open-agreements 0.7.7 → 0.8.0

package/skills/legal-explainers/data-privacy-law-explainer/content/washington.md

@@ -0,0 +1,247 @@
+---
+jurisdiction: "Washington"
+slug: washington
+countryCode: US
+snapshotAsOf: "2026-06-19"
+lastReviewed: "2026-06-11"
+canonicalUrl: https://openagreements.org/practice-guides/privacy/us/washington
+license: CC BY 4.0
+stale: false
+---
+
+> [!IMPORTANT]
+> **Informational only — not legal advice.** This is a snapshot of an OpenAgreements practice note,
+> provided for general information. It is not legal advice, does not create an attorney-client
+> relationship, and is not a substitute for a licensed attorney in the relevant jurisdiction.
+> Laws change; verify against the canonical version before relying on it.
+>
+> **Canonical:** https://openagreements.org/practice-guides/privacy/us/washington · **Snapshot as of:** 2026-06-19 · License: CC BY 4.0 · © openagreements.org
+
+# Washington Consumer Privacy Law (My Health My Data Act)[^about]
+
+Washington has no comprehensive consumer-privacy statute, but the My Health My Data Act (ch. 19.373 RCW) reaches biometrics, precise location, and health inferences across most consumer businesses — and a violation is a per se Consumer Protection Act violation that consumers can sue over.
+
+
+## At a glance
+
+| Question | Washington |
+| --- | --- |
+| **Law coverage** | Specific data types only |
+| **Summary** | Washington never passed a comprehensive privacy act, but the My Health My Data Act functions like one for a wide swath of businesses — consumer health data includes biometrics, precise location, and inferences, every covered business needs a separate homepage-linked health-data privacy policy, selling that data requires a signed authorization, and violations carry class-action exposure through the Consumer Protection Act. |
+| **Main law** | My Health My Data Act, ch. 19.373 RCW (main regulated-entity duties operative March 31, 2024; small-business duties generally June 30, 2024; geofencing ban separately in force), alongside the breach-notification statute (ch. 19.255 RCW) and the biometric-identifier statute (ch. 19.375 RCW) — Washington has no comprehensive consumer-privacy act |
+| **Privacy policy required?** | Yes — a dedicated consumer health data privacy policy with statutorily fixed contents and a prominently published homepage link (RCW 19.373.020); no Washington statute fixes the contents of a general privacy policy |
+| **Who does it cover?** | Any legal entity that conducts business in Washington or targets products or services to Washington consumers and determines how consumer health data is handled — a category that sweeps in biometrics, genetic data, precise location near health services, and health inferences derived from non-health data, so many non-health businesses are covered; small businesses generally had later dates, not an exemption |
+| **Can consumers sue?** | Yes |
+| **Privacy policy rule** | Policy required only for specific data |
+| **Consent for sensitive data?** | Only for certain data types |
+| **Browser opt-out signals?** | Not required |
+| **Lawsuit detail** | Yes — an MHMDA violation is a per se Consumer Protection Act violation (RCW 19.373.090), so consumers injured in their business or property can sue under RCW 19.86.090; the biometric chapter, by contrast, is Attorney General-only |
+| **Who enforces it?** | Washington Attorney General (under the Consumer Protection Act), alongside private CPA suits |
+
+## Which privacy laws apply to your business in Washington? {#which-privacy-laws-apply}
+
+**Short answer.** Washington has no comprehensive consumer-privacy statute, but the My Health My Data Act (MHMDA), chapter 19.373 RCW, functions as a near-comprehensive law in practice. It covers any legal entity that conducts business in Washington or targets products or services to Washington consumers and that determines the purpose and means of collecting, processing, sharing, or selling *consumer health data* [^q1-regulated-entity] — and it defines that data to reach far beyond health companies: reproductive and sexual health information, biometric data, genetic data, precise location information that could indicate an attempt to obtain health services, and data identifying a consumer seeking health care services all qualify [^q1-chd-definition], as do inferences about health derived or extrapolated from non-health information by algorithms or machine learning [^q1-chd-inference].
+
+The legislature enacted the MHMDA to close the gap left by HIPAA, which protects health data only when specific health care entities hold it — health data collected by non-covered entities such as apps and websites had no equivalent protection [^q1-mhmda-intent]. The result is that an ad-tech platform, a retailer with a wellness aisle, a fitness or period-tracking app, or a data broker can be a *regulated entity* even though it would never think of itself as a health business. The act also protects more than Washington residents: a *consumer* is a Washington resident or any natural person whose consumer health data is collected in Washington, acting in an individual or household context — employees acting in an employment context are excluded [^q1-consumer-def].
+
+There is no revenue floor. A *small business* — one that handles consumer health data of fewer than 100,000 consumers a year, or derives less than half its revenue from such data and handles fewer than 25,000 consumers' data — is covered rather than exempt [^q1-small-business]. Many core duties, including policy, collection and sharing, rights, security, processor-contract, and sale-authorization duties, had section-specific June 30, 2024 dates for small businesses [^q1-policy-small-business-date] [^q1-collection-small-business-date] [^q1-rights-small-business-date] [^q1-security-small-business-date] [^q1-processor-small-business-date] [^q1-sale-small-business-date]; the geofencing ban is not written with that same small-business delay [^q1-geofence-ban]. The exemptions are framed around categories of information rather than whole entities: information that is protected health information under HIPAA is outside the act [^q1-exemptions-phi], and personal information governed by the Gramm-Leach-Bliley Act, the Fair Credit Reporting Act, or FERPA is likewise exempt [^q1-exemptions-federal]. A HIPAA-covered business is not exempt as an entity; only its exempt data sets, such as PHI and the other categories listed in RCW 19.373.100, fall outside the act [^q1-exemptions-health].
+
+Two older statutes round out the state framework. Chapter 19.375 RCW restricts enrolling a *biometric identifier* in a database for a commercial purpose without notice, consent, or an opt-out mechanism [^q1-biometric-enroll], and chapter 19.255 RCW requires any person or business doing business in Washington to notify residents when unsecured personal information is breached [^q1-breach-duty]. The breach statute is covered below; chapter 19.375 matters chiefly as an AG-only biometric contrast. Washington has no standalone direct-to-consumer genetic-testing privacy statute; genetic data is instead regulated as *consumer health data* under the MHMDA's definition [^q1-chd-definition].
+
+Washington came close to flipping to a comprehensive regime: the People's Privacy Act (House Bill 1671) would have imposed data-minimization duties and opt-in consent across all personal data, but it died in the House Appropriations Committee when the Legislature adjourned sine die on March 12, 2026. Sponsors are expected to try again, so the MHMDA-centered framework described here is what governs for now — and a program built to the MHMDA's consent-first architecture would already satisfy much of what a future omnibus law would likely ask.
+
+## What must your Washington consumer health data privacy policy contain? {#privacy-policy-contents}
+
+**Short answer.** Washington requires a dedicated *consumer health data privacy policy*, with contents fixed by statute. Beginning March 31, 2024, a regulated entity must maintain a policy that clearly and conspicuously discloses: the categories of consumer health data collected and the purposes for which they are collected, including how the data will be used; the categories of sources; the categories of consumer health data shared; a list of the categories of third parties *and the specific affiliates* with whom the data is shared; and how consumers can exercise their statutory rights [^q2-policy-contents]. The business must also prominently publish a link to that policy on its homepage [^q2-homepage-link].
+
+Small businesses had until June 30, 2024 to comply [^q2-small-business-date]. Treat the statutory list as a drafting checklist — each of the five items must appear on the face of the policy. Note one element that goes beyond the generic state-law pattern: third parties may be disclosed by category, but affiliates that receive consumer health data must be listed specifically. The homepage link rule is broader than a root landing page: *homepage* includes any webpage where personal information is collected and, for a mobile app, the platform or download page plus an in-app link [^q2-homepage-definition].
+
+The policy is also a ceiling on conduct, not just a disclosure exercise. A business may not collect, use, or share additional categories of consumer health data, or use existing data for additional purposes, without first disclosing the addition and obtaining the consumer's affirmative consent [^q2-new-categories] [^q2-new-purposes], and it is a violation of the act to contract with a processor to process consumer health data in a manner inconsistent with the policy [^q2-processor-consistency]. The statute names a distinct policy and a distinct homepage link, so a conservative approach is to publish the consumer health data privacy policy as its own standalone document with its own homepage link, rather than folding the disclosures into a general privacy notice [^q2-homepage-link].
+
+No Washington statute fixes the contents of a *general* consumer privacy policy. For data outside the MHMDA, the operative discipline is the federal one: under Section 5 of the FTC Act, a published policy that misstates how you actually collect, use, or share data can be treated as deceptive [^q2-ftc5]. The practical rule for the general policy is therefore accuracy; the practical rule for the consumer health data policy is the statutory checklist.
+
+## When do you need consent — and when a signed authorization — to handle health data in Washington? {#consent-and-authorization}
+
+**Short answer.** The MHMDA runs on a two-tier opt-in structure, with a third, stricter tier for sales. For regulated entities after March 31, 2024, and small businesses after June 30, 2024, a business may not *collect* consumer health data except with the consumer's consent for a specified purpose, or to the extent necessary to provide a product or service the consumer requested [^q3-collection-consent] [^q3-small-business-date]. It may not *share* that data except with a consent that is separate and distinct from the collection consent, or again as necessary to provide the requested product or service [^q3-sharing-consent]. And it is unlawful for any person to *sell* consumer health data without first obtaining a valid authorization signed by the consumer — separate and distinct from both consents [^q3-sale-authorization].
+
+Consent under the act is demanding. It means a clear affirmative act signifying freely given, specific, informed, opt-in, voluntary, and unambiguous agreement — and the statute expressly disqualifies acceptance of broad terms of use, hovering over or closing content, and agreement obtained through deceptive designs [^q3-consent-definition]. The consent request itself has fixed contents: it must be obtained before the collection or sharing and must clearly and conspicuously disclose the categories of data, the purpose and specific ways the data will be used, the categories of recipients, and how to withdraw consent [^q3-consent-request]. A pre-checked box, nudging cookie banner, or buried onboarding clause is high-risk under that standard.
+
+The sale tier is closer to a HIPAA-style authorization than to an opt-out. The signed authorization must be a plain-language document that identifies the specific consumer health data sold, the seller and purchaser contact information, the sale purpose, how the data will be gathered, and how the purchaser will use it. It also must say that goods or services cannot be conditioned on signing, explain revocation, warn about redisclosure, expire one year from signature, and include the consumer's signature and date [^q3-authorization-contents]. The authorization is invalid if it is expired, incomplete, revoked, combined with other documents, or made a condition of goods or services; a copy must go to the consumer, and the seller and purchaser must retain authorizations for six years [^q3-authorization-contents]. Because *sale* means an exchange for monetary or other valuable consideration, routine data-monetization arrangements involving consumer health data are effectively gated behind annual, revocable, signed paperwork — which in practice means most businesses simply do not sell such data.
+
+## What must your contracts with vendors and processors say? {#vendor-contracts}
+
+**Short answer.** For consumer health data, a written contract is a statutory requirement. A processor may process such data only pursuant to a binding contract that sets forth the processing instructions and limits the actions the processor may take with the data it handles on the business's behalf [^q4-processor-contract].
