Washington's My Health My Data Act applies to you
Operators outside Washington keep concluding the law does not reach them. Most of them are wrong, and the obligations are not light.
Washington’s My Health My Data Act became fully effective for non-small businesses in 2024 and for small businesses in 2024 as well. The law has been on the books long enough that the early-period uncertainty is settling, and the answer that has emerged is uncomfortable for many wellness operators: the law applies to a much broader population of companies than the headline summaries suggested, and the obligations once it applies are heavy.
Three things explain the breadth.
First, the definition of “consumer health data” in the law is unusually wide. It covers personal information that identifies a consumer’s past, present, or future health status, and the implementing guidance has read “health status” to include mental health, reproductive and sexual health, gender-affirming care, biometric data, precise geolocation that could indicate a visit to a healthcare facility, and information derived from any of those. The “derived” piece is the trapdoor. Behavioral signals that, in combination, allow inferences about the categories above are themselves consumer health data, even when no individual signal looks medical.
Second, the law applies extraterritorially. A company outside Washington that collects covered data about Washington residents is in scope. The “doing business in Washington” question that limits some other state laws does not similarly limit MHMDA. If your platform has Washington users, you are inside the law.
Third, the obligations are not the same lightweight checklist that other state laws can be satisfied with. The most demanding requirement is the geofence prohibition: it is unlawful to implement a geofence around any in-person healthcare facility for the purpose of identifying or tracking consumers seeking healthcare services or for the purpose of advertising or marketing to them. That provision sits outside the consent regime; consent does not authorize it. The data sale and sharing prohibitions require valid authorizations, and the authorization standards are stricter than ordinary consent. The private right of action attached to the law makes plaintiff-side litigation a real factor, not a theoretical one.
For wellness operators outside Washington, the practical implications are concrete.
If your product collects, infers, or shares data that touches mental health, reproductive health, fertility, gender-affirming care, biometrics, or precise location, your data flows are within scope as soon as a Washington resident interacts with the product. Geofences around healthcare facilities should be eliminated entirely as a marketing technique. Authorizations for selling or sharing covered data need to meet the law’s specific standards, which include separate, clear consent and a specified purpose. Data minimization, which is sound practice generally, becomes a defensive necessity here.
The temptation to read the law as a Washington-specific compliance question is the most common mistake. The law’s effect is national whenever a national platform has Washington users, which is most national platforms. Reading the law in 2026 with that scope in mind is the starting point for getting the obligations right.