← All US breach laws·WA

Washington data breach notification law

Washington's data breach notification requirements under Wash. Rev. Code §19.255.010 (amended by HB 1071, 2020 expansion). Below: the resident-notification deadline, AG/regulator filing threshold, the encryption safe harbor, private right of action exposure, penalty schedule, and the common pitfalls that turn an avoidable incident into a regulator enforcement action.

Statute
Wash. Rev. Code §19.255.010
Enforcer
Washington Attorney General
AG notification
Required
Private right of action
Yes — residents can sue

Notification deadlines

Notify affected residents
In the most expedient time possible and without unreasonable delay, but no more than 30 days after discovery of the breach
Notify the state regulator
Yes — within 30 days if more than 500 Washington residents are affected, written notice to the AG including a sample notice and number of residents affected
Notify consumer reporting agencies
Yes — if more than 1,000 residents, notify nationwide CRAs

When is notification required?

Trigger / harm threshold
Notification required if PI was, or is reasonably believed to have been, accessed or acquired by unauthorized person; harm-based exception narrow
Encryption safe harbor
Yes — properly encrypted personal information is generally exempt from notification, provided the encryption key was not also compromised.

What counts as "personal information" under Washington law

First name/initial + last name with SSN, DL/state ID, financial account + access code, biometric data, health information, full date of birth, taxpayer ID, military ID, OR username/email + password/security Q&A; standalone any of the above sufficient for identity theft also covered

Penalties and enforcement

Up to $7,500 per violation under Consumer Protection Act; private right of action
Enforced by: Washington Attorney General. Official regulator page →

Common pitfalls

Washington's PI definition is among the broadest after 2020 (HB 1071) — includes DOB, biometrics, military ID standalone
AG notice must include a SAMPLE of the consumer notification — preview language in advance

Frequently asked questions

How long do I have to notify Washington residents after a data breach?
In the most expedient time possible and without unreasonable delay, but no more than 30 days after discovery of the breach
Do I have to notify the Washington Attorney General?
Yes — within 30 days if more than 500 Washington residents are affected, written notice to the AG including a sample notice and number of residents affected
Does Washington require notification to nationwide consumer reporting agencies?
Yes — if more than 1,000 residents, notify nationwide CRAs
Is encrypted data exempt from Washington's breach notification requirement?
Yes — Washington has an encryption safe harbor. Breaches of properly encrypted personal information generally do not trigger notification, provided the encryption key was not also compromised.
Can Washington residents sue me directly for a data breach?
Yes — Washington allows a private right of action. Affected residents may sue for actual damages and, in some cases, statutory damages or attorneys' fees. Class actions are common.
What counts as 'personal information' under Washington law?
First name/initial + last name with SSN, DL/state ID, financial account + access code, biometric data, health information, full date of birth, taxpayer ID, military ID, OR username/email + password/security Q&A; standalone any of the above sufficient for identity theft also covered
What are the penalties for failing to comply with Washington's breach notification law?
Up to $7,500 per violation under Consumer Protection Act; private right of action

Related state breach laws

Vermont (VT)
9 V.S.A. §§2430
Virginia (VA)
Va. Code §18.2-186.6
West Virginia (WV)
W. Va. Code §§46A-2A-101 to 46A-2A-105
Wisconsin (WI)
Wis. Stat. §134.98

Pre-empt the Washington breach notice — audit your policy now

ComplianceIQ runs a free audit of your privacy policy and incident-response language against Washington's statutory requirements. You'll see every gap before you have to use it for real.

Run free policy audit