+
+The act adds three teeth to that baseline. The processor must assist the business, through appropriate technical and organizational measures, in fulfilling the business's own MHMDA obligations [^q4-processor-duties]. A processor that departs from the instructions or processes data outside the scope of its contract stops being a processor — it is treated as a regulated entity itself, subject to the full statute for that data [^q4-outside-scope]. And on the controller side, contracting with a processor to process consumer health data in a manner inconsistent with the published consumer health data privacy policy is itself a violation [^q4-policy-consistency] — so the DPA and the policy have to be drafted against each other, not in separate silos.
+
+The same operating model has a security duty. A covered business must restrict employee, processor, and contractor access to consumer health data to what is necessary for the consented purposes or for a requested product or service, and it must maintain administrative, technical, and physical data-security practices that satisfy at least the reasonable standard of care in its industry [^q4-security-duty]. Small businesses had until June 30, 2024 to comply with that data-security section [^q4-security-small-business-date].
+
+Outside the MHMDA, Washington has no omnibus data-processing-agreement statute; vendor terms for ordinary personal data are driven by the sectoral overlay and by contract practice. The GLBA Safeguards Rule requires financial institutions to bind service providers by contract to implement and maintain safeguards [^q4-glba-safeguards], and HIPAA requires a business-associate agreement with mandatory data-protection terms before protected health information is shared [^q4-hipaa-baa]. A practical template for Washington vendors carries the MHMDA elements — documented instructions, scope limits, assistance duties — across the whole engagement, since the same vendor often touches both health and non-health data.
+
+## What rights can Washington consumers exercise over their health data? {#consumer-rights}
+
+**Short answer.** Three rights, each enforceable on a 45-day clock. A consumer has the right to confirm whether a business is collecting, sharing, or selling consumer health data about them and to access it — including a list of all third parties and affiliates that received the data and an active email address or other online mechanism for contacting those third parties [^q5-access]. A consumer may withdraw consent to collection and sharing [^q5-withdraw]. And a consumer may have the data deleted — a deletion that must reach every part of the business's network, including archived and backup systems, and that the business must propagate by notifying all affiliates, processors, contractors, and other third parties that received the data [^q5-delete].
+
+Requests must be honored without undue delay and in all cases within 45 days of receipt, with one 45-day extension available when reasonably necessary [^q5-deadline]. For deletion, data on archived or backup systems gets a limited runway — the deletion there may be delayed up to six months from authentication of the request [^q5-delete]. The third-party-list element of the access right is unusually operational: honoring it requires recipient-level records of where consumer health data went, not just category-level disclosures.
+
+A business must also stand up an appeal process: if it refuses to act on a request, the consumer may appeal, the business must answer the appeal in writing within 45 days, and a denial must come with a way to complain to the Attorney General [^q5-appeal]. A business may not unlawfully discriminate against a consumer for exercising any right under the act [^q5-nondiscrimination].
+
+The MHMDA does not create the targeted-advertising or profiling opt-out structure common in omnibus privacy statutes; instead, its operative rules are consent, withdrawal of consent, deletion, and sale authorization [^q5-collection-consent] [^q5-sharing-consent] [^q5-withdraw] [^q5-delete] [^q5-sale-authorization]. That means there is no universal opt-out preference signal rule such as Global Privacy Control in the MHMDA.
+
+## Can you use geofencing near health care facilities in Washington? {#geofencing-ban}
+
+**Short answer.** No — not for anything touching consumer health data. The MHMDA makes it unlawful for *any person* to implement a geofence around an entity that provides in-person health care services where the geofence is used to identify or track consumers seeking health care services, to collect consumer health data from them, or to send them notifications, messages, or advertisements related to their health data or health care services [^q6-geofence-ban].
+
+The ban is flat: it applies to any person, not just regulated entities; it has no consent exception — a consumer cannot agree to be geofenced out of it; and unlike the act's other duties, the section's text carries no delayed compliance date for small businesses [^q6-geofence-ban]. A *geofence* is a virtual boundary of 2,000 feet or less around a physical location, established by GPS, cell-tower connectivity, cellular data, RFID, Wi-Fi data, or any other form of spatial or location detection [^q6-geofence-def].
+
+Note how wide the protected zone is. *Health care services* means any service to assess, measure, improve, or learn about a person's mental or physical health [^q6-hcs-def] — which reaches pharmacies, counseling offices, reproductive-health clinics, and dispensaries when they provide qualifying health-care or medication-related services, not just hospitals. Location-based advertising programs need a Washington-specific suppression rule around such facilities, because this is the one MHMDA provision that no consent flow can cure.
+
+## When must you notify people of a data breach in Washington? {#breach-notification}
+
+**Short answer.** Any person or business that conducts business in Washington and owns or licenses data including personal information must disclose a breach of the security of the system to every Washington resident whose unsecured personal information was, or is reasonably believed to have been, acquired by an unauthorized person — though notice is not required if the breach is not reasonably likely to subject consumers to a risk of harm [^q7-breach-duty]. Notice to affected consumers must go out in the most expedient time possible and no more than 30 calendar days after the breach was discovered [^q7-thirty-days]. If a single breach requires notifying more than 500 Washington residents, the business must also notify the Attorney General within the same 30-day window [^q7-ag-notice].
+
+*Personal information* is broader in Washington than in many breach statutes: beyond name plus Social Security, driver's license, or financial-account numbers, it includes full date of birth, electronic-signature private keys, student, military, and passport ID numbers, health-insurance IDs, medical-history information, biometric data used to identify an individual, and username-or-email plus password combinations. It also includes those listed data elements without a name if they were not rendered unusable and would enable identity theft [^q7-pi-definition]. Encryption is the main safe harbor — the duty attaches to information that was not *secured*, meaning encrypted to at least the NIST standard or otherwise rendered unusable [^q7-secured] — but even encrypted data triggers notice if the key was also compromised [^q7-breach-duty].
+
+For health-sector businesses there is a federal bridge: a HIPAA covered entity is deemed compliant with the chapter for protected health information if it complies with the HITECH Act's breach-notification provisions, though it must still notify the Washington Attorney General [^q7-hipaa-deemed]. The AG notice itself has fixed contents — affected-resident counts, data types, exposure timeframe, containment steps, and a sample consumer notice — and must be updated if information was unknown when first due [^q7-ag-notice].
+
+## Can a consumer sue your business under Washington privacy law? {#consumer-lawsuit}
+
+**Short answer.** Yes — and this is the headline risk of the MHMDA. The act declares that a violation is an unfair or deceptive act in trade or commerce and an unfair method of competition for purposes of applying the Consumer Protection Act, and that the practices it covers are matters vitally affecting the public interest [^q8-mhmda-cpa]. That per se designation plugs directly into the CPA's private remedy: any person injured in business or property by a CPA violation may sue for actual damages, costs, and attorney fees, and the court may treble damages up to $25,000 [^q8-cpa-private-action]. The CPA confirms the chain — a claimant can establish public-interest injury by showing the act violates a statute that incorporates the CPA [^q8-cpa-per-se].
+
+The contrast with Washington's biometric chapter shows the design was deliberate: chapter 19.375 RCW says expressly that it may be enforced solely by the Attorney General [^q8-biometric-ag-only]. Unlike chapter 19.375, chapter 19.373 has no AG-only enforcement clause; private plaintiffs therefore proceed through the CPA remedy in RCW 19.86.090, subject to injury and causation [^q8-cpa-private-action]. Public enforcement runs in parallel: CPA violations can carry civil penalties of up to $7,500 per RCW 19.86.020 violation, and the Attorney General may petition to recover civil penalties [^q8-cpa-penalties]. The MHMDA contains no cure period, so there is no statutory grace window before either a consumer suit or an AG action.
+
+The central open question for private suits is the CPA's injury element: plaintiffs must still prove injury to business or property and causation [^q8-cpa-private-action], and whether unconsented collection or sharing of health data alone satisfies that element is untested.
+
+The breach statute carries its own, separate consumer remedy: an action to enforce chapter 19.255 may not be brought through the CPA's private-action section, but any consumer injured by a violation of that chapter may institute a civil action for damages directly under it [^q8-breach-pra]. So a notification failure adds direct consumer-suit exposure on top of the Attorney General's parens patriae authority.
+
+[^about]: By Steven Obiajulu, J.D. Published by [openagreements.org](https://openagreements.org). Last reviewed 2026-06-11. License: CC BY 4.0. Steven Obiajulu, J.D. is admitted in New York, not Washington. This article synthesizes Washington primary law and is not legal advice from a Washington-admitted attorney. This article is for informational purposes only and does not create an attorney-client relationship.
