A.56 of Title 9A of the RCW makes it unlawful to use a scanning device to access, read, obtain, memorize, or store information encoded on a payment card without the permission of the authorized cardholder, or with the intent to defraud the authorized user, another person, or a financial institution. Violations of this statute are considered a class C felony, and second or subsequent violations are a class B felony.

In addition, §19.255.020 of Chapter 19.255 of Title 19 of the RCW, which is part of the state's breach notification law, under §19.255.005 et seq. of Chapter 19.255 of Title 19 of the RCW, imposes affirmative obligations on individuals, partnerships, corporations, associations, organizations, government entities, and any other legal or commercial entity to take reasonable measures when processing payment information. If a processor or business fails to take reasonable care to guard against unauthorized access to such information in its possession or control, and such failure is found to be the proximate cause of a security breach, the processor or business is liable to a financial institution for reimbursement of reasonable actual costs related to the reissuance of credit cards and debit cards. The State Legislature drafted this provision in part to encourage financial institutions to reissue credit and debit cards to consumers when appropriate to reduce the incidence of identity theft and associated costs to consumers.

The Washington Administrative Code (WAC) also imposes obligations that relate to financial information, specifically under §284-04-120 et seq. of Chapter 284-04 of Title 284 of the WAC. Under the WAC, covered entities have an obligation to provide clear and conspicuous notice to consumers and customers that reflects their privacy policies and information practices (see §284-04-200 of the WAC). A 'consumer' is defined as 'an individual who seeks to obtain, obtains, or has obtained an insurance product or service from a licensee that is to be used primarily for personal, family or household purposes and about whom the licensee has nonpublic personal information' (§284-04-120(6) of the WAC). A 'customer' is defined as 'a consumer who has a customer relationship with a licensee' (§284-04-120(9) of the WAC). 'Nonpublic personal financial information' means personally identifiable financial information and any list, description, or other grouping of consumers (and publicly available information pertaining to them) that is derived using any personally identifiable financial information that is not publicly available (§284-04-120(22)(a) of the WAC).

WAC Chapter 284-04 also restricts how covered entities can disclose non-public personal financial information. By statute, licensees may not disclose non-public personal financial information about a consumer to a nonaffiliated third party unless they have provided an initial notice and opt-out notice to the consumer, and the consumer does not opt-out after being given a reasonable opportunity (§284-04-300 of the WAC). Reasonable opportunities to opt-out include providing the consumer with a form they can mail in, a toll-free number they can call, or other reasonable ways that they can provide notice 30 days from the date they received notice (§284-04-300 of the WAC). In the case of an isolated transaction, such as providing an insurance quote, the consumer must be given the opportunity to opt-out during the transaction, and must opt-out before the transaction is complete (§284-04-300 of the WAC). A consumer can also be given the option to partially opt-out, by selecting certain non-public information that they do not want disclosed. Consumers must be provided with such notice even if a customer relationship is never formed with the provider.

If a provider receives non-public personal financial information from a non-affiliated financial institution, they may disclose the information only to their affiliates, the affiliates of the financial institution from where they received the information and to any other person that the information could be lawfully disclosed to directly by the financial institution from where the provider received the information (§284-04-305 of the WAC).

In addition to non-public financial information, a provider is also prohibited from disclosing a consumer's policy number (or related account number) to any non-affiliated third party for their use in marketing (§284-04-310 of the WAC). A provider can disclose such policy information to their own service provider, for marketing purposes, as long as the service provider is not authorized to directly initiate charges to the account (§284-04-310 of the WAC). A provider can also disclose such policy information to an affinity or similar program, if it was previously identified to the customer when they entered into the program (§284-04-310 of the WAC).

If a consumer chooses not to grant authorization for or to opt-out from disclosure of their non-public financial information, the provider is prohibited from thereby discriminating against them (§284-04-605 of the WAC).

