Skip to main content

HB 2380

In Committee

House

Financial services apps

Protecting the personal information of consumers who use financial services applications on their mobile or internet-connected devices.

This status may be delayed. See Action History below for the latest updates.

How does a bill become law?
  1. Introduced: The bill is filed and assigned a number.
  2. Committee: A subject-matter committee holds hearings, takes public testimony, and decides whether to advance the bill.
  3. Floor Vote: The full chamber (House or Senate) debates and votes on the bill.
  4. Opposite Chamber: The bill repeats the committee and floor vote process in the other chamber.
  5. Governor: The Governor reviews the bill and decides whether to sign or veto it.
  6. Signed: The bill has been signed into law.
Introduced: January 11, 2026
Last Action: January 12, 2026
Status: H ConsPro&Bus

AI Analysis

This analysis was generated by AI and may contain errors. It is not legal advice. Always refer to the official bill text for authoritative information.
People & CommunitiesPeople-leaningCorporate & Wealthy Interests

This bill gives Washington consumers new control over how their personal data is used by financial apps. It requires banks and other financial institutions to clearly disclose data practices and let users opt out of non-essential data collection and sharing—especially with third-party apps—while allowing data use that is strictly necessary to provide banking services.

  • Requires financial institutions to disclose to consumers when their personal information is collected, stored, or shared by the institution’s app—or by third-party apps—when such use is not essential to providing the banking service.
  • Gives consumers the right to opt out of non-essential collection, storage, or sharing of personal information through the financial institution’s mobile or internet app.
  • Prohibits financial institutions from collecting or sharing consumer data from third-party apps installed on the user’s device, unless the activity is necessary to provide the banking service.
  • Allows financial institutions to avoid the opt-out requirement only if their app is designed to collect, store, or share data *solely* for essential banking functions and in line with the consumer agreement.
  • Makes violations of the law enforceable under the Consumer Protection Act, allowing consumers or the Attorney General to sue for $7,500 per violation (or actual damages, whichever is greater).

Who is affected

  • Consumers of financial appsConsumers who use mobile or internet apps to access banking services (e.g., checking accounts, loans, investments) gain new rights to control how their personal data is collected and shared—especially with third-party apps—when that data is not essential to providing the banking service.
  • Financial institutionsBanks, credit unions, broker-dealers, and investment advisers that offer mobile or online banking must update their apps and privacy practices to comply with new disclosure and opt-out requirements, and may face penalties for violations.
  • Third-party app developersDevelopers and operators of third-party apps (e.g., budgeting, investment, or bill-paying apps) that integrate with financial institutions may lose access to consumer data unless financial institutions restrict such sharing or obtain explicit consumer consent.
Effective: July 1, 2026Fiscal impact: The bill authorizes statutory damages of $7,500 per violation (or actual damages, whichever is greater), which could result in significant liability for financial institutions that fail to comply. The Attorney General may recover restitution for injured consumers, but the bill does not specify state funding for enforcement.
Model: Intel/Qwen3-Coder-Next-int4-AutoRoundGenerated: Mar 19, 2026 at 7:56 PM

Pro/Con Analysis

Stronger case for benefits

Potential Benefits (5)
  • Consumers gain meaningful control over how their financial data is collected and shared — especially from third-party apps — reducing the risk of non-consensual data harvesting, identity theft, and surveillance-based pricing, which disproportionately harms low-income and vulnerable users who may lack resources to monitor or correct data misuse.

    Rights & LibertiesPeopleRef: Sec. 2(2)(c), Sec. 2(1)(a)(ii)
  • Mandatory clear disclosures and opt-out mechanisms empower consumers to make informed choices about data use, aligning with growing public expectations of digital privacy and reducing exploitative practices like behavioral tracking and microtargeting in financial services.

    Rights & LibertiesPeopleRef: Sec. 2(1)(a)(i), Sec. 2(2)(a)-(c)
  • Enforceability under the Consumer Protection Act with $7,500 statutory damages creates a strong deterrent against abusive data practices and gives consumers — especially those harmed by data misuse — a practical path to seek redress, even without proving specific monetary loss.