+
+[^q1-regulated-entity]: **RCW 19.373.010(23)** — "‘Regulated entity’ means any legal entity that: (a) Conducts business in Washington, or produces or provides products or services that are targeted to consumers in Washington; and (b) alone or jointly with others, determines the purpose and means of collecting, processing, sharing, or selling of consumer health data." *Wash. Rev. Code § 19.373.010(23).* <https://app.leg.wa.gov/RCW/default.aspx?cite=19.373.010>
+
+[^q1-chd-definition]: **RCW 19.373.010(8)** — "‘Consumer health data’ means personal information that is linked or reasonably linkable to a consumer and that identifies the consumer's past, present, or future physical or mental health status. (b) For the purposes of this definition, physical or mental health status includes, but is not limited to: (i) Individual health conditions, treatment, diseases, or diagnosis; (ii) Social, psychological, behavioral, and medical interventions; (iii) Health-related surgeries or procedures; (iv) Use or purchase of prescribed medication; (v) Bodily functions, vital signs, symptoms, or measurements of the information described in this subsection (8)(b); (vi) Diagnoses or diagnostic testing, treatment, or medication; (vii) Gender-affirming care information; (viii) Reproductive or sexual health information; (ix) Biometric data; (x) Genetic data; (xi) Precise location information that could reasonably indicate a consumer's attempt to acquire or receive health services or supplies; (xii) Data that identifies a consumer seeking health care services;" *Wash. Rev. Code § 19.373.010(8).* <https://app.leg.wa.gov/RCW/default.aspx?cite=19.373.010>
+
+[^q1-chd-inference]: **RCW 19.373.010(8)(b)(xiii)** — "Any information that a regulated entity or a small business, or their respective processor, processes to associate or identify a consumer with the data described in (b)(i) through (xii) of this subsection that is derived or extrapolated from nonhealth information (such as proxy, derivative, inferred, or emergent data by any means, including algorithms or machine learning)." *Wash. Rev. Code § 19.373.010(8)(b)(xiii).* <https://app.leg.wa.gov/RCW/default.aspx?cite=19.373.010>
+
+[^q1-mhmda-intent]: **RCW 19.373.005** — "However, HIPAA only covers health data collected by specific health care entities, including most health care providers. Health data collected by noncovered entities, including certain apps and websites, are not afforded the same protections. Chapter 191, Laws of 2023 works to close the gap between consumer knowledge and industry practice by providing stronger privacy protections for all Washington consumers' health data." *Wash. Rev. Code § 19.373.005(2).* <https://app.leg.wa.gov/RCW/default.aspx?cite=19.373.005>
+
+[^q1-consumer-def]: **RCW 19.373.010(7)** — "‘Consumer’ means (a) a natural person who is a Washington resident; or (b) a natural person whose consumer health data is collected in Washington. ‘Consumer’ means a natural person who acts only in an individual or household context, however identified, including by any unique identifier. ‘Consumer’ does not include an individual acting in an employment context." *Wash. Rev. Code § 19.373.010(7).* <https://app.leg.wa.gov/RCW/default.aspx?cite=19.373.010>
+
+[^q1-small-business]: **RCW 19.373.010(28)** — "‘Small business’ means a regulated entity that satisfies one or both of the following thresholds: (a) Collects, processes, sells, or shares consumer health data of fewer than 100,000 consumers during a calendar year; or (b) Derives less than 50 percent of gross revenue from the collection, processing, selling, or sharing of consumer health data, and controls, processes, sells, or shares consumer health data of fewer than 25,000 consumers." *Wash. Rev. Code § 19.373.010(28).* <https://app.leg.wa.gov/RCW/default.aspx?cite=19.373.010>
+
+[^q1-policy-small-business-date]: **RCW 19.373.020(2)** — "A small business must comply with this section beginning June 30, 2024." *Wash. Rev. Code § 19.373.020(2).* <https://app.leg.wa.gov/RCW/default.aspx?cite=19.373.020>
+
+[^q1-collection-small-business-date]: **RCW 19.373.030(2)** — "A small business must comply with this section beginning June 30, 2024." *Wash. Rev. Code § 19.373.030(2).* <https://app.leg.wa.gov/RCW/default.aspx?cite=19.373.030>
+
+[^q1-rights-small-business-date]: **RCW 19.373.040(2)** — "A small business must comply with this section beginning June 30, 2024." *Wash. Rev. Code § 19.373.040(2).* <https://app.leg.wa.gov/RCW/default.aspx?cite=19.373.040>
+
+[^q1-security-small-business-date]: **RCW 19.373.050(2)** — "A small business must comply with this section beginning June 30, 2024." *Wash. Rev. Code § 19.373.050(2).* <https://app.leg.wa.gov/RCW/default.aspx?cite=19.373.050>
+
+[^q1-processor-small-business-date]: **RCW 19.373.060(2)** — "A small business must comply with this section beginning June 30, 2024." *Wash. Rev. Code § 19.373.060(2).* <https://app.leg.wa.gov/RCW/default.aspx?cite=19.373.060>
+
+[^q1-sale-small-business-date]: **RCW 19.373.070(6)** — "A small business must comply with this section beginning June 30, 2024." *Wash. Rev. Code § 19.373.070(6).* <https://app.leg.wa.gov/RCW/default.aspx?cite=19.373.070>
+
+[^q1-geofence-ban]: **RCW 19.373.080** — "It is unlawful for any person to implement a geofence around an entity that provides in-person health care services where such geofence is used to: (1) Identify or track consumers seeking health care services; (2) collect consumer health data from consumers; or (3) send notifications, messages, or advertisements to consumers related to their consumer health data or health care services." *Wash. Rev. Code § 19.373.080.* <https://app.leg.wa.gov/RCW/default.aspx?cite=19.373.080>
+
+[^q1-exemptions-phi]: **RCW 19.373.100(1)** — "This chapter does not apply to: (a) Information that meets the definition of: (i) Protected health information for purposes of the federal health insurance portability and accountability act of 1996 and related regulations;" *Wash. Rev. Code § 19.373.100(1)(a)(i).* <https://app.leg.wa.gov/RCW/default.aspx?cite=19.373.100>
+
+[^q1-exemptions-federal]: **RCW 19.373.100(2)** — "Personal information that is governed by and collected, used, or disclosed pursuant to the following regulations, parts, titles, or acts, is exempt from this chapter: (a) The Gramm-Leach-Bliley act (15 U.S.C. 6801 et seq.) and implementing regulations; (b) part C of Title XI of the social security act (42 U.S.C. 1320d et seq.); (c) the fair credit reporting act (15 U.S.C. 1681 et seq.); (d) the family educational rights and privacy act (20 U.S.C. 1232g; Part 99 of Title 34, C.F.R.);" *Wash. Rev. Code § 19.373.100(2).* <https://app.leg.wa.gov/RCW/default.aspx?cite=19.373.100>
+
+[^q1-exemptions-health]: **RCW 19.373.100(1)** — "This chapter does not apply to: (a) Information that meets the definition of: (i) Protected health information for purposes of the federal health insurance portability and accountability act of 1996 and related regulations; (ii) Health care information collected, used, or disclosed in accordance with chapter 70.02 RCW; (iii) Patient identifying information collected, used, or disclosed in accordance with 42 C.F.R. Part 2, established pursuant to 42 U.S.C. Sec. 290dd-2; (iv) Identifiable private information for purposes of the federal policy for the protection of human subjects, 45 C.F.R. Part 46; identifiable private information that is otherwise information collected as part of human subjects research pursuant to the good clinical practice guidelines issued by the international council for harmonization; the protection of human subjects under 21 C.F.R. Parts 50 and 56; or personal data used or shared in research conducted in accordance with one or more of the requirements set forth in this subsection; (v) Information and documents created specifically for, and collected and maintained by: (A) A quality improvement committee for purposes of RCW 43.70.510 , 70.230.080 , or 70.41.200 ; (B) A peer review committee for purposes of RCW 4.24.250 ; (C) A quality assurance committee for purposes of RCW 74.42.640 or 18.20.390 ; (D) A hospital, as defined in RCW 43.70.056 , for reporting of health care-associated infections for purposes of RCW 43.70.056 , a notification of an incident for purposes of RCW 70.56.040 (5), or reports regarding adverse events for purposes of RCW 70.56.020 (2)(b); or (E) A manufacturer, as defined in 21 C.F.R. Sec. 820.3(o), when collected, used, or disclosed for purposes specified in chapter 70.02 RCW; (vi) Information and documents created for purposes of the federal health care quality improvement act of 1986, and related regulations; (vii) Patient safety work product for purposes of 42 C.F.R. Part 3, established pursuant to 42 U.S.C. Sec. 299b-21 through 299b-26; (viii) Information that is (A) deidentified in accordance with the requirements for deidentification set forth in 45 C.F.R. Part 164, and (B) derived from any of the health care-related information listed in this subsection (1)(a)(viii); (b) Information originating from, and intermingled to be indistinguishable with, information under (a) of this subsection that is maintained by: (i) A covered entity or business associate as defined by the health insurance portability and accountability act of 1996 and related regulations; (ii) A health care facility or health care provider as defined in RCW 70.02.010 ; or (iii) A program or a qualified service organization as defined by 42 C.F.R. Part 2, established pursuant to 42 U.S.C. Sec. 290dd-2; (c) Information used only for public health activities and purposes as described in 45 C.F.R. Sec. 164.512 or that is part of a limited data set, as defined, and is used, disclosed, and maintained in the manner required, by 45 C.F.R. Sec. 164.514; or (d) Identifiable data collected, used, or disclosed in accordance with chapter 43.371 RCW or RCW 69.43.165 ." *Wash. Rev. Code § 19.373.100(1).* <https://app.leg.wa.gov/RCW/default.aspx?cite=19.373.100>
+
+[^q1-biometric-enroll]: **RCW 19.375.020** — "A person may not enroll a biometric identifier in a database for a commercial purpose, without first providing notice, obtaining consent, or providing a mechanism to prevent the subsequent use of a biometric identifier for a commercial purpose." *Wash. Rev. Code § 19.375.020(1).* <https://app.leg.wa.gov/RCW/default.aspx?cite=19.375.020>
+
+[^q1-breach-duty]: **RCW 19.255.010** — "Any person or business that conducts business in this state and that owns or licenses data that includes personal information shall disclose any breach of the security of the system to any resident of this state whose personal information was, or is reasonably believed to have been, acquired by an unauthorized person and the personal information was not secured." *Wash. Rev. Code § 19.255.010(1).* <https://app.leg.wa.gov/RCW/default.aspx?cite=19.255.010>
+
+[^q2-policy-contents]: **RCW 19.373.020(1)(a)** — "beginning March 31, 2024, a regulated entity and a small business shall maintain a consumer health data privacy policy that clearly and conspicuously discloses: (i) The categories of consumer health data collected and the purpose for which the data is collected, including how the data will be used; (ii) The categories of sources from which the consumer health data is collected; (iii) The categories of consumer health data that is shared; (iv) A list of the categories of third parties and specific affiliates with whom the regulated entity or the small business shares the consumer health data; and (v) How a consumer can exercise the rights provided in RCW 19.373.040" *Wash. Rev. Code § 19.373.020(1)(a).* <https://app.leg.wa.gov/RCW/default.aspx?cite=19.373.020>
+
+[^q2-homepage-link]: **RCW 19.373.020(1)(b)** — "A regulated entity and a small business shall prominently publish a link to its consumer health data privacy policy on its homepage." *Wash. Rev. Code § 19.373.020(1)(b).* <https://app.leg.wa.gov/RCW/default.aspx?cite=19.373.020>
+
+[^q2-small-business-date]: **RCW 19.373.020(2)** — "A small business must comply with this section beginning June 30, 2024." *Wash. Rev. Code § 19.373.020(2).* <https://app.leg.wa.gov/RCW/default.aspx?cite=19.373.020>
+
+[^q2-homepage-definition]: **RCW 19.373.010(16)** — "‘Homepage’ means the introductory page of an internet website and any internet web page where personal information is collected. In the case of an online service, such as a mobile application, homepage means the application's platform page or download page, and a link within the application, such as from the application configuration, ‘about,’ ‘information,’ or settings page." *Wash. Rev. Code § 19.373.010(16).* <https://app.leg.wa.gov/RCW/default.aspx?cite=19.373.010>
+
+[^q2-new-categories]: **RCW 19.373.020(1)(c)** — "A regulated entity or a small business may not collect, use, or share additional categories of consumer health data not disclosed in the consumer health data privacy policy without first disclosing the additional categories and obtaining the consumer's affirmative consent prior to the collection, use, or sharing of such consumer health data." *Wash. Rev. Code § 19.373.020(1)(c).* <https://app.leg.wa.gov/RCW/default.aspx?cite=19.373.020>
+
+[^q2-new-purposes]: **RCW 19.373.020(1)(d)** — "A regulated entity or a small business may not collect, use, or share consumer health data for additional purposes not disclosed in the consumer health data privacy policy without first disclosing the additional purposes and obtaining the consumer's affirmative consent prior to the collection, use, or sharing of such consumer health data." *Wash. Rev. Code § 19.373.020(1)(d).* <https://app.leg.wa.gov/RCW/default.aspx?cite=19.373.020>
+
+[^q2-processor-consistency]: **RCW 19.373.020(1)(e)** — "It is a violation of this chapter for a regulated entity or a small business to contract with a processor to process consumer health data in a manner that is inconsistent with the regulated entity's or the small business's consumer health data privacy policy." *Wash. Rev. Code § 19.373.020(1)(e).* <https://app.leg.wa.gov/RCW/default.aspx?cite=19.373.020>