There are a number of exceptions where providers can disclose non-public financial information without consent, such as to process a transaction on behalf of the consumer, for fraud prevention purposes, or to respond to a properly authorized subpoena.

Violation of the above is deemed an unfair method of competition or an unfair or deceptive act and practice in Washington (§284-04-610 of the WAC).

The statute also imposes breach notification requirements in the event of a security incident. In the event of a security breach, a licensee must notify the Office of the Insurance Commissioner, in writing, within two business days, about the number of affected or potentially affected customers, after determining notification must be sent to consumers (§284-04-625 of the WAC). Failure to provide notice of a security breach is deemed an unfair practice (§284-04-625 of the WAC).

The RCW also contains a statute on identity crimes, under §9.35.001 et seq. of Chapter 9.35 of Title 9 of the RCW. In RCW §9.35.001, the State Legislature made clear that financial information is personal and sensitive information, such that unlawful possession or use of it by others may result in significant harm to one's privacy interest. The State Legislature also acted with the intent of protecting seniors and vulnerable individuals from identity theft. Under this statute, 'financial information' is defined as including account numbers and balances, transaction account information, codes, passwords, social security numbers, tax identification numbers, driver's license or permit numbers, state identity card numbers, and other information held for the purpose of accessing an account or initiating a transaction (§9.35.005 of the RCW).

RCW §9.95.010 makes it a crime to obtain a person's financial information by knowingly making a false statement or knowingly providing a forged or counterfeit document to obtain such information. In determining the appropriate penalty for violation of this statute, the State Legislature stated that each individual unlawful use is a separate unit of prosecution for each victim and for each act of obtaining or possessing the information (RCW §9.35.001). Violation results in a class C felony. Violators are also liable for $500, or actual damages, whichever is greater, plus attorney's fees (§9.95.010 of the RCW).

RCW §9.35.020 prohibits possession or use of another's financial information to commit a crime. Identity theft in the first degree occurs when the accused obtains credit, money, or goods in excess of $1,500 in value, or knowingly targets a senior or vulnerable individual. Additionally, any consumer fraud that targets any senior or vulnerable individual is subject to civil penalties of three times the amount of actual damages (§9.35.060 of the RCW). Identity theft in the first degree is a class B felony. Identity theft in the second degree is a violation that does not rise to the level of first-degree identity theft. Second-degree identity theft is a class C felony. A defendant can be convicted of identity theft as well as the crime they intended to commit without violating double jeopardy. In State of Washington v. Michael Darrel Miliam, the court held that convictions of both second-degree theft and second-degree identity theft did not violate the prohibition against double jeopardy (State of Washington v. Michael Darrel Miliam, 155 Wash.App. 365, 375 (2010)).

It is also a misdemeanor to use another's financial information to solicit undesired mail, 'with the intent to annoy, harass, intimidate, torment, or embarrass that person' (§9.35.030 of the RCW). Violators are also subject to civil damages of $500 or actual damages, whichever is greater, plus attorney's fees.


In Washington, under Chapter 49.12 of Title 49 of the RCW, employees have a right to examine all personnel files kept by their employer. This does not include records relating to the investigation of a possible criminal offense or records compiled in preparation for an impending lawsuit (§49.12.260 of the RCW). At least annually, upon the request of the employee, the employer must allow them to inspect their own personnel files (§49.12.240 of the RCW). An employee can also file a rebuttal or correction to any of the information in the file, and if the employer agrees such information is incorrect, they must remove it (§49.12.250 of the RCW). An employee retains this right for two years after their employment ends (§49.12.250 of the RCW). A proposed bill in the State Legislature, House Bill 1320 concerning access to personnel files, which further defines what is included in a 'personnel file,' would also grant employees a private right of action, without requiring employees to exhaust administrative remedies, to enforce this right. Senate Bill 5061 concerning unemployment insurance would similarly amend §49.12.250 of the RCW without adding a private right of action.

