Last updated on December 16th, 2025 at 06:44 pm

With data breaches on the rise, it’s more important than ever for U.S. businesses to follow data protection and privacy laws — or risk serious legal and reputational damage. The federal government, state government, and even international governments may have laws that affect your obligations as an entity that collects personal data.

Below, we discuss some of the most important data protection laws for businesses based in the U.S. today, especially those operating in Washington state.

Health Data Laws

HIPAA

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is the most important health data protection law in the U.S. This federal law protects individuals’ rights to understand and control how their health information is used.

HIPAA protects sensitive health information from being unnecessarily disclosed without the patient’s consent. It allows healthcare providers, plans, clearinghouses, and business associates to transmit health information for select purposes such as treatments, billing, health benefit eligibility inquiries, or when required by law. It also requires entities to keep individually identifiable health information confidential.

HIPAA applies to healthcare providers, health plans, healthcare clearinghouses, and business associates that provide services for any other covered entity. There are a lot of nuances. To be in compliance, you will likely need to appoint employees to HIPAA-related roles, arrange regular refresher trainings, and conduct audits, among other actions.

Key takeaway: If you work with or collect health information, your employees need formal, documented training on HIPAA standards with regular refreshers. The penalties for violating HIPAA can be quite severe, ranging from civil fines to imprisonment and other criminal penalties depending on the violation.

Washington My Health My Data Act

Washington State recently expanded privacy protections for consumers with the Washington My Health My Data Act (HB 1155). The Act took effect on July 23, 2023, when its ban on geofencing around health care facilities became enforceable; its remaining obligations applied from March 31, 2024 (June 30, 2024 for small businesses). This law aims to close privacy gaps for health data that isn't regulated by HIPAA, including location data that may reveal that someone sought health care services, even if that data isn't specifically tied to a health condition or processed by a HIPAA-covered entity.

The My Health My Data Act applies to anyone conducting business in Washington that collects, processes, shares, or sells consumer health data. It applies to data processed in Washington, even if the consumer does not reside there. Unlike with some other state privacy laws, your revenue and the number of consumers you serve do not affect the applicability of the law.

This law was part of a package of legislation passed in response to the U.S. Supreme Court's decision in Dobbs v. Jackson Women's Health Organization, which eliminated the federal constitutional right to abortion. However, it covers much more than reproductive health data. Among many other categories of consumer health information, this law protects data about:

  • A consumer’s health conditions, treatment, diseases, or diagnosis.
  • Social, behavioral, psychological, and medical interventions.
  • Health-related surgeries and procedures.
  • Use or purchase of prescribed medications.
  • Bodily functions, such as tracking a consumer’s digestion or perspiration.
  • Vital signs, symptoms, and other measurements of the information described above.
  • Diagnoses, diagnostic testing, treatment, and medication.
  • Gender-affirming care information.
  • Reproductive or sexual health information.
  • Biometric data, including imagery and voice recordings from which an identifier template can be extracted.
  • Genetic data.
  • Precise location information that reasonably indicates a consumer’s attempt to acquire or receive health services or supplies.
  • Data that identifies a consumer seeking health care services.
  • Health information that is derived or inferred from non-health data – in other words, otherwise non-sensitive data used in a manner that may reveal aspects of a consumer’s health.

Key takeaway: As a result of this law, your business may need to update its privacy policies, advertising practices, processes for managing data-related requests from consumers, and processes for gathering consent for collecting, sharing, and selling data that could be tied to a person’s health. You should also make sure that any vendors you work with that access health-related data have appropriate data privacy terms.

Consumer Data Laws

FTC Safeguards Rule

The Federal Trade Commission (FTC) Safeguards Rule requires many U.S. companies to protect consumer information through a variety of technical, physical, and administrative safeguards. Covered companies must have a written information security program that keeps customer information confidential, protects against security threats, and protects against unauthorized information access.

The Safeguards Rule applies to a broad definition of “financial institutions,” including some you might not expect. Mortgage and payday lenders, auto dealerships, account servicers, check cashers, credit counselors, non-federally insured credit unions, businesses that wire money between consumers, and finders that bring together buyers and sellers are just a few examples of companies covered by the Safeguards Rule.

The original version of the Rule took effect in 2003. The FTC amended it in 2021 to keep pace with current technology, adding concrete requirements such as a written risk assessment, access controls, encryption of customer information in transit and at rest, multi-factor authentication for anyone accessing customer information, and a designated qualified individual to run the program. A further amendment in 2023 (effective May 2024) requires covered institutions to notify the FTC, as soon as possible and no later than 30 days after discovery, of any unauthorized acquisition of unencrypted customer information affecting at least 500 consumers.

Key takeaway: If your business is significantly engaged in financial activities for consumers in the U.S., such as extending credit, making loans, or servicing accounts, you are likely bound by the FTC Safeguards Rule even if you do not think of yourself as a financial institution. You will need to develop a written customer information security program, assign a qualified individual to oversee it, and implement the specific technical controls the Rule lists, among other actions.

California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA)

The California Consumer Privacy Act (CCPA) grants California residents the right to know what personal information a business collects about them, to have it deleted, and to opt out of the sale or sharing of that information. It applies to any for-profit business that does business in California and generates gross annual revenue above the statutory threshold (originally $25 million, now adjusted for inflation); buys, sells, or shares the personal information of at least 100,000 California consumers or households per year; or derives at least 50% of its annual revenue from selling or sharing consumers' personal information. That includes many businesses located outside of California.

The California Privacy Rights Act (CPRA) amends the CCPA and became operative on January 1, 2023. It adds the right for California residents to limit the use and disclosure of sensitive personal information and to correct inaccurate personal information that a business holds about them, and it created the California Privacy Protection Agency to enforce the law.

Even if your business doesn't operate in California, it's a good idea to do business in line with CCPA and CPRA requirements. The CCPA applies any time a qualifying business collects, sells, or shares the personal information of a California resident, even if that person is temporarily outside the state. Virginia, Colorado, and more than a dozen other states have since passed comprehensive consumer privacy laws of their own, and Nevada has a narrower law that lets residents opt out of the sale of their data. Similar bills have been proposed in Washington and several other states.

Key takeaway: Even if your business isn’t in California, you may need to adhere to CCPA requirements, and you would be wise to prepare for similar laws passing in other states. As a starting point, you can make it easy for website visitors to opt out of cookies and avoid data-intensive marketing processes like behavioral retargeting. We recommend talking to a lawyer about how to comply with the CCPA.
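As an added illustration of the opt-out mechanics in that takeaway (this is example code written for this page, not code from the original article or from any vendor), the following server-side JavaScript decides whether a visitor may be loaded into sale/share-type tracking such as retargeting pixels. It honors the browser's Global Privacy Control header (Sec-GPC: 1), which the CCPA regulations require businesses to treat as a valid opt-out request, as well as a site-set opt-out cookie and a per-account preference. The cookie name, the tag inventory, and the account lookup result are assumptions made for the example.

```javascript
// Example written for this page, not the article's or any vendor's code.
// Server-side decision: may this request be loaded into tracking that
// "sells" or "shares" personal information under the CCPA (retargeting
// pixels, ad-network cookie syncs)? Three signals count as an opt-out:
//   1. the Global Privacy Control header "Sec-GPC: 1" sent by the browser
//      (the CCPA regulations require honoring such opt-out preference signals),
//   2. an opt-out cookie set by the site's "Do Not Sell or Share" link,
//   3. a stored preference on a logged-in account (hypothetical lookup result).
// OPT_OUT_COOKIE, TAG_INVENTORY and the account flag are assumptions.

const OPT_OUT_COOKIE = "ccpa_opt_out"; // assumed cookie name

// Minimal Cookie-header parser; keeps only well-formed name=value pairs.
function parseCookies(cookieHeader) {
  const out = {};
  if (!cookieHeader) return out;
  for (const part of cookieHeader.split(";")) {
    const idx = part.indexOf("=");
    if (idx === -1) continue;
    const name = part.slice(0, idx).trim();
    if (!name) continue;
    try {
      out[name] = decodeURIComponent(part.slice(idx + 1).trim());
    } catch {
      // Malformed percent-encoding: drop that cookie rather than crash.
    }
  }
  return out;
}

// headers: object with lowercase header names, as Node's http module provides.
// accountOptedOut: true/false from a hypothetical per-account lookup, or null
// when the visitor is anonymous. Returns { allowTracking, reason }.
function trackingDecision(headers, accountOptedOut = null) {
  // GPC defines exactly the value "1" as the opt-out signal; "0" or absence
  // means no signal was sent, not that the visitor consented.
  if ((headers["sec-gpc"] || "").trim() === "1") {
    return { allowTracking: false, reason: "gpc-signal" };
  }
  const cookies = parseCookies(headers["cookie"]);
  if (cookies[OPT_OUT_COOKIE] === "1") {
    return { allowTracking: false, reason: "opt-out-cookie" };
  }
  if (accountOptedOut === true) {
    return { allowTracking: false, reason: "account-preference" };
  }
  return { allowTracking: true, reason: "no-opt-out" };
}

// Set-Cookie value for the "Do Not Sell or Share My Personal Information" link.
// A one-year lifetime matches the CCPA rule that a business must wait at
// least 12 months before asking an opted-out consumer to opt back in.
function optOutSetCookie() {
  const oneYear = 365 * 24 * 60 * 60;
  return `${OPT_OUT_COOKIE}=1; Max-Age=${oneYear}; Path=/; Secure; HttpOnly; SameSite=Lax`;
}

// Constructed inventory of tags and whether each one sells/shares data.
const TAG_INVENTORY = [
  { id: "first-party-analytics", sellsOrShares: false },
  { id: "retargeting-pixel", sellsOrShares: true },
  { id: "ad-network-cookie-sync", sellsOrShares: true },
];

// Tags the page may load for this decision: everything when no opt-out
// applies, otherwise only tags that do not sell or share personal information.
function tagsToLoad(decision, inventory = TAG_INVENTORY) {
  return inventory
    .filter((tag) => decision.allowTracking || !tag.sellsOrShares)
    .map((tag) => tag.id);
}

// Stand-alone demonstration with constructed requests.
if (typeof require !== "undefined" && require.main === module) {
  const requests = [
    { "sec-gpc": "1", cookie: "session=abc" },
    { cookie: `session=abc; ${OPT_OUT_COOKIE}=1` },
    { cookie: "session=abc" },
  ];
  for (const headers of requests) {
    const decision = trackingDecision(headers);
    console.log(decision.reason, "->", tagsToLoad(decision).join(", "));
  }
}
```

The decision is made server-side so that the tag manager never receives the tracking scripts for an opted-out visitor; relying on a client-side flag alone lets a cached or misconfigured page fire the pixel before the opt-out is checked.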

International Data Laws

General Data Protection Regulation (GDPR)

The General Data Protection Regulation (GDPR) is one of the strictest privacy and security laws in the world. It protects the personal data of individuals in the European Union (EU) and the wider European Economic Area, but it applies to many businesses based outside the EU, including businesses in the U.S.

If your company offers goods or services (paid or free) to people in the EU, or monitors their behavior there (for example, by profiling website visitors), you need to follow the GDPR no matter where your company is located. Under this law, you need a lawful basis for every processing activity, such as the individual's consent, a contract with them, a legal obligation, or a legitimate interest that is not overridden by their rights, and you can only process an EU individual's personal data in a way that is:

  • Lawful, fair, and transparent to the data subject.
  • Done for legitimate purposes that are specified explicitly to the data subject when you collect it.
  • Adequate, relevant, and limited to what is necessary for the specified purposes (data minimization).
  • Accurate and up-to-date.
  • Stored only as long as needed for the specified purpose.
  • Done in such a way as to ensure appropriate security, integrity, and confidentiality.
  • Accountable, meaning you can demonstrate GDPR compliance.

Data security under GDPR means taking both technical and organizational measures appropriate to the risk. You may need to require your employees to use two-factor authentication on accounts that can reach personal data, encrypt personal data in transit and at rest, organize staff training, limit access to personal data to those who need it, and add a data privacy policy to your employee handbook. You will also need to report a personal data breach to the relevant supervisory authority within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals, and to tell the affected data subjects without undue delay when the breach is likely to result in a high risk to them. That second notification is not required if the affected data was rendered unintelligible to an attacker, for example through encryption with keys the attacker did not obtain.

Key takeaway: If your company gathers data from or sells anything to people in the EU, you need to follow GDPR law. That means considering data protection in everything you do, including designing new products and apps.

Learn How to Legally Protect Your Business

Businesses today face a complicated legal landscape, with many different data protection and privacy laws that may or may not apply. An experienced law firm can offer recommendations to help you meet all applicable legal requirements and reduce your risk of liability.

The Anderson Hunter Law Firm has been helping businesses and individuals in western Washington for over a century. Our business lawyers have the knowledge and experience you need, whether you’re forming a new business or protecting an existing one. Contact us today if your business needs ongoing or immediate legal counsel on data protection and privacy matters.
