HB 2380
In CommitteeHouse
Financial services apps
Protecting the personal information of consumers who use financial services applications on their mobile or internet-connected devices.
This status may be delayed. See Action History below for the latest updates.
How does a bill become law?
- Introduced: The bill is filed and assigned a number.
- Committee: A subject-matter committee holds hearings, takes public testimony, and decides whether to advance the bill.
- Floor Vote: The full chamber (House or Senate) debates and votes on the bill.
- Opposite Chamber: The bill repeats the committee and floor vote process in the other chamber.
- Governor: The Governor reviews the bill and decides whether to sign or veto it.
- Signed: The bill has been signed into law.
AI Analysis
This bill gives Washington consumers new control over how their personal data is used by financial apps. It requires banks and other financial institutions to clearly disclose data practices and let users opt out of non-essential data collection and sharing—especially with third-party apps—while allowing data use that is strictly necessary to provide banking services.
- Requires financial institutions to disclose to consumers when their personal information is collected, stored, or shared by the institution’s app—or by third-party apps—when such use is not essential to providing the banking service.
- Gives consumers the right to opt out of non-essential collection, storage, or sharing of personal information through the financial institution’s mobile or internet app.
- Prohibits financial institutions from collecting or sharing consumer data from third-party apps installed on the user’s device, unless the activity is necessary to provide the banking service.
- Allows financial institutions to avoid the opt-out requirement only if their app is designed to collect, store, or share data *solely* for essential banking functions and in line with the consumer agreement.
- Makes violations of the law enforceable under the Consumer Protection Act, allowing consumers or the Attorney General to sue for $7,500 per violation (or actual damages, whichever is greater).
Who is affected
- Consumers of financial apps — Consumers who use mobile or internet apps to access banking services (e.g., checking accounts, loans, investments) gain new rights to control how their personal data is collected and shared—especially with third-party apps—when that data is not essential to providing the banking service.
- Financial institutions — Banks, credit unions, broker-dealers, and investment advisers that offer mobile or online banking must update their apps and privacy practices to comply with new disclosure and opt-out requirements, and may face penalties for violations.
- Third-party app developers — Developers and operators of third-party apps (e.g., budgeting, investment, or bill-paying apps) that integrate with financial institutions may lose access to consumer data unless financial institutions restrict such sharing or obtain explicit consumer consent.
Pro/Con Analysis
Stronger case for benefits
Potential Benefits (5)
Consumers gain meaningful control over how their financial data is collected and shared — especially from third-party apps — reducing the risk of non-consensual data harvesting, identity theft, and surveillance-based pricing, which disproportionately harms low-income and vulnerable users who may lack resources to monitor or correct data misuse.
Rights & LibertiesPeopleRef: Sec. 2(2)(c), Sec. 2(1)(a)(ii)Mandatory clear disclosures and opt-out mechanisms empower consumers to make informed choices about data use, aligning with growing public expectations of digital privacy and reducing exploitative practices like behavioral tracking and microtargeting in financial services.
Rights & LibertiesPeopleRef: Sec. 2(1)(a)(i), Sec. 2(2)(a)-(c)Enforceability under the Consumer Protection Act with $7,500 statutory damages creates a strong deterrent against abusive data practices and gives consumers — especially those harmed by data misuse — a practical path to seek redress, even without proving specific monetary loss.
Rights & LibertiesPeopleRef: Sec. 3Banks and credit unions that prioritize privacy and security may gain competitive advantage by offering fully “clean” apps (no third-party data sharing), attracting privacy-conscious consumers — particularly younger users who value data sovereignty and may switch institutions based on this feature.
Business & EmploymentPeopleRef: Sec. 2(3)(b)(iii)Reducing data leakage to third-party apps lowers the risk of large-scale data breaches originating from less-secure fintech partners — protecting consumers from fraud and identity theft, especially those with limited financial literacy who may unknowingly grant excessive permissions to budgeting or investment apps.
Public SafetyPeopleRef: Sec. 2(1)(a)(ii), Sec. 2(2)(b)
Potential Concerns (5)
Financial institutions will need to redesign apps and internal data governance systems to comply with opt-out requirements, potentially increasing operational costs and limiting data-driven product development — especially for institutions offering free or low-fee services that rely on data monetization to offset costs.
Business & EmploymentPeopleRef: Sec. 2(1)(a)(ii), Sec. 2(1)(b)The $7,500 per-violation statutory damages provision creates significant liability exposure for financial institutions, potentially discouraging innovation in app features or partnerships with third-party fintech providers due to fear of litigation — especially for smaller credit unions and community banks with limited legal resources.
Business & EmploymentPeopleRef: Sec. 3The exemption for data use “necessary to provide a banking service” is ambiguous — without clear regulatory guidance, institutions may over-comply (e.g., disabling useful features like fraud detection or personalized budgeting tools) or under-comply (risking enforcement), creating uncertainty that could delay or reduce investment in digital banking improvements.
Business & EmploymentLean peopleRef: Sec. 2(3)(a)Third-party app developers (e.g., Mint, YNAB, personal finance tools) may lose access to aggregated, anonymized, or user-consented data flows from financial institutions, reducing their ability to offer integrated financial management tools — especially harmful for small developers who rely on bank data partnerships to sustain their business models.
Business & EmploymentPeopleRef: Sec. 2(1)(a)(ii), Sec. 2(1)(b)By limiting financial institutions’ ability to share data with third-party apps, the bill may hinder law enforcement access to transaction data in fraud or financial crime investigations — though the bill does not explicitly prohibit law enforcement access, the opt-out framework could create operational friction in data requests from non-consenting users.
Public SafetyLean peopleRef: Sec. 3
Who Is Most Affected
Low- and middle-income consumers benefit most: they are more likely to use free banking apps that monetize data, more vulnerable to identity theft, and less able to afford legal recourse without strong statutory damages. The opt-out right and $7,500 penalty significantly improve their ability to protect themselves.
Large financial institutions with mature data governance teams may absorb compliance costs more easily than small banks and credit unions, which face disproportionate burden. However, all institutions benefit from reduced liability risk if they proactively comply — though the $7,500 penalty still creates significant risk exposure.
Third-party app developers — especially small and mid-sized fintechs — face major disruption: they lose access to data that previously enabled seamless budgeting, investment, and loan underwriting features. Only large platforms with alternative data sources (e.g., direct user onboarding) may adapt; others may shrink or exit the market.
Attorneys and consumer rights groups stand to benefit from increased enforcement opportunities under the Consumer Protection Act, especially class actions — but this is an indirect effect, not a direct stakeholder group.
State courts and the Attorney General’s office will face increased caseloads related to data privacy enforcement, but the bill does not allocate new funding — potentially straining existing resources without offsetting support.