Employers in Washington are allowed to monitor employees with television cameras or videotapes in both public and work areas; however, it is advisable for employers to tell employees that they are being monitored. It is also lawful for employers to use computers to monitor an employee's performance, but the employer should explain their ability and intention to do so ahead of time to the employee to avoid any claims of invasion of privacy.

Although it remains unsettled law, it could be argued that an employee's personal email has privacy protection under the federal Electronic Communications Privacy Act of 1986, which prohibits the intentional interception of electronic communications (see 18 United States Code (U.S.C.) §2511). In Sprague v. Spokane Valley Fire Department, the plaintiff firefighter brought suit due to the defendant fire department allegedly firing them for including religious comments in emails sent through the department's computer systems (Sprague v. Spokane Valley Fire Department, 409 P.3d 160 (Wash. 2018)). The Supreme Court held that the department's policy restricting the use of the email system to departmental business was reasonable, however, the Supreme Court held that the plaintiff met the initial burden of establishing that the restrictions on what they could send using the department's computer systems violated their first amendment rights (Sprague v. Spokane Valley Fire Department, at 167). Thus, employers should have in place a clear policy regarding email use, reserve the right to monitor employees' email messages and require employees to sign and acknowledge receipt of such policy.

It is illegal for an employer to intercept, record, or transmit any private communications by employees, without their prior consent, although an employer may monitor the numbers dialed by employees, in order to monitor unauthorized phone use. Where an employer desires to monitor calls or observe employee performance, they should advise employees in advance that they will be doing so, in addition to notifying customers of this practice at the beginning of the call.

Under Chapter 49.44 of Title 49 of the RCW, when it comes to social media and networking, an employer cannot request or require an employee or applicant to (§49.44.200 of the RCW):

  • disclose their login information;
  • access the account in the presence of the employer;
  • add a person (including the employer) to the employee's list of contacts; or
  • alter the third-party settings of their profile, so that their profile may be more easily viewed by the employer.

Similarly, an employer cannot take any adverse action against an employee or applicant because they refuse to take one of the previous actions (§49.44.200 of the RCW). Additionally, an employer who inadvertently obtains an employee's social networking login is prohibited from using it to access the employee's social networking account, although not liable for possessing such information alone (§49.44.200 of the RCW).

An employer can request or require that an employee share content from their social networking account if such a request is made in the context of conducting an investigation in response to information about the employee's social networking activity (§49.44.200 of the RCW). The purpose of the investigation must be to ensure compliance with the laws and against employee misconduct or investigate the employee's unauthorized use of the employer's confidential or proprietary information on their social networking profile (§49.44.200 of the RCW). During the investigation, such information cannot be obtained from the employee by them being forced to surrender their login information, and the law does not obligate employees to divulge information even in these limited scenarios (§49.44.200 of the RCW).

An employer can also request or require an employee to disclose their login information where the account was provided by virtue of the employment relationship or where the device or account was paid for or supplied by the employer (§49.44.200 of the RCW).

Employees have a private right of action against an employer that violates the above-described statute and may bring a civil action against the employer (§49.44.205 of the RCW). The court may award injunctive relief, actual damages, or penalty in the amount of $500, in addition to reasonable expenses and attorney's fees (§49.44.205 of the RCW).


There are no laws in Washington State that provide for special protections of children's privacy online. However, the federal Children's Online Privacy Protection Act of 1998 (COPPA) does apply in Washington and imposes certain requirements on internet service providers and operators of websites to safeguard the privacy of children under the age of 13.


Under the statute on commercial electronic mail, under §19.190.010 et seq. of Chapter 19.190 of Title 19 of the RCW, RCW §19.190.020 prohibits sending a commercial electronic message that contains false or misleading information in the subject line or that misrepresents any identifying information, from a computer located in Washington or to an electronic address the sender knows or has reason to know is that of a Washington resident. Sending a commercial text message to a Washington resident is also prohibited, under RCW §19.190.060, although cellular providers that merely serve as an intermediary are exempt (RCW §19.190.070). Additionally, an interactive service provider cannot be held liable for voluntarily, and in good faith, blocking any messages it reasonably believes are or will be sent in violation of this statute (§19.190.050 of the RCW).