+
+[^q2-ftc5]: **FTC Act § 5** — "Unfair methods of competition in or affecting commerce, and unfair or deceptive acts or practices in or affecting commerce, are hereby declared unlawful." *15 U.S.C. § 45(a)(1).* <https://www.law.cornell.edu/uscode/text/15/45#:~:text=Unfair%20methods%20of%20competition%20in,commerce%2C%20are%20hereby%20declared%20unlawful.>
+
+[^q3-collection-consent]: **RCW 19.373.030(1)(a)** — "beginning March 31, 2024, a regulated entity or a small business may not collect any consumer health data except: (i) With consent from the consumer for such collection for a specified purpose; or (ii) To the extent necessary to provide a product or service that the consumer to whom such consumer health data relates has requested from such regulated entity or small business." *Wash. Rev. Code § 19.373.030(1)(a).* <https://app.leg.wa.gov/RCW/default.aspx?cite=19.373.030>
+
+[^q3-small-business-date]: **RCW 19.373.030(2)** — "A small business must comply with this section beginning June 30, 2024." *Wash. Rev. Code § 19.373.030(2).* <https://app.leg.wa.gov/RCW/default.aspx?cite=19.373.030>
+
+[^q3-sharing-consent]: **RCW 19.373.030(1)(b)** — "A regulated entity or a small business may not share any consumer health data except: (i) With consent from the consumer for such sharing that is separate and distinct from the consent obtained to collect consumer health data; or (ii) To the extent necessary to provide a product or service that the consumer to whom such consumer health data relates has requested from such regulated entity or small business." *Wash. Rev. Code § 19.373.030(1)(b).* <https://app.leg.wa.gov/RCW/default.aspx?cite=19.373.030>
+
+[^q3-sale-authorization]: **RCW 19.373.070(1)** — "beginning March 31, 2024, it is unlawful for any person to sell or offer to sell consumer health data concerning a consumer without first obtaining valid authorization from the consumer. The sale of consumer health data must be consistent with the valid authorization signed by the consumer. This authorization must be separate and distinct from the consent obtained to collect or share consumer health data, as required under RCW 19.373.030" *Wash. Rev. Code § 19.373.070(1).* <https://app.leg.wa.gov/RCW/default.aspx?cite=19.373.070>
+
+[^q3-consent-definition]: **RCW 19.373.010(6)** — "‘Consent’ means a clear affirmative act that signifies a consumer's freely given, specific, informed, opt-in, voluntary, and unambiguous agreement, which may include written consent provided by electronic means. (b) ‘Consent’ may not be obtained by: (i) A consumer's acceptance of a general or broad terms of use agreement or a similar document that contains descriptions of personal data processing along with other unrelated information; (ii) A consumer hovering over, muting, pausing, or closing a given piece of content; or (iii) A consumer's agreement obtained through the use of deceptive designs." *Wash. Rev. Code § 19.373.010(6).* <https://app.leg.wa.gov/RCW/default.aspx?cite=19.373.010>
+
+[^q3-consent-request]: **RCW 19.373.030(1)(c)** — "Consent required under this section must be obtained prior to the collection or sharing, as applicable, of any consumer health data, and the request for consent must clearly and conspicuously disclose: (i) The categories of consumer health data collected or shared; (ii) the purpose of the collection or sharing of the consumer health data, including the specific ways in which it will be used; (iii) the categories of entities with whom the consumer health data is shared; and (iv) how the consumer can withdraw consent from future collection or sharing of the consumer's health data." *Wash. Rev. Code § 19.373.030(1)(c).* <https://app.leg.wa.gov/RCW/default.aspx?cite=19.373.030>
+
+[^q3-authorization-contents]: **RCW 19.373.070(2)** — "A valid authorization to sell consumer health data is a document consistent with this section and must be written in plain language. The valid authorization to sell consumer health data must contain the following: (a) The specific consumer health data concerning the consumer that the person intends to sell; (b) The name and contact information of the person collecting and selling the consumer health data; (c) The name and contact information of the person purchasing the consumer health data from the seller identified in (b) of this subsection; (d) A description of the purpose for the sale, including how the consumer health data will be gathered and how it will be used by the purchaser identified in (c) of this subsection when sold; (e) A statement that the provision of goods or services may not be conditioned on the consumer signing the valid authorization; (f) A statement that the consumer has a right to revoke the valid authorization at any time and a description on how to submit a revocation of the valid authorization; (g) A statement that the consumer health data sold pursuant to the valid authorization may be subject to redisclosure by the purchaser and may no longer be protected by this section; (h) An expiration date for the valid authorization that expires one year from when the consumer signs the valid authorization; and (i) The signature of the consumer and date. (3) An authorization is not valid if the document has any of the following defects: (a) The expiration date has passed; (b) The authorization does not contain all the information required under this section; (c) The authorization has been revoked by the consumer; (d) The authorization has been combined with other documents to create a compound authorization; or (e) The provision of goods or services is conditioned on the consumer signing the authorization. (4) A copy of the signed valid authorization must be provided to the consumer. (5) The seller and purchaser of consumer health data must retain a copy of all valid authorizations for sale of consumer health data for six years from the date of its signature or the date when it was last in effect, whichever is later." *Wash. Rev. Code § 19.373.070(2)-(5).* <https://app.leg.wa.gov/RCW/default.aspx?cite=19.373.070>
+
+[^q4-processor-contract]: **RCW 19.373.060(1)(a)** — "beginning March 31, 2024, a processor may process consumer health data only pursuant to a binding contract between the processor and the regulated entity or the small business that sets forth the processing instructions and limit the actions the processor may take with respect to the consumer health data it processes on behalf of the regulated entity or the small business." *Wash. Rev. Code § 19.373.060(1)(a)(i).* <https://app.leg.wa.gov/RCW/default.aspx?cite=19.373.060>
+
+[^q4-processor-duties]: **RCW 19.373.060(1)(b)** — "A processor shall assist the regulated entity or the small business by appropriate technical and organizational measures, insofar as this is possible, in fulfilling the regulated entity's and the small business's obligations under this chapter." *Wash. Rev. Code § 19.373.060(1)(b).* <https://app.leg.wa.gov/RCW/default.aspx?cite=19.373.060>
+
+[^q4-outside-scope]: **RCW 19.373.060(1)(c)** — "If a processor fails to adhere to the regulated entity's or the small business's instructions or processes consumer health data in a manner that is outside the scope of the processor's contract with the regulated entity or the small business, the processor is considered a regulated entity or a small business with regard to such data and is subject to all the requirements of this chapter with regard to such data." *Wash. Rev. Code § 19.373.060(1)(c).* <https://app.leg.wa.gov/RCW/default.aspx?cite=19.373.060>
+
+[^q4-policy-consistency]: **RCW 19.373.020(1)(e)** — "It is a violation of this chapter for a regulated entity or a small business to contract with a processor to process consumer health data in a manner that is inconsistent with the regulated entity's or the small business's consumer health data privacy policy." *Wash. Rev. Code § 19.373.020(1)(e).* <https://app.leg.wa.gov/RCW/default.aspx?cite=19.373.020>
+
+[^q4-security-duty]: **RCW 19.373.050(1)** — "beginning March 31, 2024, a regulated entity and a small business shall: (a) Restrict access to consumer health data by the employees, processors, and contractors of such regulated entity or small business to only those employees, processors, and contractors for which access is necessary to further the purposes for which the consumer provided consent or where necessary to provide a product or service that the consumer to whom such consumer health data relates has requested from such regulated entity or small business; and (b) Establish, implement, and maintain administrative, technical, and physical data security practices that, at a minimum, satisfy reasonable standard of care within the regulated entity's or the small business's industry to protect the confidentiality, integrity, and accessibility of consumer health data appropriate to the volume and nature of the consumer health data at issue." *Wash. Rev. Code § 19.373.050(1).* <https://app.leg.wa.gov/RCW/default.aspx?cite=19.373.050>
+
+[^q4-security-small-business-date]: **RCW 19.373.050(2)** — "A small business must comply with this section beginning June 30, 2024." *Wash. Rev. Code § 19.373.050(2).* <https://app.leg.wa.gov/RCW/default.aspx?cite=19.373.050>
+
+[^q4-glba-safeguards]: **GLBA Safeguards Rule** — "Requiring your service providers by contract to implement and maintain such safeguards" *16 C.F.R. § 314.4(f)(2).* <https://www.law.cornell.edu/cfr/text/16/314.4#:~:text=Requiring%20your%20service%20providers%20by,implement%20and%20maintain%20such%20safeguards>
+
+[^q4-hipaa-baa]: **HIPAA Business Associate Contracts** — "A contract between the covered entity and a business associate must" *45 C.F.R. § 164.504(e)(2).* <https://www.law.cornell.edu/cfr/text/45/164.504#:~:text=A%20contract%20between%20the%20covered,and%20a%20business%20associate%20must>
+
+[^q5-access]: **RCW 19.373.040(1)(a)** — "a consumer has the right to confirm whether a regulated entity or a small business is collecting, sharing, or selling consumer health data concerning the consumer and to access such data, including a list of all third parties and affiliates with whom the regulated entity or the small business has shared or sold the consumer health data and an active email address or other online mechanism that the consumer may use to contact these third parties." *Wash. Rev. Code § 19.373.040(1)(a).* <https://app.leg.wa.gov/RCW/default.aspx?cite=19.373.040>
+
+[^q5-withdraw]: **RCW 19.373.040(1)(b)** — "A consumer has the right to withdraw consent from the regulated entity's or the small business's collection and sharing of consumer health data concerning the consumer." *Wash. Rev. Code § 19.373.040(1)(b).* <https://app.leg.wa.gov/RCW/default.aspx?cite=19.373.040>
+
+[^q5-delete]: **RCW 19.373.040(1)(c)** — "A consumer has the right to have consumer health data concerning the consumer deleted and may exercise that right by informing the regulated entity or the small business of the consumer's request for deletion. (i) A regulated entity or a small business that receives a consumer's request to delete any consumer health data concerning the consumer shall: (A) Delete the consumer health data from its records, including from all parts of the regulated entity's or the small business's network, including archived or backup systems pursuant to (c)(iii) of this subsection; and (B) Notify all affiliates, processors, contractors, and other third parties with whom the regulated entity or the small business has shared consumer health data of the deletion request. (ii) All affiliates, processors, contractors, and other third parties that receive notice of a consumer's deletion request shall honor the consumer's deletion request and delete the consumer health data from its records, subject to the same requirements of this chapter. (iii) If consumer health data that a consumer requests to be deleted is stored on archived or backup systems, then the request for deletion may be delayed to enable restoration of the archived or backup systems and such delay may not exceed six months from authenticating the deletion request." *Wash. Rev. Code § 19.373.040(1)(c).* <https://app.leg.wa.gov/RCW/default.aspx?cite=19.373.040>
+
+[^q5-deadline]: **RCW 19.373.040(1)(g)** — "A regulated entity and a small business shall comply with the consumer's requests under subsection (1)(a) through (c) of this section [(a) through (c) of this subsection] without undue delay, but in all cases within 45 days of receipt of the request submitted pursuant to the methods described in this section. A regulated entity and a small business must promptly take steps to authenticate a consumer request but this does not extend the regulated entity's and the small business's duty to comply with the consumer's request within 45 days of receipt of the consumer's request. The response period may be extended once by 45 additional days when reasonably necessary, taking into account the complexity and number of the consumer's requests, so long as the regulated entity or the small business informs the consumer of any such extension within the initial 45-day response period, together with the reason for the extension." *Wash. Rev. Code § 19.373.040(1)(g).* <https://app.leg.wa.gov/RCW/default.aspx?cite=19.373.040>
+
+[^q5-appeal]: **RCW 19.373.040(1)(h)** — "A regulated entity and a small business shall establish a process for a consumer to appeal the regulated entity's or the small business's refusal to take action on a request within a reasonable period of time after the consumer's receipt of the decision. The appeal process must be conspicuously available and similar to the process for submitting requests to initiate action pursuant to this section. Within 45 days of receipt of an appeal, a regulated entity or a small business shall inform the consumer in writing of any action taken or not taken in response to the appeal, including a written explanation of the reasons for the decisions. If the appeal is denied, the regulated entity or the small business shall also provide the consumer with an online mechanism, if available, or other method through which the consumer may contact the attorney general to submit a complaint." *Wash. Rev. Code § 19.373.040(1)(h).* <https://app.leg.wa.gov/RCW/default.aspx?cite=19.373.040>
