Navigating Data Privacy in Washington State: A 2026 Outlook for Businesses

Introduction

For Washington businesses, data privacy has evolved beyond a technical concern to become a central legal and operational reality. The landscape in 2026 is defined by significant new laws, aggressive enforcement and a surge in private lawsuits. This article examines the key trends driving that shift, helping organisations understand both the legal requirements and the practical steps needed to thrive. Complex legal developments are distilled into clear, actionable insights for business leaders and operational teams, offering organisations a roadmap for the coming year’s critical compliance and risk management priorities. 

Key Legal and Regulatory Updates for 2026

Washington’s regulatory environment has solidified with the full implementation and maturation of several key laws. The Washington My Health My Data Act (MHMDA) remains a cornerstone, but its interpretation by the Attorney General’s office has clarified several previously ambiguous points. Furthermore, though Washington’s first-of-its-kind “Washington Privacy Act” was never passed, businesses in Washington are now operating under its functional equivalent thanks to a combination of sector-specific rules, aggressive application of the Consumer Protection Act (CPA) to data practices, and other states having used the Washington Privacy Act as the basis of their comprehensive state privacy law.

The most significant development is the expansion of “health data” definitions under the MHMDA and related laws. The Washington Attorney General’s office and private plaintiffs can now enforce an administratively broadened law and focus on a wide array of computer-generated information rather than just traditional medical records. This expansion directly impacts businesses far beyond the healthcare sector.

• Newly included data types: purchase histories for supplements, fitness tracker data, search queries related to medical symptoms, and wellness app information (even from general mindfulness apps) are now routinely treated as protected health data.
• Geofencing restrictions: the use of geofencing technology to identify and target consumers near healthcare facilities is now virtually prohibited, with severe penalties for violations.
• Universal consumer rights: inspired by broader trends, Washington now expects all businesses, regardless of size or sector, to honour core consumer rights for health data – the right to access, delete and correct their personal data, and to opt out of its sale.

Plaintiff attorneys are actively leveraging the CPA to protect consumer rights and enforce compliance with privacy laws. Courts now construe the CPA to grant consumers rights such as the right to access, correct, delete and opt out of the sale of their personal data, and to require businesses to be transparent about their data practices and to limit data collection to necessary purposes. With litigants able to recover attorneys’ fees and treble damages for violations, the CPA offers a significant financial incentive for plaintiff attorneys.

Emerging Litigation Trends: Where the Legal Battles Are Happening

Litigation is no longer dominated solely by regulatory actions. A thriving ecosystem of private plaintiff lawsuits has emerged and extends well beyond the MHMDA’s private right of action. These cases are setting costly precedents and creating new liabilities. The plaintiff’s bar has become sophisticated in identifying technical violations that can lead to statutory damages, which can quickly scale for large customer bases. Some of the more common claims include the following.

• Failure to have a health data privacy notice: the MHMDA requires a separate health data privacy notice in addition to the general website privacy notice.
• Collection of health data without consent: tracking technologies collecting information about a visit to certain websites or products/services contained on those websites without affirmative express consent are a violation of the MHMDA. See further below regarding implied consent challenges.
• Sharing health data: similarly, “sharing” or “selling” health data to third parties, such as website analytics providers, without authorisation can be problematic.

Additionally, these cases rarely rely only on the MHMDA and typically incorporate other causes of action.

Another major trend is the rise of “dark pattern” litigation. Plaintiffs’ attorneys are successfully arguing that website designs and user interfaces that make it difficult to find privacy controls or that nudge users towards sharing data constitute unfair or deceptive practices under the CPA. Simply having a privacy notice is no longer a defence if the actual user experience contradicts disclosures or hides consumer choices.

• Examples of alleged “dark patterns”: buried consent buttons, pre-checked boxes for data sharing, confusing toggle switches, and requiring account creation to exercise data rights.
• Implied consent challenges: businesses that claim “implied consent” from continued website use are losing cases, as courts demand clear, affirmative and unbundled consent for data collection and sharing.
• Vendor liability: lawsuits increasingly name both the primary business and its third-party data processors (such as analytics or marketing vendors), arguing shared responsibility for unlawful data flows.

