Washington My Health My Data Act
Effective date
Penalty
Violations are per se unfair or deceptive under the Washington Consumer Protection Act. $7,500 or more per violation. Private right of action. Opt-in consent…
Obligations mapped
Tracked
Overview
Broad health data privacy law covering health data collected outside HIPAA, including data from health-related AI tools, wearables, and wellness apps. Defines consumer health data extremely broadly to include data not typically considered health-related: biometric data, bodily function data, and inferences derived from non-health data. Applies to Washington residents and any person whose health data is collected in Washington (potential extraterritorial reach). Much broader than reproductive health alone: it covers all consumer health data outside HIPAA. Geofencing ban around healthcare facilities effective July 2023. Regulated entities: compliance from March 31, 2024; small businesses from June 30, 2024. Multiple lawsuits filed, establishing early case law.
This is a privacy law with automated decision-making provisions.
See if this regulation applies to your company with the free exposure scan.
Who this applies to
This regulation applies to the following roles:
- Deployers and users of covered AI systems and tools
- Organizations operating in Washington
This regulation applies to companies that use or deploy AI tools and systems built by other vendors. If your company uses AI-powered products in the areas listed below, this regulation may apply to you.
See enrolled statute text at the official source.
AI categories covered
- Healthcare AI
- Consumer-facing AI
Specific AI use cases:
- Diagnostic and clinical AI
- clinical decision support
- insurance prior auth
- Chatbots and virtual assistants
- Customer profiling and segmentation
What this requires you to do
Detailed obligation packs are not yet mapped for this entry in XIRA. Obligation areas from the catalog are listed below.
What this requires you to do
Consent required
Obtain consent. Get explicit permission from individuals before collecting or using their data with AI.
Transparency notice required
Provide transparency notices. Inform affected individuals that AI is being used and how it influences decisions.
Data access rights
Provide data access. Consumers can request access to data collected and used by your AI systems.
Regulation summaries are simplified for readability and may not capture every nuance of the underlying statute. Verify important details against primary sources linked on this page.
Enforcement and penalties
Violations are per se unfair or deceptive under the Washington Consumer Protection Act. $7,500 or more per violation. Private right of action. Opt-in consent required for collection and sharing of consumer health data.
Private right of action: plaintiffs may bring direct claims in addition to government enforcement.
Penalty amounts are based on statutory text and may be subject to adjustment, judicial interpretation, or enforcement discretion.
Legislative history
effective
Effective for small businesses
effective
Effective for regulated entities
signed
Signed by Governor Inslee
Related regulations
- UpcomingAI-Specific
Washington AI Content Disclosure Act (HB 1170)
AI content provenance and watermarking requirements for providers with 1 million or more monthly Washington users. Requires latent disclosures (watermarks) in AI-generated image, video, and audio content. Extended implementation period to January 1, 2028. Only applies to providers with 1 million or more monthly Washington users. Closely aligned with California SB 942 (California AI Transparency Act). AG-exclusive enforcement under the Consumer Protection Act. No private right of action.
Effective
- UpcomingAI-Specific
Washington SB 5395 (AI in Health Insurance Prior Authorization)
Enacted as Chapter 157, Laws of 2026; Governor signed March 23, 2026; effective June 11, 2026. AI tools may be used to approve prior authorization requests but may not deny care without human review by a licensed physician or health professional. Where applicable, managed care organizations may need to report the percentage of total denials aided by AI. Periodic performance reviews of AI tools may be required for accuracy and reliability.
Effective
- In EffectAI-Specific
Washington Election Deepfake Disclosure (SB 6280)
Requires clear and conspicuous disclosure when AI-generated or AI-manipulated media is used in political advertising or communications. One of the first state laws specifically targeting deepfakes in elections.
Effective
- In EffectAI-Specific
Washington Fabricated Intimate Images (2024)
Criminalizes creation and distribution of AI-generated intimate images without consent. Provides civil remedies for victims.
Effective
- In EffectAI-Specific
Washington Forged Digital Likenesses (HB 2459)
Extends Washington's existing forgery and identity theft statutes to cover AI-generated digital likenesses used for fraudulent purposes.
Effective
- UpcomingAI-Specific
Washington AI Chatbot Safety for Minors (HB 2225)
First-in-nation law requiring AI chatbot operators to disclose AI nature at regular intervals (every 3 hours for adults, every hour for minors) and implement safety measures to protect minors from manipulation, explicit content, and emotional exploitation. Includes self-harm and crisis protocols. Targets conversational AI engagement patterns specifically.
Effective
Washington AI regulation guide lists every tracked rule for this jurisdiction with timelines and obligation tallies.
Regulation summaries are simplified for readability and may not capture every nuance of the underlying statute. Verify important details against primary sources linked on this page.