+
+[^q5-nondiscrimination]: **RCW 19.373.030(1)(d)** — "A regulated entity or a small business may not unlawfully discriminate against a consumer for exercising any rights included in this chapter." *Wash. Rev. Code § 19.373.030(1)(d).* <https://app.leg.wa.gov/RCW/default.aspx?cite=19.373.030>
+
+[^q5-collection-consent]: **RCW 19.373.030(1)(a)** — "beginning March 31, 2024, a regulated entity or a small business may not collect any consumer health data except: (i) With consent from the consumer for such collection for a specified purpose; or (ii) To the extent necessary to provide a product or service that the consumer to whom such consumer health data relates has requested from such regulated entity or small business." *Wash. Rev. Code § 19.373.030(1)(a).* <https://app.leg.wa.gov/RCW/default.aspx?cite=19.373.030>
+
+[^q5-sharing-consent]: **RCW 19.373.030(1)(b)** — "A regulated entity or a small business may not share any consumer health data except: (i) With consent from the consumer for such sharing that is separate and distinct from the consent obtained to collect consumer health data; or (ii) To the extent necessary to provide a product or service that the consumer to whom such consumer health data relates has requested from such regulated entity or small business." *Wash. Rev. Code § 19.373.030(1)(b).* <https://app.leg.wa.gov/RCW/default.aspx?cite=19.373.030>
+
+[^q5-sale-authorization]: **RCW 19.373.070(1)** — "beginning March 31, 2024, it is unlawful for any person to sell or offer to sell consumer health data concerning a consumer without first obtaining valid authorization from the consumer. The sale of consumer health data must be consistent with the valid authorization signed by the consumer. This authorization must be separate and distinct from the consent obtained to collect or share consumer health data, as required under RCW 19.373.030" *Wash. Rev. Code § 19.373.070(1).* <https://app.leg.wa.gov/RCW/default.aspx?cite=19.373.070>
+
+[^q6-geofence-ban]: **RCW 19.373.080** — "It is unlawful for any person to implement a geofence around an entity that provides in-person health care services where such geofence is used to: (1) Identify or track consumers seeking health care services; (2) collect consumer health data from consumers; or (3) send notifications, messages, or advertisements to consumers related to their consumer health data or health care services." *Wash. Rev. Code § 19.373.080.* <https://app.leg.wa.gov/RCW/default.aspx?cite=19.373.080>
+
+[^q6-geofence-def]: **RCW 19.373.010(14)** — "‘Geofence’ means technology that uses global positioning coordinates, cell tower connectivity, cellular data, radio frequency identification, Wifi data, and/or any other form of spatial or location detection to establish a virtual boundary around a specific physical location, or to locate a consumer within a virtual boundary. For purposes of this definition, ‘geofence’ means a virtual boundary that is 2,000 feet or less from the perimeter of the physical location." *Wash. Rev. Code § 19.373.010(14).* <https://app.leg.wa.gov/RCW/default.aspx?cite=19.373.010>
+
+[^q6-hcs-def]: **RCW 19.373.010(15)** — "‘Health care services’ means any service provided to a person to assess, measure, improve, or learn about a person's mental or physical health, including but not limited to: (a) Individual health conditions, status, diseases, or diagnoses; (b) Social, psychological, behavioral, and medical interventions; (c) Health-related surgeries or procedures; (d) Use or purchase of medication;" *Wash. Rev. Code § 19.373.010(15).* <https://app.leg.wa.gov/RCW/default.aspx?cite=19.373.010>
+
+[^q7-breach-duty]: **RCW 19.255.010(1)** — "Any person or business that conducts business in this state and that owns or licenses data that includes personal information shall disclose any breach of the security of the system to any resident of this state whose personal information was, or is reasonably believed to have been, acquired by an unauthorized person and the personal information was not secured. Notice is not required if the breach of the security of the system is not reasonably likely to subject consumers to a risk of harm. The breach of secured personal information must be disclosed if the information acquired and accessed is not secured during a security breach or if the confidential process, encryption key, or other means to decipher the secured information was acquired by an unauthorized person." *Wash. Rev. Code § 19.255.010(1).* <https://app.leg.wa.gov/RCW/default.aspx?cite=19.255.010>
+
+[^q7-thirty-days]: **RCW 19.255.010(8)** — "Notification to affected consumers under this section must be made in the most expedient time possible, without unreasonable delay, and no more than thirty calendar days after the breach was discovered, unless the delay is at the request of law enforcement as provided in subsection (3) of this section, or the delay is due to any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system." *Wash. Rev. Code § 19.255.010(8).* <https://app.leg.wa.gov/RCW/default.aspx?cite=19.255.010>
+
+[^q7-ag-notice]: **RCW 19.255.010(7)** — "Any person or business that is required to issue a notification pursuant to this section to more than five hundred Washington residents as a result of a single breach shall notify the attorney general of the breach no more than thirty days after the breach was discovered. (a) The notice to the attorney general shall include the following information: (i) The number of Washington consumers affected by the breach, or an estimate if the exact number is not known; (ii) A list of the types of personal information that were or are reasonably believed to have been the subject of a breach; (iii) A time frame of exposure, if known, including the date of the breach and the date of the discovery of the breach; (iv) A summary of steps taken to contain the breach; and (v) A single sample copy of the security breach notification, excluding any personally identifiable information. (b) The notice to the attorney general must be updated if any of the information identified in (a) of this subsection is unknown at the time notice is due." *Wash. Rev. Code § 19.255.010(7).* <https://app.leg.wa.gov/RCW/default.aspx?cite=19.255.010>
+
+[^q7-pi-definition]: **RCW 19.255.005(2)** — "An individual's first name or first initial and last name in combination with any one or more of the following data elements: (A) Social security number; (B) Driver's license number or Washington identification card number; (C) Account number or credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account, or any other numbers or information that can be used to access a person's financial account; (D) Full date of birth; (E) Private key that is unique to an individual and that is used to authenticate or sign an electronic record; (F) Student, military, or passport identification number; (G) Health insurance policy number or health insurance identification number; (H) Any information about a consumer's medical history or mental or physical condition or about a health care professional's medical diagnosis or treatment of the consumer; or (I) Biometric data generated by automatic measurements of an individual's biological characteristics such as a fingerprint, voiceprint, eye retinas, irises, or other unique biological patterns or characteristics that is used to identify a specific individual; (ii) User name or email address in combination with a password or security questions and answers that would permit access to an online account; and (iii) Any of the data elements or any combination of the data elements described in (a)(i) of this subsection without the consumer's first name or first initial and last name if: (A) Encryption, redaction, or other methods have not rendered the data element or combination of data elements unusable; and (B) The data element or combination of data elements would enable a person to commit identity theft against a consumer." *Wash. Rev. Code § 19.255.005(2)(a).* <https://app.leg.wa.gov/RCW/default.aspx?cite=19.255.005>
+
+[^q7-secured]: **RCW 19.255.005(3)** — "‘Secured’ means encrypted in a manner that meets or exceeds the national institute of standards and technology standard or is otherwise modified so that the personal information is rendered unreadable, unusable, or undecipherable by an unauthorized person." *Wash. Rev. Code § 19.255.005(3).* <https://app.leg.wa.gov/RCW/default.aspx?cite=19.255.005>
+
+[^q7-hipaa-deemed]: **RCW 19.255.030** — "A covered entity under the federal health insurance portability and accountability act of 1996, 42 U.S.C. Sec. 1320d et seq., is deemed to have complied with the requirements of this chapter with respect to protected health information if it has complied with section 13402 of the federal health information technology for economic and clinical health act, P.L. 111-5 as it existed on July 24, 2015. Covered entities shall notify the attorney general pursuant to RCW 19.255.010 (7) in compliance with the timeliness of notification requirements of section 13402 of the federal health information technology for economic and clinical health act, P.L. 111-5 as it existed on July 24, 2015, notwithstanding the timeline in RCW 19.255.010 (7)." *Wash. Rev. Code § 19.255.030(1).* <https://app.leg.wa.gov/RCW/default.aspx?cite=19.255.030>
+
+[^q8-mhmda-cpa]: **RCW 19.373.090** — "The legislature finds that the practices covered by this chapter are matters vitally affecting the public interest for the purpose of applying the consumer protection act, chapter 19.86 RCW. A violation of this chapter is not reasonable in relation to the development and preservation of business, and is an unfair or deceptive act in trade or commerce and an unfair method of competition for the purpose of applying the consumer protection act, chapter 19.86 RCW." *Wash. Rev. Code § 19.373.090.* <https://app.leg.wa.gov/RCW/default.aspx?cite=19.373.090>
+
+[^q8-cpa-private-action]: **RCW 19.86.090** — "Any person who is injured in his or her business or property by a violation of RCW 19.86.020 , 19.86.030 , 19.86.040 , 19.86.050 , or 19.86.060 , or any person so injured because he or she refuses to accede to a proposal for an arrangement which, if consummated, would be in violation of RCW 19.86.030 , 19.86.040 , 19.86.050 , or 19.86.060 , may bring a civil action in superior court to enjoin further violations, to recover the actual damages sustained by him or her, or both, together with the costs of the suit, including a reasonable attorney's fee. In addition, the court may, in its discretion, increase the award of damages up to an amount not to exceed three times the actual damages sustained: PROVIDED, That such increased damage award for violation of RCW 19.86.020 may not exceed twenty-five thousand dollars" *Wash. Rev. Code § 19.86.090.* <https://app.leg.wa.gov/RCW/default.aspx?cite=19.86.090>
+
+[^q8-cpa-per-se]: **RCW 19.86.093** — "a claimant may establish that the act or practice is injurious to the public interest because it: (1) Violates a statute that incorporates this chapter;" *Wash. Rev. Code § 19.86.093.* <https://app.leg.wa.gov/RCW/default.aspx?cite=19.86.093>
+
+[^q8-biometric-ag-only]: **RCW 19.375.030** — "This chapter may be enforced solely by the attorney general under the consumer protection act, chapter 19.86 RCW." *Wash. Rev. Code § 19.375.030(2).* <https://app.leg.wa.gov/RCW/default.aspx?cite=19.375.030>
+
+[^q8-cpa-penalties]: **RCW 19.86.140** — "Every person who violates RCW 19.86.020 shall forfeit and pay a civil penalty of not more than $7,500 for each violation: PROVIDED, That nothing in this paragraph shall apply to any radio or television broadcasting station which broadcasts, or to any publisher, printer or distributor of any newspaper, magazine, billboard or other advertising medium who publishes, prints or distributes, advertising in good faith without knowledge of its false, deceptive or misleading character. For unlawful acts or practices that target or impact specific individuals or communities based on demographic characteristics including, but not limited to, age, race, national origin, citizenship or immigration status, sex, sexual orientation, presence of any sensory, mental, or physical disability, religion, veteran status, or status as a member of the armed forces, as that term is defined in 10 U.S.C. Sec. 101, an enhanced penalty of $5,000 shall apply. For the purpose of this section the superior court issuing any injunction shall retain jurisdiction, and the cause shall be continued, and in such cases the attorney general acting in the name of the state may petition for the recovery of civil penalties." *Wash. Rev. Code § 19.86.140.* <https://app.leg.wa.gov/RCW/default.aspx?cite=19.86.140>
+
+[^q8-breach-pra]: **RCW 19.255.040** — "An action to enforce this chapter may not be brought under RCW 19.86.090 . (3)(a) Any consumer injured by a violation of this chapter may institute a civil action to recover damages." *Wash. Rev. Code § 19.255.040(2)-(3).* <https://app.leg.wa.gov/RCW/default.aspx?cite=19.255.040>

package/skills/legal-explainers/data-privacy-law-explainer/content/west-virginia.md

@@ -0,0 +1,141 @@
+---
+jurisdiction: "West Virginia"
+slug: west-virginia
+countryCode: US
+snapshotAsOf: "2026-06-19"
+lastReviewed: "2026-06-12"
+canonicalUrl: https://openagreements.org/practice-guides/privacy/us/west-virginia
+license: CC BY 4.0
+stale: false
+---
+
+> [!IMPORTANT]
+> **Informational only — not legal advice.** This is a snapshot of an OpenAgreements practice note,
+> provided for general information. It is not legal advice, does not create an attorney-client
+> relationship, and is not a substitute for a licensed attorney in the relevant jurisdiction.