    Rights & LibertiesPeopleRef: Sec. 3
  • Banks and credit unions that prioritize privacy and security may gain competitive advantage by offering fully “clean” apps (no third-party data sharing), attracting privacy-conscious consumers — particularly younger users who value data sovereignty and may switch institutions based on this feature.

    Business & EmploymentPeopleRef: Sec. 2(3)(b)(iii)
  • Reducing data leakage to third-party apps lowers the risk of large-scale data breaches originating from less-secure fintech partners — protecting consumers from fraud and identity theft, especially those with limited financial literacy who may unknowingly grant excessive permissions to budgeting or investment apps.

    Public SafetyPeopleRef: Sec. 2(1)(a)(ii), Sec. 2(2)(b)
Potential Concerns (5)
  • Financial institutions will need to redesign apps and internal data governance systems to comply with opt-out requirements, potentially increasing operational costs and limiting data-driven product development — especially for institutions offering free or low-fee services that rely on data monetization to offset costs.

    Business & EmploymentPeopleRef: Sec. 2(1)(a)(ii), Sec. 2(1)(b)
  • The $7,500 per-violation statutory damages provision creates significant liability exposure for financial institutions, potentially discouraging innovation in app features or partnerships with third-party fintech providers due to fear of litigation — especially for smaller credit unions and community banks with limited legal resources.

    Business & EmploymentPeopleRef: Sec. 3
  • The exemption for data use “necessary to provide a banking service” is ambiguous — without clear regulatory guidance, institutions may over-comply (e.g., disabling useful features like fraud detection or personalized budgeting tools) or under-comply (risking enforcement), creating uncertainty that could delay or reduce investment in digital banking improvements.

    Business & EmploymentLean peopleRef: Sec. 2(3)(a)
  • Third-party app developers (e.g., Mint, YNAB, personal finance tools) may lose access to aggregated, anonymized, or user-consented data flows from financial institutions, reducing their ability to offer integrated financial management tools — especially harmful for small developers who rely on bank data partnerships to sustain their business models.

    Business & EmploymentPeopleRef: Sec. 2(1)(a)(ii), Sec. 2(1)(b)
  • By limiting financial institutions’ ability to share data with third-party apps, the bill may hinder law enforcement access to transaction data in fraud or financial crime investigations — though the bill does not explicitly prohibit law enforcement access, the opt-out framework could create operational friction in data requests from non-consenting users.

    Public SafetyLean peopleRef: Sec. 3

Who Is Most Affected

Consumers of financial appsPositive Impact

Low- and middle-income consumers benefit most: they are more likely to use free banking apps that monetize data, more vulnerable to identity theft, and less able to afford legal recourse without strong statutory damages. The opt-out right and $7,500 penalty significantly improve their ability to protect themselves.

Financial institutionsMixed Impact

Large financial institutions with mature data governance teams may absorb compliance costs more easily than small banks and credit unions, which face disproportionate burden. However, all institutions benefit from reduced liability risk if they proactively comply — though the $7,500 penalty still creates significant risk exposure.

Third-party app developersNegative Impact

Third-party app developers — especially small and mid-sized fintechs — face major disruption: they lose access to data that previously enabled seamless budgeting, investment, and loan underwriting features. Only large platforms with alternative data sources (e.g., direct user onboarding) may adapt; others may shrink or exit the market.

Consumer advocacy and legal communityPositive Impact

Attorneys and consumer rights groups stand to benefit from increased enforcement opportunities under the Consumer Protection Act, especially class actions — but this is an indirect effect, not a direct stakeholder group.

State government (enforcement agencies)Negative Impact

State courts and the Attorney General’s office will face increased caseloads related to data privacy enforcement, but the bill does not allocate new funding — potentially straining existing resources without offsetting support.

Sponsors

Representative Low(Republican)District 39Primary
Representative Kloba(Democrat)District 1Secondary
Representative Graham(Republican)District 6Secondary