A recipient of such an email or text message, sent in violation of this statute, can receive damages of the greater of $500, or actual damages (§19.190.040 of the RCW). An interactive computer service that is damaged under this statute can receive the greater of $1,000 or actual damages (§19.190.040 of the RCW).

In State v. Heckel, Washington's AG filed suit against an Oregon resident for violation of RCW Chapter 19.190, which, as described above, prohibits misrepresentation in unsolicited commercial emails sent from a computer in Washington or to a Washington resident (State v. Heckel, 122 Wash. App. 60, 63 (2004)). The defendant argued that the state failed to prove that they knew or had reason to know their email was directed to a Washington resident (Ibid, at 67). The court held that actual knowledge is imputed if residency information is available from the domain name registrant, and noted that the statute does not state what evidence is sufficient to demonstrate 'reason to know' (Ibid). The state proved the defendant's knowledge by showing that some of the recipients were listed on the website of the Washington Association of Internet Service Providers, where Washington residents who do not want to receive spam can register (Ibid, at 69). Ultimately, the court held that summary judgment for the state was proper (Ibid, at 72).

The State Legislature has proposed a bill that would amend the statute to provide some clarity and strengthen the limitations of the statute, House Bill 1650 concerning commercial solicitation (HB 1650). The proposed bill includes newly defined terms like 'mobile device' and 'established business relationship,' as well as slight changes to the definitions of 'automatic dialing and announcing device' and 'commercial solicitation' so that the statute is more applicable to current and future communication methods. Notably, the bill would also amend the applicability of and exclusions under the statute. One proposed change would prohibit the sending of a commercial electronic message of the like identified above to a person within the state of Washington, rather than to a Washington resident, with a rebuttable presumption that a number with a Washington state area code is within the state of Washington (see Section 5 of HB 1650). The bill also seeks to amend what activities are not considered to be violations of the statute. Namely, the bill includes an exception for such email or text messages sent by a person with an established business relationship with the recipient as well as clarifies the consent exception by requiring the consent to be in writing and, for consents provided electronically, by requiring clear, detailed disclosures about the text messages (see Section 6 of HB 1650). The bill also increases damages from $500 to $1,000 per violation, and limits fee-shifting to reward plaintiffs only.

Washington State also regulates telephone solicitations under Chapter 80.36 of Title 36 of the RCW, which includes calls made by non-profits, calls for polling or soliciting the expression of ideas, and calls to business contacts (§80.36.390 of the RCW). If, at any time during the call, the party asks to not be called again, the person making the call must not call again for at least one year or give out the party's name or phone number to another company or organization (apart from returning their information to the company it came from) (§80.36.390 of the RCW).

The AG is permitted to bring enforcement actions with regard to this statute, although a company's first violation will consist of a warning letter (§80.36.390 of the RCW). An aggrieved party may also bring a civil action in superior court to both prevent future violations and to recover damages, including attorney's fees and costs (§80.36.390 of the RCW).

Due to the widespread practice of fraudulent commercial telephone solicitation, the State Legislature enacted commercial telephone solicitation provisions into law, under Chapter 19.158 of title 19 of the RCW. This statute describes certain requirements telephone solicitors must meet. For example, the solicitor must notify the recipient of a call, within the first minute of a call, with the name of the company who the solicitation is being made on behalf of the identity of the caller, and the product being sold (§19.158.110 of the RCW). Solicitors must also terminate the call within ten seconds if the purchaser indicates they do not wish to continue the conversation, and agree to not contact the consumer again for at least one year if the consumer so requests.