In parallel with the trends described above, businesses should expect expansive privacy litigation around AI-driven profiling and automated decision-making that leverage broad categories of “health data”, including purchase histories for supplements, fitness tracker outputs, symptom-related search queries, and wellness app information, all of which are now routinely treated as protected. This expansion heightens discrimination and bias risk for businesses that deploy machine-learning models in marketing, personalisation or eligibility determinations, because allegedly biased inferences or opaque data flows can be framed as unlawful “collection”, “sharing”, or “sale” of health data without clear, affirmative and unbundled consent. Implicit in the “dark patterns” litigation described above is the argument that confusing consent flows or buried controls render algorithmic processing non-transparent or deceptive. Litigants are increasingly targeting both the primary business and its analytics or marketing vendors under shared-responsibility theories. Businesses should expect courts and regulators to assess the reasonableness of governance over AI tools (including vendor use of business data to train models) and to treat vendor practices as extensions of the business, reinforcing the need for contractual audit rights and alignment between disclosures and actual data flows.

Businesses can further expect fallout from the 2026 Washington Supreme Court ruling in Brown v Old Navy (2:23-cv-00781-JHC) that advertisers cannot send emails that contain any false or misleading information in the email subject line. Brown expands the scope of Washington’s anti-spam law, the Commercial Electronic Mail Act (CEMA). CEMA was passed in 1998 to address the influx of unsolicited, deceptive or misleading commercial emails received by Washington consumers. The court in Brown construed the law broadly, holding that it prohibits any false or misleading information in the subject line, even information that only misrepresents the commercial nature of the message such as “Today Only” or “Three Days Only” for a sale that in fact lasts longer than advertised. Washington businesses should exercise caution when relying on their email marketing vendors to ensure compliance with anti-spam laws. Most vendors are familiar with the federal Controlling the Assault of Non-Solicited Pornography and Marketing Act (CAN-SPAM), but CAN-SPAM does not pre-empt state laws that prohibit material falsity or deception in any portion of a commercial email. Businesses now face penalties of up to USD500 per violation or actual damages, whichever is greater, if their email subject line creates a false sense of urgency about discounts.

As is the case elsewhere, the plaintiffs’ bar in Washington is actively monitoring data breach reports, searching out affected individuals, and filing follow-on class action complaints. Evolving Washington case law has recognised potential common law duties to safeguard information, and that organisations that manage greater amounts of sensitive data have a correspondingly greater duty to safeguard that information. Organisations in particular sectors that are known to be targeted by data thieves (such as healthcare and education) may be particularly easy targets for plaintiff class action lawyers, since the evolving case law seems to assume that entities in those sectors know of the risk and should implement correspondingly greater security measures. Class action lawyers are also becoming more creative in the claims they plead, evolving from mere negligence allegations to claims of breach of contract, breach of fiduciary duty, and violations of Washington’s CPA, which allows for recovery of fees and treble damages.

Furthermore, Washington businesses need to be mindful of privacy class actions that have been sweeping across the country. For example, Washington businesses that do not do business with consumers in other states or only operate business to business (B2B) may still be served with a complaint alleging various state and federal theories, such as under the California Invasion of Privacy Act (CIPA), the Electronic Communications Privacy Act (ECPA) and the Video Privacy Protection Act (VPPA). Businesses should also continue to monitor laws enacted in other states, such as Maryland’s new Online Data Privacy Act (MODPA), which requires businesses of a certain size to obtain explicit consent from individuals before collecting or sharing their precise location information. Designed to prevent unauthorised tracking or surveillance, MODPA encompasses information obtained from GPS, Wi-Fi, Bluetooth, cellular tower triangulation or similar technologies. MODPA’s geolocation restrictions mirror the geofencing limitations in the MHMDA, and businesses can and should expect Washington courts and regulators to take note of how MODPA is enforced and interpreted in Maryland.

While there is currently no Washington law involving children’s data or requirements of age-appropriate website or app design, businesses can expect a greater focus on children’s privacy under other state and potentially federal legal initiatives. Similarly, Washington businesses will face challenges and risks when handling personal data of non-Washington residents, as the patchwork collection of state comprehensive and sector-specific privacy laws continues to grow.

Washington businesses can protect themselves by having an updated and accurate website privacy notice, obtaining consent through a cookie banner that is properly operating, avoiding dark patterns, tightening their vendor contracts, and continuously monitoring their security protocols so as to have an auditable paper trail of best practices should data thieves strike and class action lawyers follow.

