Washington My Health My Data Act

Washington My Health My Data Act (RCW Ch. 19.373) regulates consumer health data (CHD) under a broad definition: past/present/future physical or mental health status; reproductive/sexual health; biometric/genetic; bodily functions, vital signs, symptoms, measurements; diagnoses; treatment; gender-affirming care; prescription medications; precise location indicating an attempt to acquire/receive health services; data identifying services sought; and inferences. Key obligations: CHD privacy policy on the homepage; opt-in for collection and (separately) for sharing; signed authorisation for sale; 2,000ft geofence prohibition around in-person health-care facilities for tracking, CHD collection, or health-related notifications/ads (absolute prohibition — no consent exception); consumer rights (access, deletion, withdrawal of consent). No applicability threshold. Enforcement by WA AG + private right of action via Washington CPA (treble damages up to $25K/violation + attorneys' fees). Class-action litigation is the dominant enforcement risk.

Composition

15 controls currently indexed; participates in 5 cross-framework synthesis clusters.

Participates in synthesis

Each cluster listed below combines this framework's controls with operationally equivalent controls from other frameworks, resolving the overlap into a single audit-defensible specification.

• Cloud data privacy lifecycle — CSA CCM v4 DSP control family
• Consent management — capture, modify, withdraw across jurisdictions
• Cross-jurisdiction consumer / Data Principal rights — operational fabric
• Processor / service provider contract requirements across jurisdictions
• Sensitive personal information — heightened protection across jurisdictions