OSERAN HAHN
Attorneys at Law
Practice eyebrow

Privacy & Data Protection

Privacy law is a moving patchwork, and a company collecting customer data is exposed to more of it than it realizes. As outside general counsel, we build the privacy policies, vendor terms, and breach-response plan a company needs, and we keep it compliant as the rules multiply.

Talk to an attorney

Founded

1965

Attorneys

11

AV-rated

Martindale-Hubbell

Office

Bellevue, WA

Founded

1965

Attorneys

4

AV-rated

Martindale-Hubbell

Office

Bellevue, WA

Privacy and data protection attorneys for Bellevue and Seattle companies

Oseran Hahn advises companies on privacy and data protection: the privacy policies they publish, the data-processing terms they sign with vendors, the breach-response plan they need before an incident, and the growing list of state and federal rules that apply once a company collects personal data. Washington has no single comprehensive privacy statute, so compliance is a patchwork of the state's My Health My Data Act, breach-notification law, and the other states' and countries' laws that reach a company's customers. We build a program that fits the company's actual data.

What this work involves

What our Bellevue and Seattle general counsel attorneys handle

Privacy compliance is a patchwork, not a single statute, and the exposure grows quietly as a company collects more data. We draft the privacy policies and disclosures a company publishes; we navigate Washington's My Health My Data Act, which reaches far more companies than most expect; we paper the vendor and data-processing agreements that move data; we build the breach-response plan the law requires; and we extend the program to the multistate and international rules a company's customers trigger.

Privacy policies and the compliance patchwork

There is no single comprehensive privacy law in Washington or at the federal level, so a company's obligations are assembled from many sources: Washington's sector-specific statutes, the federal rules that apply to particular data, and the comprehensive privacy laws of other states and countries that reach a company's customers wherever it is based. We draft the privacy policy and the disclosures a company actually needs given the data it collects, rather than a generic template, and we keep them accurate as the company's data practices and the law change. An inaccurate privacy policy is itself a source of liability.

Washington's My Health My Data Act

Washington's most significant recent privacy law catches far more businesses than most expect. The My Health My Data Act regulates consumer health data broadly, well beyond HIPAA-covered providers, and reaches many ordinary companies that collect data touching health, wellness, or related inferences (RCW 19.373). It requires specific consent, restricts the sale of health data, bans geofencing around health facilities, and, critically, is enforceable by private lawsuit through the Consumer Protection Act (RCW 19.86). We assess whether a company is covered and build the consent and data practices the Act requires.

Vendors, data processing, and collection

Most of a company's data risk runs through its vendors, the analytics tools, payment processors, marketing platforms, and cloud services that touch customer data. We paper the data-processing agreements that govern those relationships, advise on what the company can collect, share, and retain, and review a vendor's security and privacy posture before the company hands over data. Getting the vendor contracts right is what keeps a vendor's breach or misuse from becoming the company's liability.

Data breach response

A breach is a when, not an if, and Washington law puts the company on a clock. The state's breach-notification statute requires notifying affected Washington residents within thirty days of discovering a breach, and notifying the Attorney General when more than five hundred residents are affected (RCW 19.255.010). Mishandling a breach also carries Consumer Protection Act exposure (RCW 19.86). We help companies build an incident-response plan before a breach and run the notification and legal response when one happens, so the company meets its deadlines instead of discovering them mid-crisis.

Multistate and international compliance

A company's privacy obligations are set by where its customers are, not just where it is. Once a company has customers in California, it likely faces the California Consumer Privacy Act and its amendments, other states have passed their own comprehensive laws, and any EU customers bring the General Data Protection Regulation into play. Rather than chase each law separately, we help companies build one privacy program calibrated to the strictest rule that actually applies to them, which is usually cheaper and steadier than a patchwork of one-off fixes.

    Why Oseran Hahn

    Privacy, built for your data.

    Counsel for Pacific Northwest companies navigating a privacy landscape that changes every year, with attorneys who build a program around the data a company actually collects rather than a generic checklist. We keep the company compliant and ready when a breach or a new law arrives.

    We map your actual exposure.

    Privacy obligations depend on the data you collect and where your customers are. We assess what actually applies, including the My Health My Data Act that catches companies off guard, instead of handing you a template.

    We get you ready for a breach.

    Washington gives you thirty days to notify after a breach. We build the incident-response plan before one happens, so you meet the deadline instead of finding it mid-crisis.

    One program, not a patchwork.

    California, other states, the EU. We build a single program calibrated to the strictest rule that applies, which is steadier and cheaper than chasing each law as it surfaces.

      Common questions

      What clientsask us first.

      Does Washington have a privacy law like California's?

      Not a single comprehensive one. Washington's general consumer-privacy bill has failed repeatedly, so there's no CCPA-style statute here. Instead you have a patchwork: the My Health My Data Act (RCW 19.373), breach-notification law, and sector-specific rules, plus other states' and the EU's laws if your customers are there. We figure out which actually apply to you.

      We're not a healthcare company. Does the My Health My Data Act apply to us?

      Possibly, and that surprises a lot of companies. The Act defines consumer health data broadly and reaches far beyond HIPAA providers, covering many businesses that collect data touching health, wellness, fitness, or related inferences (RCW 19.373). Because it's enforceable by private lawsuit through the Consumer Protection Act, getting this wrong is costly. We assess whether you're covered and what compliance requires.

      How much do we need to worry about our vendors?

      A lot, because most data risk runs through them. The analytics, payment, marketing, and cloud vendors that touch your customer data can turn their breach or misuse into your liability without the right contracts. We put data-processing agreements in place, advise on what you can collect and share, and review a vendor's security posture before you hand over data.

      We think we've had a data breach. What now?

      Move quickly, because Washington requires notice to affected residents within thirty days, and notice to the Attorney General if more than five hundred residents are affected (RCW 19.255.010). We help you assess the scope, meet the notification deadlines, manage the legal exposure including under the Consumer Protection Act (RCW 19.86), and document the response. Having a plan in place before this happens makes all the difference.

      We have customers in other states and overseas. Does that change things?

      Yes. Privacy law follows your customers, so California's CCPA, other states' comprehensive laws, and the EU's GDPR can all apply based on where your customers are, not just where you operate. We help you build one privacy program calibrated to the strictest rule that applies, which is more efficient than complying with each regime separately.

      When should we bring in privacy counsel?

      When you start collecting meaningful customer data, before you launch a product or feature that uses personal data, when you sign a major data vendor, and immediately if you suspect a breach. Privacy problems are far cheaper to prevent than to remediate, and the breach clock starts running whether or not you have a plan.

        Insights

        Recentarticles.

        View all articles
        No items found.

        A privacy question?

        Privacy policies, My Health My Data Act compliance, vendor data terms, breach response, and multistate privacy programs for Washington companies.

        Oseran Hahn P.S. · 11225 SE 6th St, Suite 100 · Bellevue, WA 98004

        This content is provided for general informational purposes only and does not constitute legal advice. Viewing this page does not create an attorney-client relationship.