Top Compliance Challenges for Businesses

Moving beyond understanding the law, the practical task of compliance presents several consistent challenges. First is the mapping and inventory dilemma. Many organisations still lack a clear, real-time picture of what data they collect, where it flows and with whom it is shared. This foundational gap makes complying with access, deletion and opt-out requests operationally impossible.

Secondly, the vendor management life cycle has become a high-stakes compliance area. The old practice of signing a vendor’s standard data agreement is now a major liability. Businesses must actively manage their third-party relationship with ongoing diligence and enforceable contractual protections that match regulatory duties. In addition to verifying that vendors do not share, sell or otherwise use customer data or personal information for their own purposes, businesses must grapple with the risk of vendors using business data to train AI tools. Contractual restrictions, even if legally enforceable against the vendor, may not offer a satisfactory defence if a customer’s data is leaked or otherwise disclosed due to a vendor’s failure to follow its own promises. Businesses should take steps to assess their vendors’ cybersecurity and privacy compliance systems, and should reserve the right to audit a vendor’s tools to ensure that their promises match what their contracts say.

Finally, incident response preparedness has shifted. The legal standard is no longer just about notifying authorities after a breach. Regulators and plaintiffs examine the reasonableness of data security practices before the incident. Documented privacy impact assessments, regular employee training, and encryption standards are scrutinised to determine whether negligence occurred. What was considered “reasonable” five or ten years ago is no longer reasonable; data security practices must be regularly reviewed and updated to take into account changing technologies and risk vectors.

Actionable Recommendations for 2026

Conduct a “Privacy Maturity Audit”

This goes beyond a data map to assess policies, vendor contracts, website user experience, and employee training against current enforcement priorities. Review retention and deletion schedules to ensure data minimisation over time. Develop detailed, test incident response “playbooks” and conduct tabletop exercises. Consider routine privacy impact assessments for all new products, marketing initiatives and vendor onboarding to align with the evolving “reasonableness” standard. The goal is not perfection – it is prioritisation. Identify your single greatest compliance gap and draft a concrete remediation plan to address it immediately with defined ownership and timelines.

Review your vendor contracts

Next, revamp your vendor contracts. Ensure that every agreement with a service provider that touches personal data includes explicit requirements for:

• assisting with consumer rights requests;
• mandatory breach notification; and
• the right to audit vendor compliance.

Regulators increasingly treat vendor practices as an extension of the business itself, and enforcement actions reflect that reality. Although Washington does not have specific statutory requirements for vendor contracts outside the MHMDA, Washington businesses can leverage broader requirements in other state privacy laws for a standard vendor contract framework.

Design privacy interfaces defensively and transparently

Implement clear, layered and consumer-friendly privacy interfaces. Design your website and app privacy controls with the assumption that they will be exhibits in a court proceeding. Use plain language, make opt-out paths as easy as opt-in, and document all consumer choices meticulously. Well-designed interfaces are not just compliance tools – they are reputational safeguards.

Immediate priority checklist

• Audit all website and app user flows for potential “dark patterns”.
• Designate a point person responsible for responding to consumer rights requests within the legally mandated timelines, and implement practical steps for verifying requestor identity and handling fraudulent rights requests.
• Update breach response plans to include scenarios involving the broadened definition of health data.
• Schedule annual privacy training for all employees, with specialised training for marketing and product development teams.
• Conduct regular audits of security practices to establish a pattern of best practices.
• Put in place regular, and no less frequently than annual, review of privacy notices and internal policies.

Conclusion: Building Trust as a Competitive Advantage

The data privacy landscape in Washington for 2026 is complex, but also presents an opportunity. Organisations that view privacy compliance merely as a legal burden will struggle with costs and litigation. Given the Attorney General’s enforcement posture, the availability of attorneys’ fees and treble damages, and evolving expectations that businesses honour universal consumer rights to access, delete, correct and opt out of the sale of health data, companies face material exposure if they cannot demonstrate explainability, auditable consent, vendor oversight, and defensible design of privacy interfaces for AI-related and traditional processing. Companies that proactively adopt transparent and respectful data practices will build deeper trust with their customers. This trust is becoming a measurable competitive differentiator. By investing in robust privacy programmes now, companies are not just avoiding fines but are also future-proofing business operations, enhancing brand reputation and fostering lasting customer loyalty in an era where data stewardship is paramount.