For the purposes of this statute, a commercial telephone solicitation means any unsolicited call by a salesperson for the purpose of inducing a purchase or investment (§19.158.020 of the RCW). This includes giving a free gift or award to a potential purchaser, or other communication that misrepresents the price, quality, or availability of a good, invites a response, and is followed by a call by a salesperson (§19.158.020 of the RCW). Any person who engages in these activities is considered a commercial telephone solicitor (§19.158.020 of the RCW). A commercial telephone solicitor does not include an isolated transaction that is not part of a pattern of repeated transactions, and a call for non-commercial purposes (§19.158.020 of the RCW).

Regardless of where they are located, a commercial telephone solicitor must register with the Washington State Department of Licensing (the Department of Licensing) if they wish to do business in (i.e. make calls to) Washington, or if they are to maintain or defend a lawsuit (§19.158.050 of the RCW). A salesperson who solicits on behalf of an unregistered company will be guilty of a misdemeanor (§19.158.150 of the RCW).

Anyone who knowingly violates this statute will be guilty of a misdemeanor if the value of the transaction made in violation is less than $50 (§19.158.160 of the RCW). If the value of the transaction was more than $50, the violator will be guilty of a gross misdemeanor (§19.158.160 of the RCW). If the value of the transaction is $250 or more, the violator will be guilty of a class C felony (§19.158.160 of the RCW). If multiple violations are made, they may be aggregated into one transaction and sum, for the purpose of determining whether they are to be punished as a class C felony or gross misdemeanor (§19.158.160 of the RCW).

A violation of this statute is deemed an unfair or deceptive act under the Consumer Protection Act under Chapter 19.86 of Title 19 of the RCW (§19.158.030 of the RCW). An injured party may bring an action to recover actual damages, including court costs and attorney's fees (§19.158.130 of the RCW). Additionally, a civil penalty of $500 to $2,000 will be imposed by the court for each violation (§19.158.140 of the RCW). The director of the Department of Licensing may also take disciplinary action (§19.158.040 of the RCW).

Recently, the State Legislature passed, House Bill 1497 concerning commercial telephone solicitation (HB 1497), amending RCW Chapters 80.36 and 19.158 to create more clarity for recipients of such telephone solicitations (including commercial telephone solicitations) identified above. Notably, HB 1497 requires telephone solicitors requesting a donation or monetary gift to ask recipients if they want to continue the call, end the call, or be removed from the solicitor's contact list (see Section 1 of HB 1497). Additionally, if the recipient indicates that they want to end the call, the telephone solicitor must end the call within ten seconds. For situations where recipients want to be removed from a solicitor's contact list, the amendment expands the personal information removed to include any contact information, not just name and phone number, and the solicitor may not contact such recipient at any phone number associated with the recipient, not just the one called in that instance. When making a telephone solicitation, the solicitor must also identify themselves within the first 30 seconds of the call, not just the first minute.

The State Legislature proposed and passed a bill this year, House Bill 1051 concerning robocalling and telephone scams ('HB 1051'), which amends both Chapter 80.36 and Chapter 19.138 to further expand the scope of certain provisions regulating robocalls and telephone solicitations. HB 1051 went into effect on July 23, 2023.


As described in the Health Data section above, MHMD requires regulated entities to publish consumer health data privacy policies. Beginning March 31, 2024, for regulated entities, and June 30, 2024, for small businesses, the Act will require regulated entities to maintain a consumer health data privacy policy that is 'a separate and distinct link on the regulated entity’s homepage' and does 'not contain additional information not required under the Act.' See Protecting Washingtonians' Personal Health Data and Privacy. The policy must clearly disclose the following:

  • the categories of health data collected and the purpose for which the data is collected (i.e., how the data will be used)
  • the categories of sources from which it is collected
  • the categories of consumer health data that is shared a list of categories of third parties and affiliates with whom the regulated entity shares the consumer health data –and–
  • how consumers can exercise their rights provided with the act (Wash. Rev. Code Ann. § 19.373.020).