+> Laws change; verify against the canonical version before relying on it.
+>
+> **Canonical:** https://openagreements.org/practice-guides/privacy/us/west-virginia · **Snapshot as of:** 2026-06-19 · License: CC BY 4.0 · © openagreements.org
+
+# West Virginia Consumer Privacy Law[^about]
+
+West Virginia has no comprehensive consumer-privacy statute. The operative state laws are the breach-notification article (W. Va. Code §§ 46A-2A-101 et seq.) and the WVCCPA's deceptive-practices article, layered with FTC Act § 5, GLBA, HIPAA, and COPPA.
+
+
+## At a glance
+
+| Question | West Virginia |
+| --- | --- |
+| **Law coverage** | No comprehensive law |
+| **Summary** | West Virginia has not enacted a comprehensive consumer-privacy law, so there are no general data-rights, notice-at-collection, consent, or processor-contract duties under state law. The operative state statutes are the breach-notification article — enforced exclusively by the Attorney General, with civil penalties capped at $150,000 per breach and available only for repeated and willful violations — and the West Virginia Consumer Credit and Protection Act, whose deceptive-practices article carries a consumer private right of action for actual damages or $200 after a 45-day pre-suit cure window. Everything else in a West Virginia-facing privacy program comes from the federal and sectoral overlay — FTC Act § 5, GLBA, HIPAA, and COPPA — so build to those and to the breach statute, and the program upgrades rather than restarts if West Virginia later enacts an omnibus law. |
+| **Main law** | West Virginia breach-notification article, W. Va. Code §§ 46A-2A-101 to 46A-2A-105, plus the WVCCPA unfair-or-deceptive-practices article (W. Va. Code § 46A-6-104) — West Virginia has no comprehensive consumer-privacy law |
+| **Privacy policy required?** | No West Virginia statute mandates a general consumer privacy policy or fixes its contents; a policy that misstates actual practices invites FTC Act § 5 and WVCCPA deception exposure, and GLBA, HIPAA, and COPPA supply the contents where those regimes apply |
+| **Who does it cover?** | Any individual or entity — corporations, partnerships, limited liability companies, associations, governments, for profit or not — that owns or licenses computerized personal information of West Virginia residents; no revenue or consumer-volume threshold |
+| **Can consumers sue?** | Limited path |
+| **Privacy policy rule** | No state policy checklist |
+| **Consent for sensitive data?** | No special rule |
+| **Browser opt-out signals?** | Not required |
+| **Lawsuit detail** | Not under the breach-notification article — the Attorney General has exclusive enforcement authority; but WVCCPA § 46A-6-106 gives a consumer a private action for actual damages or $200, whichever is greater, subject to the 45-day right-to-cure notice in § 46A-5-108 |
+| **Who enforces it?** | West Virginia Attorney General |
+
+## Which privacy laws apply to your business in West Virginia? {#which-privacy-laws-apply}
+
+**Short answer.** There is no comprehensive West Virginia consumer-privacy law. The operative state framework is sectoral. The breach-notification article of the West Virginia Consumer Credit and Protection Act (WVCCPA) reaches any individual or *entity* that owns or licenses computerized personal information of state residents [^q1-stat-102a-duty] — and *entity* is defined to include corporations, partnerships, limited liability companies, associations, governments, and any other legal entity, whether for profit or not [^stat-101-entity]. Alongside it, the WVCCPA's general consumer-protection article declares unfair or deceptive acts or practices in any trade or commerce unlawful [^stat-6104-udap], which is the hook for privacy-related misrepresentation claims. Neither statute carries a revenue or consumer-volume threshold.
+
+West Virginia has not enacted an omnibus privacy statute, so its residents do not have general state-law rights to access, delete, correct, or port their personal data, or to opt out of its sale or use in targeted advertising, and businesses face no state notice-at-collection, consent, data-protection-assessment, or universal opt-out-signal duties. Lawmakers have considered comprehensive consumer-data-protection legislation — a 2024 bill, House Bill 5123, would have created controller duties and consumer rights along the lines of other states' omnibus acts — but it died without passage, so no comprehensive regime is on the books or scheduled to take effect. What fills the gap is a layered framework: the breach-notification article sets the one statewide data-incident duty, the WVCCPA's deceptive-practices article polices what businesses say about their data handling [^stat-6101-purpose], and the rest of a West Virginia privacy program rides the federal and sectoral overlay. Section 5 of the FTC Act reaches deceptive or unfair privacy practices nationwide; the Gramm-Leach-Bliley Act governs financial institutions; HIPAA governs covered health entities and their business associates; and the Children's Online Privacy Protection Act governs services directed to children under 13. Businesses in regulated industries should also confirm whether sector-specific obligations apply to them beyond the laws discussed here. This note is written to stay durable: if West Virginia later enacts a comprehensive law, a program built to this overlay upgrades rather than restarts.
+
+## What must your West Virginia privacy policy contain? {#privacy-policy-contents}
+
+**Short answer.** No West Virginia statute requires a general consumer privacy policy or fixes what it must say. For most businesses, the governing rule is that whatever you publish has to be true: under Section 5 of the FTC Act, unfair or deceptive acts or practices in or affecting commerce are unlawful [^fed-ftc5-deceptive], and the WVCCPA reaches any deception, false promise, misrepresentation, or material omission made in connection with the sale or advertisement of goods or services — whether or not anyone was actually misled [^stat-6102-deception]. Where a sectoral regime applies, that regime supplies the contents instead — a HIPAA covered entity, for example, must give individuals a notice of the uses and disclosures of their protected health information and of their rights and the entity's duties [^fed-hipaa-notice].
+
+In practice the drafting question in West Virginia is less *what must be included* and more *does the policy match actual practice*. The WVCCPA makes that federal alignment explicit: West Virginia courts construing the deceptive-practices article are directed to be guided by the policies of the Federal Trade Commission and federal interpretations of FTC Act § 5 [^stat-6101-ftc-guided], so FTC deception doctrine — a privacy policy that misstates collection, use, sharing, retention, or security practices is deceptive — is effectively the West Virginia standard too. Build the policy from the federal and sectoral overlay: the GLBA privacy-notice rules if you are a financial institution [^fed-glba-notice], the HIPAA Notice of Privacy Practices if you are a covered entity or business associate, and a COPPA notice if your service is directed to children under 13 [^fed-coppa-notice]. For everyone else, follow best practice — describe the categories of data collected, the purposes, the third parties you share with, and how users exercise any choices you offer — and then honor it, because the enforceable obligation is consistency between the statement and the conduct.
+
+## What must your contracts with vendors say? {#vendor-contracts}
+
+**Short answer.** West Virginia has no omnibus data-processing-agreement requirement — no state statute prescribes controller-to-processor terms, audit rights, deletion clauses, or subprocessor flow-downs for general private-sector contracts. Where a federal sectoral regime is in scope, it supplies the contracting obligations: the GLBA Safeguards Rule requires financial institutions to oversee service providers by contract and to require them to implement appropriate safeguards [^fed-glba-safeguards], and HIPAA requires a business-associate agreement with mandatory data-protection, breach-reporting, and downstream-subcontractor terms before protected health information is shared [^fed-hipaa-baa]. The one state-law touchpoint is breach response: a vendor that maintains computerized personal information it does not own or license must notify the owner or licensee of any breach as soon as practicable after discovery [^stat-102c-maintainer].
+
+Outside the GLBA and HIPAA verticals, the prudent move is to carry the same protections forward as a matter of contract best practice — processing limited to documented instructions, confidentiality, reasonable security, prompt breach notification back to your business, and return or deletion of data at the end of the engagement — even though no West Virginia statute compels them. The breach-notification article's vendor duty is worth implementing expressly: because the statutory clock for notifying residents runs against the data owner, the contract should require the vendor to report any security incident to you quickly and in enough detail to let you decide whether resident notice is triggered. That duty is a breach-response rule, not a general data-processing-agreement mandate, so there is no West Virginia source to cite for omnibus vendor terms — which is itself the operative point.
