Data Privacy Regulations

Terms of Use

This summary of regulations is provided for information purposes only.
No action based on this summary alone should be undertaken.
Each individual or entity must obtain appropriate guidance for its specific circumstances.


Did You Know?

  • Comprehensive provisions for notifications and a 45-day deadline
  • Limited methods of notification delivery
  • Report to attorney general (within 45 days) with specific information, if applicable
  • Data owners are responsible for breach reporting and notifications
  • Attorney general can take action for noncompliance AND for failing to take precautions against a breach
  • Laws also cover data protection, data disposal, and record retention

Who Me?


Washington breach and notification laws may apply if you are a person or business that:

  • Conducts business in WA and owns or licenses data that includes PII
  • Maintains data that includes PII that you do not own

There are exemptions.

Other state laws, federal laws, industry regulations, and/or out-of-country laws may apply.

What is PII?


PII relevant to a breach in Washington includes a person's name plus one of the following:

  • Social Security Number
  • Driver license or WA identification number
  • Account number or credit or debit card number in combination with any security code, access code or password, etc. permitting access to the person's account



A few applicable laws include, but are not limited to:

  • Title 19 – Business Regulations – Miscellaneous / Chapter 19.255 RCW: Personal Information — Notice of Security Breaches
  • RCW Sections: 19.255.010 Disclosure, notice--Definitions--Rights, remedies; 19.255.020 Liability of processors, businesses, and vendors; 42.56.590 Personal information — Notice of security breaches (for State agencies); and 69.43.168 Pharmacy, shopkeeper, or itinerant vendor


Washington has laws related to the protection, retention and disposal of personal information.  A few of these laws include:

  • Data Disposal:  RCW 19.215.005 to 19.215.020 Destruction of information - Liability - Exception - Civil action
  • Data Retention:  Laws for state agency records, medical records, etc. differ.  Some medical record laws for collection, retention and access can be found in Titles 18, 51, 70, 71, 74, 246, and 388.



Consumers can institute civil action to recover damages. The business may be enjoined. The attorney general may take additional action.



Considerations for reporting requirements include, but are not limited to:

  • The combination of personal information breached
  • If the data was computerized
  • If the data was secured
  • If the data included any kind of key or cipher
  • If it was acquired by an unauthorized person
  • If there is a risk of harm


The notification may be delayed if law enforcement advises the person that it will interfere with an investigation; otherwise, the notification must be made in the most expedient time possible and without unreasonable delay, but within 45 days.

If notification is required to more than 500 residents, the breach must also be reported, without unreasonable delay but within 45 days, to the state attorney general. There are specific instructions on what should be included.


Requires detailed information and potential provision of services

Detailed information must be included in the notification. It may only be delivered by mail or email, with stipulations.

A substitute notice, with specific requirements, may be sent if the business demonstrates that the cost will exceed $250,000, that the number of persons to be notified exceeds 500,000, or that it does not have sufficient contact information.
