MHMDA

Washington My Health My Data Act

Key Facts

Effective Date
March 31, 2024
Enacted
April 27, 2023
Enforcing Authority
Washington Attorney General; Private right of action via Consumer Protection Act
Consent Model
Opt-in
Applies To
Any person conducting business in Washington or targeting Washington consumers that collects, shares, or sells consumer health data — no size-based exemptions

Overview

Washington's My Health My Data Act is a sector-specific health data privacy law with the broadest health data definition among US laws. It requires opt-in consent for ALL consumer health data and uniquely prohibits geofencing within 2,000 feet of healthcare facilities. A private right of action enables individual lawsuits.

What This Means for Your Website

  • Opt-in consent is required for ALL consumer health data collection, sharing, and sale
  • Separate consent is needed for each category of health data
  • Geofencing is prohibited within 2,000 feet of healthcare facilities
  • No small business exemption — applies to businesses of any size
  • A private right of action allows consumers to sue directly (treble damages up to $25,000)

Key Requirements

The Washington AG and private plaintiffs enforce the MHMDA. AG penalties reach $7,500 per violation. Private actions allow actual damages plus treble damages capped at $25,000. The broad health data definition covers far more than HIPAA. No revenue or data volume thresholds apply.

How ConsentStack Handles This

ConsentStack helps healthcare-adjacent websites obtain opt-in consent per health data category for Washington visitors, reducing exposure to both AG enforcement and private lawsuits.

Penalties

$7,500 per violation (AG); Private action: actual damages + treble damages (cap $25,000).

Maximum Fine
USD 7,500 per violation

Key Requirements

  • Opt-in consent for ALL consumer health data collection, sharing, and sale
  • Geofencing prohibited within 2,000 feet of healthcare facilities
  • Separate consent for each category of health data
  • Consumer rights: access, delete, withdraw consent
  • No small business exemption for core requirements

Notable Provisions

  • Private right of action — unique among most US privacy laws
  • Geofencing prohibition around healthcare facilities (2,000 ft)
  • Broadest health data definition among US laws
  • No size-based exemptions

US State Specifics

Private Right of Action
Yes
Global Opt-out Required
No
Sensitive Data Opt-in
Yes

Other North America Regulations

CPRA (California, United States)
The CPRA is the most comprehensive US state privacy law with a dedicated enforcement agency (CPPA). Cross-context behavioral advertising via cookies constitutes sharing personal information, triggering opt-out obligations. GPC signals must be honored as valid opt-out requests.

PIPEDA (Canada, Federal)
Canada's federal private-sector privacy law based on 10 fair information principles. Requires express consent for sensitive data and implied consent for less sensitive data. OPC guidance addresses cookies and online behavioral advertising. The CPPA replacement bill died in January 2025; a new bill is expected.

Quebec Law 25 (Quebec, Canada)
The most GDPR-like privacy law in the Americas. Requires explicit, granular consent per purpose before deploying ANY tracking technology. Implied consent is explicitly prohibited for cookies and tracking. Features extraterritorial scope, mandatory PIAs, and GDPR-level penalties (4% worldwide turnover). The strictest cookie consent requirements in North America.

TDPSA (Texas, United States)
The TDPSA is the broadest US state privacy law — no revenue thresholds and no minimum consumer data volume thresholds. Applies to any non-small-business processing personal data of Texas residents. Must honor GPC signals since January 2025. This breadth means far more businesses are captured than under any other state law.

CPA (Colorado, United States)
Colorado's CPA features the highest per-violation penalties among US state privacy laws at $20,000. Must honor GPC signals since July 2024. Participated in a joint GPC enforcement sweep with California and Connecticut in September 2025. The cure period was eliminated in January 2025.

MODPA (Maryland, United States)
The most restrictive US state privacy law. Sensitive data may only be processed when strictly necessary to deliver a requested service — and sale of sensitive data is completely prohibited even with consent. Under-18 sale and targeted advertising are prohibited regardless of consent. Strictest data minimization in the US.

Frequently Asked Questions

What is the MHMDA?

The My Health My Data Act is Washington's health data privacy law requiring opt-in consent for all consumer health data with the broadest health data definition among US laws.

Can consumers sue under the MHMDA?

Yes. The MHMDA provides a private right of action — consumers can recover actual damages plus treble damages up to $25,000.

What is the MHMDA geofencing ban?

The MHMDA prohibits geofencing within 2,000 feet of healthcare facilities — preventing location-based targeting near medical facilities.

Does the MHMDA have size-based exemptions?

No. The MHMDA applies to businesses of any size that collect, share, or sell consumer health data of Washington residents.

Stay compliant with MHMDA

ConsentStack helps you implement opt-in consent for Washington, United States automatically.