+
+## When must you notify people of a data breach in West Virginia? {#breach-notification}
+
+**Short answer.** An individual or entity that owns or licenses computerized personal information must notify any West Virginia resident whose unencrypted and unredacted personal information was, or is reasonably believed to have been, accessed and acquired by an unauthorized person — where the incident causes, or the entity reasonably believes it has caused or will cause, identity theft or other fraud — and the notice must be made without unreasonable delay [^stat-102a-notice]. A reportable *breach of the security of a system* is the unauthorized access and acquisition of unencrypted, unredacted computerized data that compromises personal information and leads the entity reasonably to believe identity theft or other fraud has resulted or will result [^stat-101-breach-def]. *Personal information* means a resident's first name or first initial and last name linked to a Social Security number, driver's license or state ID number, or a financial-account or card number with its required access code [^stat-101-pi-def]. If more than one thousand persons must be notified, the entity must also alert the nationwide consumer reporting agencies without unreasonable delay [^stat-102f-cra].
+
+This is the one prong where West Virginia imposes a hard statutory duty, so it belongs at the center of any West Virginia incident-response plan. Two features narrow the trigger. First, the harm element: unlike a pure acquisition-based statute, West Virginia requires a reasonable belief that the breach has caused or will cause identity theft or other fraud before resident notice is due. Second, the encryption and redaction safe harbors: properly encrypted or redacted data generally falls outside the trigger — but notice is still required if encrypted information is acquired in unencrypted form or the incident involves someone with access to the encryption key [^stat-102b-encrypted]. The notice itself must describe the categories of information involved, give a contact point, and include the toll-free numbers and addresses of the major credit reporting agencies with fraud-alert and security-freeze information [^stat-102d-contents]. Notice may be delayed at a law-enforcement agency's direction while disclosure would impede an investigation [^stat-102e-delay]. Finally, there are deemed-compliance paths: an entity that follows its own breach-notification procedures under an information privacy or security policy consistent with the article's timing rules is deemed compliant when it notifies residents under those procedures [^stat-103a-safeharbor], and a financial institution that follows the federal interagency guidance — or an entity that follows its primary or functional regulator's rules — is likewise deemed compliant [^stat-103bc-regulator].
+
+## Can a consumer sue your business in West Virginia over privacy? {#consumer-lawsuit}
+
+**Short answer.** Not under the breach-notification article — the Attorney General has exclusive authority to bring an action for its violation [^stat-104b-ag-exclusive]. The WVCCPA is a different story. Any person who purchases or leases goods or services and suffers an ascertainable loss from an unfair or deceptive practice may sue in circuit court to recover actual damages or $200, whichever is greater [^stat-6106-pra]. Two significant limits apply: damages require proof of an actual out-of-pocket loss proximately caused by the violation [^stat-6106-outofpocket], and no WVCCPA action may be filed until 45 days after the consumer has sent the business a written, certified-mail notice of the alleged violation and its factual basis [^stat-5108-cure].
+
+The practical shape of private privacy litigation in West Virginia follows from those two statutes. A consumer cannot sue for a late or missing breach notice itself — that claim belongs to the Attorney General alone — but a consumer who bought goods or services in reliance on a deceptive privacy promise (a privacy policy that misstates what data is collected or shared, for example) can frame a WVCCPA deceptive-practices claim, with the $200 statutory minimum available where actual damages are small. The right-to-cure machinery matters operationally: the pre-suit notice opens a 45-day window for the business to deliver a written cure offer, the limitations period is tolled while that window runs or the cure is being performed [^stat-5108-tolling], and a cure offer that is made, accepted, and performed is a complete defense [^stat-5108-defense]. A business served with a WVCCPA notice should treat the cure window as a genuine settlement opportunity — a timely cure offer also cuts off liability for the consumer's post-offer attorney fees and court costs unless the eventual award exceeds the offer's value [^stat-5108-fees]. Beyond the WVCCPA, plaintiffs in data-incident cases typically plead common-law theories such as negligence and breach of implied contract, which rise or fall on ordinary proof-of-injury and standing principles rather than any West Virginia privacy statute.
+
+## How is privacy law enforced in West Virginia? {#ag-enforcement}
+
+**Short answer.** By the Attorney General. A failure to comply with the breach-notification article's notice provisions constitutes an unfair or deceptive act under the WVCCPA, enforceable by the Attorney General under that chapter's enforcement provisions [^stat-104a-bridge]. The penalty structure is forgiving by design: no civil penalty may be assessed unless the court finds a course of repeated and willful violations, and no penalty may exceed $150,000 per breach or per series of similar breaches discovered in a single investigation [^stat-104-penalty]. Licensed financial institutions are carved out entirely — violations by them are enforceable exclusively by the institution's primary functional regulator [^stat-104c-fininst].
+
+The enforcement picture for a West Virginia-facing privacy program therefore has three tiers. First, breach-notice failures: an Attorney General matter only, with civil-penalty exposure reserved for repeated and willful non-compliance and capped at $150,000 per breach or related series. Second, deceptive privacy practices generally: the Attorney General enforces the WVCCPA's deceptive-practices article, and consumers hold the parallel private action described in the previous answer, so a misleading privacy policy carries both public and private exposure. Third, the federal layer: the FTC enforces Section 5, GLBA, and COPPA against businesses in their scope, and HHS enforces HIPAA — none of which depends on West Virginia law. The operational takeaway is that West Virginia's own enforcement risk concentrates on two failure modes — not notifying after a qualifying breach, and saying things about your data practices that are not true — and a program that handles both has covered the state-law field as it stands today.
+
+[^about]: By Steven Obiajulu, J.D. Published by [openagreements.org](https://openagreements.org). Last reviewed 2026-06-12. License: CC BY 4.0. Steven Obiajulu, J.D. is admitted in New York, not West Virginia. This article synthesizes West Virginia primary law and is not legal advice from a West Virginia-admitted attorney. This article is for informational purposes only and does not create an attorney-client relationship.
+
+[^q1-stat-102a-duty]: **W. Va. Code § 46A-2A-102** — "An individual or entity that owns or licenses computerized data that includes personal information shall give notice of any breach of the security of the system following discovery or notification of the breach of the security of the system to any resident of this state whose unencrypted and unredacted personal information was or is reasonably believed to have been accessed and acquired by an unauthorized person and that causes, or the individual or entity reasonably believes has caused or will cause, identity theft or other fraud to any resident of this state." *W. Va. Code § 46A-2A-102(a).* <https://code.wvlegislature.gov/46A-2A-102/>
+
+[^stat-101-entity]: **W. Va. Code § 46A-2A-101** — "‘Entity’ includes corporations, business trusts, estates, partnerships, limited partnerships, limited liability partnerships, limited liability companies, associations, organizations, joint ventures, governments, governmental subdivisions, agencies or instrumentalities, or any other legal entity, whether for profit or not for profit." *W. Va. Code § 46A-2A-101(2).* <https://code.wvlegislature.gov/46A-2A-101/>
+
+[^stat-6104-udap]: **W. Va. Code § 46A-6-104** — "Unfair methods of competition and unfair or deceptive acts or practices in the conduct of any trade or commerce are hereby declared unlawful." *W. Va. Code § 46A-6-104.* <https://code.wvlegislature.gov/46A-6-104/>
+
+[^stat-6101-purpose]: **W. Va. Code § 46A-6-101** — "The Legislature hereby declares that the purpose of this article is to complement the body of federal law governing unfair competition and unfair, deceptive and fraudulent acts or practices in order to protect the public and foster fair and honest competition." *W. Va. Code § 46A-6-101(1).* <https://code.wvlegislature.gov/46A-6-101/>
+
+[^fed-ftc5-deceptive]: **FTC Act § 5** — "Unfair methods of competition in or affecting commerce, and unfair or deceptive acts or practices in or affecting commerce, are hereby declared unlawful." *15 U.S.C. § 45(a)(1).* <https://www.law.cornell.edu/uscode/text/15/45#:~:text=Unfair%20methods%20of%20competition%20in,commerce%2C%20are%20hereby%20declared%20unlawful.>
+
+[^stat-6102-deception]: **W. Va. Code § 46A-6-102** — "The act, use or employment by any person of any deception, fraud, false pretense, false promise or misrepresentation, or the concealment, suppression or omission of any material fact with intent that others rely upon such concealment, suppression or omission, in connection with the sale or advertisement of any goods or services, whether or not any person has in fact been misled, deceived or damaged thereby;" *W. Va. Code § 46A-6-102(7)(M).* <https://code.wvlegislature.gov/46A-6-102/>
+
+[^fed-hipaa-notice]: **HIPAA Notice of Privacy Practices** — "an individual has a right to adequate notice of the uses and disclosures of protected health information that may be made by the covered entity, and of the individual's rights and the covered entity's legal duties with respect to protected health information" *45 C.F.R. § 164.520.* <https://www.law.cornell.edu/cfr/text/45/164.520#:~:text=an%20individual%20has%20a%20right,respect%20to%20protected%20health%20information>
+
+[^stat-6101-ftc-guided]: **W. Va. Code § 46A-6-101** — "It is the intent of the Legislature that, in construing this article, the courts be guided by the policies of the Federal Trade Commission and interpretations given by the Federal Trade Commission and the federal courts to Section 5(a)(1) of the Federal Trade Commission Act (15 U. S. C. § 45(a)(1)), as from time to time amended, and to the various other federal statutes dealing with the same or similar matters." *W. Va. Code § 46A-6-101(1).* <https://code.wvlegislature.gov/46A-6-101/>
+
+[^fed-glba-notice]: **GLBA Privacy Notice Requirement** — "Except as otherwise provided in this subchapter, a financial institution may not, directly or through any affiliate, disclose to a nonaffiliated third party any nonpublic personal information, unless such financial institution provides or has provided to the consumer a notice that complies with section 6803 of this title." *15 U.S.C. § 6802(a).* <https://www.law.cornell.edu/uscode/text/15/6802#:~:text=Except%20as%20otherwise%20provided%20in,section%206803%20of%20this%20title.>
+
+[^fed-coppa-notice]: **COPPA Notice and Parental-Consent Requirement** — "require the operator of any website or online service directed to children that collects personal information from children or the operator of a website or online service that has actual knowledge that it is collecting personal information from a child— (i) to provide notice on the website of what information is collected from children by the operator, how the operator uses such information, and the operator’s disclosure practices for such information; and (ii) to obtain verifiable parental consent for the collection, use, or disclosure of personal information from children;" *15 U.S.C. § 6502(b)(1)(A).* <https://www.law.cornell.edu/uscode/text/15/6502#:~:text=require%20the%20operator%20of%20any,of%20personal%20information%20from%20children%3B>
+
+[^fed-glba-safeguards]: **GLBA Safeguards Rule** — "Requiring your service providers by contract to implement and maintain such safeguards" *16 C.F.R. § 314.4(f)(2).* <https://www.law.cornell.edu/cfr/text/16/314.4#:~:text=Requiring%20your%20service%20providers%20by,implement%20and%20maintain%20such%20safeguards>
+