Unless a regulated entity has previously obtained the consumer's consent to collect, use, or share additional categories of their consumer health data or use such data for additional purposes not disclosed in the entity's consumer health data privacy policy, it is forbidden from doing so. Such entities are also forbidden from contracting with processors to process consumer health data in a manner that is inconsistent with the entity's consumer health data privacy policy. In addition to MHMD,  §40.26.020 of Chapter 40.26 of Title 40 of the RCW requires that an agency that collects biometric identifiers address those identifiers in the agency's privacy policy.

Additionally, businesses with an online presence should ensure they are complying with other state and federal statutes that regulate online privacy policies, such as recent consumer privacy laws enacted in over a dozen  US states that impose privacy policy requirements and Section 5 of the Federal Trade Commission Act of 1914.


Under Chapter 19.215 of Title 19 of the RCW, Washington has enacted a statute to address the disposal of personal information and to ensure the security and confidentiality of personal information during the disposal process, due to the State Legislature's finding that careless disposal can pose a significant threat of identity theft (§19.215.005 of the RCW).

Under this statute, personal financial and health information is defined as 'information that is identifiable to an individual and that is commonly used for financial or healthcare purposes, including account numbers, access codes or passwords, information gathered for account security purposes, credit card numbers, information held for the purpose of account access or transaction initiation, or information that relates to medical history or status' (§19.215.010 of the RCW). Destroying personal information is defined as 'shredding, erasing, or otherwise modifying personal information in records to make the personal information unreadable or undecipherable through any reasonable means' (§19.215.010 of the RCW).

An individual who believes they may have been harmed due to improper data disposal may petition the court for damages or an injunction (§19.215.020 of the RCW). A company is responsible for taking all reasonable steps to destroy personal financial and health information (§19.215.020 of the RCW). If the failure to do so is due to negligence, the court may award a penalty of $200 or actual damages, whichever is greater, plus costs and reasonable attorney's fees (§19.215.020 of the RCW). If the failure to do so is willful, the court may award the greater of $600 or treble damages, although treble damages are capped at $10,000 (§19.215.020 of the RCW). In addition to an individual right of action, this statute also allows the AG to bring a civil action on behalf of the state for damages, injunctive relief, or both, and the court may award the same damages available to an individual plaintiff (§19.215.020 of the RCW).

House Bill 1392 promoting the fair servicing and repair of digital electronic equipment (HB 1392), re-introduced by the State Legislature this year, would add a new chapter to Title 19, relating to the fair servicing and repair of digital electronic equipment and including provisions imposing privacy and security requirements on such providers. See Section 4 of HB 1392.


Artificial intelligence

Washington joins other states in enacting legislation regarding the use of artificial intelligence technologies.  SB 5838 convenes an AI task force with a broad mandate that includes a review of existing protections under state and federal law for individual data and privacy rights and recommendations relating to the appropriate and legal use of training data.

Biometric data

Washington was one of the first states in the country to enact a law to safeguard biometric information. The Biometric Law, under Chapter 19.375 of Title 19 of the RCW, applies to 'biometric identifiers,' which are defined as 'data generated by automatic measurements of an individual's biological characteristics, such as a fingerprint, voiceprint, eye retinas, irises, or other unique biological patterns or characteristics that is used to identify a specific individual' (§19.375.010(1) of the RCW). The Biometric Law goes on to specifically exclude 'a physical or digital photograph, video or audio recording or data generated therefrom, or information collected, used, or stored for health care treatment, payment or operations' from the definition of biometric identifiers (§19.375.010(1) of the RCW).

The Biometric Law prohibits enrolling a biometric identifier in a database for commercial purposes, without first:

  • providing notice;
  • obtaining consent; or
  • providing a mechanism to prevent the subsequent use of a biometric identifier for a commercial purpose.

'Enroll' means to capture a biometric identifier of an individual, convert it into a reference template that cannot be reconstructed into the original output image, and store it in a database that matches the biometric identifier to a specific individual' (§19.375.010(5) of the RCW).