+[^fed-hipaa-baa]: **HIPAA Business Associate Contracts** — "A contract between the covered entity and a business associate must: (i) Establish the permitted and required uses and disclosures of protected health information by the business associate. The contract may not authorize the business associate to use or further disclose the information in a manner that would violate the requirements of this subpart, if done by the covered entity, except that: (A) The contract may permit the business associate to use and disclose protected health information for the proper management and administration of the business associate, as provided in paragraph (e)(4) of this section; and (B) The contract may permit the business associate to provide data aggregation services relating to the health care operations of the covered entity. (ii) Provide that the business associate will: (A) Not use or further disclose the information other than as permitted or required by the contract or as required by law; (B) Use appropriate safeguards and comply, where applicable, with subpart C of this part with respect to electronic protected health information, to prevent use or disclosure of the information other than as provided for by its contract; (C) Report to the covered entity any use or disclosure of the information not provided for by its contract of which it becomes aware, including breaches of unsecured protected health information as required by § 164.410; (D) In accordance with § 164.502(e)(1)(ii), ensure that any subcontractors that create, receive, maintain, or transmit protected health information on behalf of the business associate agree to the same restrictions and conditions that apply to the business associate with respect to such information;" *45 C.F.R. § 164.504(e)(2).* <https://www.law.cornell.edu/cfr/text/45/164.504#:~:text=A%20contract%20between%20the%20covered,with%20respect%20to%20such%20information%3B>
+
+[^stat-102c-maintainer]: **W. Va. Code § 46A-2A-102** — "An individual or entity that maintains computerized data that includes personal information that the individual or entity does not own or license shall give notice to the owner or licensee of the information of any breach of the security of the system as soon as practicable following discovery, if the personal information was or the entity reasonably believes was accessed and acquired by an unauthorized person." *W. Va. Code § 46A-2A-102(c).* <https://code.wvlegislature.gov/46A-2A-102/>
+
+[^stat-102a-notice]: **W. Va. Code § 46A-2A-102** — "An individual or entity that owns or licenses computerized data that includes personal information shall give notice of any breach of the security of the system following discovery or notification of the breach of the security of the system to any resident of this state whose unencrypted and unredacted personal information was or is reasonably believed to have been accessed and acquired by an unauthorized person and that causes, or the individual or entity reasonably believes has caused or will cause, identity theft or other fraud to any resident of this state. Except as provided in subsection (e) of this section or in order to take any measures necessary to determine the scope of the breach and to restore the reasonable integrity of the system, the notice shall be made without unreasonable delay." *W. Va. Code § 46A-2A-102(a).* <https://code.wvlegislature.gov/46A-2A-102/>
+
+[^stat-101-breach-def]: **W. Va. Code § 46A-2A-101** — "‘Breach of the security of a system’ means the unauthorized access and acquisition of unencrypted and unredacted computerized data that compromises the security or confidentiality of personal information maintained by an individual or entity as part of a database of personal information regarding multiple individuals and that causes the individual or entity to reasonably believe that the breach of security has caused or will cause identity theft or other fraud to any resident of this state." *W. Va. Code § 46A-2A-101(1).* <https://code.wvlegislature.gov/46A-2A-101/>
+
+[^stat-101-pi-def]: **W. Va. Code § 46A-2A-101** — "‘Personal information’ means the first name or first initial and last name linked to any one or more of the following data elements that relate to a resident of this state, when the data elements are neither encrypted nor redacted: (A) Social security number; (B) Driver's license number or state identification card number issued in lieu of a driver's license; or (C) Financial account number, or credit card, or debit card number in combination with any required security code, access code or password that would permit access to a resident's financial accounts." *W. Va. Code § 46A-2A-101(6).* <https://code.wvlegislature.gov/46A-2A-101/>
+
+[^stat-102f-cra]: **W. Va. Code § 46A-2A-102** — "If an entity is required to notify more than one thousand persons of a breach of security pursuant to this article, the entity shall also notify, without unreasonable delay, all consumer reporting agencies that compile and maintain files on a nationwide basis, as defined by 15 U.S.C. §1681a (p), of the timing, distribution and content of the notices." *W. Va. Code § 46A-2A-102(f).* <https://code.wvlegislature.gov/46A-2A-102/>
+
+[^stat-102b-encrypted]: **W. Va. Code § 46A-2A-102** — "An individual or entity must give notice of the breach of the security of the system if encrypted information is accessed and acquired in an unencrypted form or if the security breach involves a person with access to the encryption key and the individual or entity reasonably believes that such breach has caused or will cause identity theft or other fraud to any resident of this state." *W. Va. Code § 46A-2A-102(b).* <https://code.wvlegislature.gov/46A-2A-102/>
+
+[^stat-102d-contents]: **W. Va. Code § 46A-2A-102** — "The notice shall include: (1) To the extent possible, a description of the categories of information that were reasonably believed to have been accessed or acquired by an unauthorized person, including social security numbers, driver's licenses or state identification numbers and financial data; (2) A telephone number or website address that the individual may use to contact the entity or the agent of the entity and from whom the individual may learn: (A) What types of information the entity maintained about that individual or about individuals in general; and (B) Whether or not the entity maintained information about that individual. (3) The toll-free contact telephone numbers and addresses for the major credit reporting agencies and information on how to place a fraud alert or security freeze." *W. Va. Code § 46A-2A-102(d).* <https://code.wvlegislature.gov/46A-2A-102/>
+
+[^stat-102e-delay]: **W. Va. Code § 46A-2A-102** — "Notice required by this section may be delayed if a law-enforcement agency determines and advises the individual or entity that the notice will impede a criminal or civil investigation or homeland or national security. Notice required by this section must be made without unreasonable delay after the law-enforcement agency determines that notification will no longer impede the investigation or jeopardize national or homeland security." *W. Va. Code § 46A-2A-102(e).* <https://code.wvlegislature.gov/46A-2A-102/>
+
+[^stat-103a-safeharbor]: **W. Va. Code § 46A-2A-103** — "An entity that maintains its own notification procedures as part of an information privacy or security policy for the treatment of personal information and that are consistent with the timing requirements of this article shall be deemed to be in compliance with the notification requirements of this article if it notifies residents of this state in accordance with its procedures in the event of a breach of security of the system." *W. Va. Code § 46A-2A-103(a).* <https://code.wvlegislature.gov/46A-2A-103/>
+
+[^stat-103bc-regulator]: **W. Va. Code § 46A-2A-103** — "A financial institution that responds in accordance with the notification guidelines prescribed by the Federal Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice is deemed to be in compliance with this article. (c) An entity that complies with the notification requirements or procedures pursuant to the rules, regulation, procedures or guidelines established by the entity's primary or functional regulator shall be in compliance with this article." *W. Va. Code § 46A-2A-103(b)-(c).* <https://code.wvlegislature.gov/46A-2A-103/>
+
+[^stat-104b-ag-exclusive]: **W. Va. Code § 46A-2A-104** — "Except as provided by subsection (c) of this section, the Attorney General shall have exclusive authority to bring action." *W. Va. Code § 46A-2A-104(b).* <https://code.wvlegislature.gov/46A-2A-104/>
+
+[^stat-6106-pra]: **W. Va. Code § 46A-6-106** — "Subject to subsection (b) of this section, any person who purchases or leases goods or services and thereby suffers an ascertainable loss of money or property, real or personal, as a result of the use or employment by another person of a method, act, or practice prohibited or declared to be unlawful by the provisions of this article may bring an action in the circuit court of the county in which the seller or lessor resides or has his or her principal place of business or is doing business, or as provided for in §46A-1-1 and §46A-1-2 of this code, to recover actual damages or $200, whichever is greater." *W. Va. Code § 46A-6-106(a).* <https://code.wvlegislature.gov/46A-6-106/>
+
+[^stat-6106-outofpocket]: **W. Va. Code § 46A-6-106** — "An award of damages in an action pursuant to subsection (a) of this section may not be made without proof that the person seeking damages suffered an actual out-of-pocket loss that was proximately caused by a violation of this article." *W. Va. Code § 46A-6-106(b).* <https://code.wvlegislature.gov/46A-6-106/>
+
+[^stat-5108-cure]: **W. Va. Code § 46A-5-108** — "An action may not be brought pursuant to this article and §46A-2-1 et seq., §46A-3-1 et seq., §46A-4-1 et seq., and §46A-6-1 et seq. of this code until 45 days after the consumer has informed the creditor, debt collector, seller, or lessor in writing and by certified mail, return receipt requested, to the creditor’s, debt collector’s, seller’s, or lessor’s registered agent identified by the creditor, debt collector, seller, or lessor at the Office of the West Virginia Secretary of State or, if not registered with the West Virginia Secretary of State, then to the creditor’s, debt collector’s, seller’s, or lessor’s principal place of business, of the alleged violation and the factual basis for the violation." *W. Va. Code § 46A-5-108(a).* <https://code.wvlegislature.gov/46A-5-108/>
+
+[^stat-5108-tolling]: **W. Va. Code § 46A-5-108** — "Any applicable statute of limitations is tolled for the 45-day period set forth in subsection (a) of this section or for the period the effectuation of the cure offer is being performed, whichever is longer." *W. Va. Code § 46A-5-108(c).* <https://code.wvlegislature.gov/46A-5-108/>
+
+[^stat-5108-defense]: **W. Va. Code § 46A-5-108** — "Where an action is brought under this article or §46A-2-1 et seq., §46A-3-1 et seq., §46A-4-1 et seq., and §46A-6-1 et seq. of this code, it is a complete defense that a cure offer was made, accepted, and the agreed upon cure was performed. If the court determines that the cure offer was accepted and the agreed upon cure performed, the creditor, debt collector, seller, or lessor is entitled to reasonable attorney’s fees and costs attendant to defending the action." *W. Va. Code § 46A-5-108(e).* <https://code.wvlegislature.gov/46A-5-108/>
+
+[^stat-5108-fees]: **W. Va. Code § 46A-5-108** — "The creditor, debt collector, seller, or lessor is not liable for the consumer’s attorney’s fees and court costs incurred following delivery of the cure offer unless the actual damages, civil penalties, and any other monetary or equitable relief provided for under this article and §46A-2-1 et seq., §46A-3-1 et seq., §46A-4-1 et seq., and §46A-6-1 et seq. of this code are found to have been sustained and awarded, without consideration of attorney’s fees and court costs, exceed the value of the cure offer." *W. Va. Code § 46A-5-108(f).* <https://code.wvlegislature.gov/46A-5-108/>
+
+[^stat-104a-bridge]: **W. Va. Code § 46A-2A-104** — "Except as provided by subsection (c) of this section, failure to comply with the notice provisions of this article constitutes an unfair or deceptive act of practice in violation of section one hundred four, article six, chapter forty-six-a of this code, which may be enforced by the Attorney General pursuant to the enforcement provisions of this chapter." *W. Va. Code § 46A-2A-104(a).* <https://code.wvlegislature.gov/46A-2A-104/>
+
+[^stat-104-penalty]: **W. Va. Code § 46A-2A-104** — "No civil penalty may be assessed in an action unless the court finds that the defendant has engaged in a course of repeated and willful violations of this article. No civil penalty shall exceed $150,000 per breach of security of the system or series of breaches of a similar nature that are discovered in a single investigation." *W. Va. Code § 46A-2A-104(b).* <https://code.wvlegislature.gov/46A-2A-104/>
+
+[^stat-104c-fininst]: **W. Va. Code § 46A-2A-104** — "A violation of this article by a licensed financial institution shall be enforceable exclusively by the financial institution's primary functional regulator." *W. Va. Code § 46A-2A-104(c).* <https://code.wvlegislature.gov/46A-2A-104/>