The Biometric Law further prohibits disclosure of biometric data to a third party for a commercial purpose without notice and consent and adequate security as required under the statute, or an applicable exception (e.g. disclosure is necessary to provide/facilitate the requested product or service or financial transaction, litigation, judicial process, required by law, or to a third party who promises not to further disclose or enroll for purposes inconsistent with consent and otherwise complies with the statute) (§19.375.020(3) of the RCW).

Biometric identifiers must be secured using reasonable safeguards and kept only as long as necessary to provide services requested, comply with the law, or protect against claims or other liability (§19.375.020(4) of the RCW).

Facial recognition services

In March 2020, Washington enacted a law to regulate the use of facial recognition services by state and local government agencies, which came into effect July 1, 2021, under Engrossed Substitute Senate Bill 6280 for an Act Relating to the Use of Facial Recognition Services (SB 6280) (RCW Chapter forthcoming). SB 6280 highlights that the use of facial recognition services presents civil liberties risks, and the State Legislature sought to limit government agencies' use of these technologies, including prohibiting their use for ongoing surveillance, real-time identification, or persistent tracking without the use of a warrant, exigent circumstances, or a court order to locate a missing person (Section 11 of SB 6280).

Although most of the obligations in SB 6280 fall on government agencies using facial recognition services, there are also implications for companies that produce and provide these services. SB 6280 requires that 'accountability reports' be published by government agencies who wish to use the services, which must include information about the vendors providing facial recognition services, including, but not limited to, the vendor's name, a description of the service, the data collected and processed by the service, a description of the vendor's security breach notification practices, and the data collected and processed by the service (Section 3 of SB 6280). Further, providers of facial recognition services must make available to government agencies the ability to conduct independent testing of the services for accuracy and bias (Section 6 of SB 6280).

Efforts to directly regulate companies that produce and provide facial recognition services were considered by the State Legislature in 2020 but failed to pass, including a section that would have addressed this in the failed Washington Privacy Act.

Driver and vehicle data

In April 2021, Washington enacted a law enhancing data stewardship and privacy protections for vehicle and driver data obtained by the Department of Licensing, which came into effect July 25, 2021, under Senate Bill 5152 enhancing data stewardship and privacy protections for vehicle and driver data (SB 5152). SB 5152 clarifies allowable uses of personal or identity information and prescribes penalties for data misuse.

Most of the obligations in SB 6280 fall on government agencies using facial recognition services, but as with SB 6280, there are also implications for companies that provide or receive vehicle and driver data. SB 5152 regulates all information or records containing personal or identity information obtained by the Department of Licensing, pursuant to the administration of driver and vehicle records.

Recipients and sub-recipients of such data have an affirmative obligation to take all reasonable actions necessary to prevent the unauthorized disclosure and misuse of personal or identity information. The Department of Licensing may audit or investigate any entity receiving covered data under SB 5152. Finally, all data service contracts with the Department of Licensing must include several mandatory provisions, including audit requirements and limitations and restrictions on the use of personal or identity information.

Senate Bill 5574, re-introduced this year, establishes a pay-per-mile fee system that imposes on Washington agencies and account managers certain minimum privacy standards, including limiting the use of personal information and a requirement to maintain a privacy policy.

Legislation in the area of electric/hybrid car funding may give rise to new privacy regulations as well. The State Legislature re-introduced a bill this year, House Bill 1832 implementing a per mile charge on vehicle usage of public roadways, that would implement a road usage charge system with provisions in place designed to ensure the usage charge system is designed and implemented in a manner that places privacy of the motor vehicle owner as a first principle, especially with regard to location data.

Student data

The State Legislature enacted SB 5593 this year to improve equity in the transfer of student data between K-12 schools and institutions of higher education.  The bill imposes requirements on institutions of higher education regarding data-sharing agreements such institutions must enter into with the office of the superintendent of public instruction to facilitate the transfer of high school student directory information. It also imposes requirements on school districts operating high schools regarding the transmission of directory information for all enrolled high school students to the office of the superintendent of public instruction.