Comparing New Health Privacy Laws and Their Impact on the Digital Advertising Industry
By Meaghan Donahue – [last updated June 29, 2023]
In the wake of the U.S. Supreme Court’s Dobbs v. Jackson Women’s Health decision, the 2023 legislative session has seen a number of states attempt to pass health-specific privacy laws that put limits on the collection, sharing, and selling of non-HIPAA personal health data. As of this writing, three states –Washington, Nevada, and Connecticut – have passed legislation that broadly define “consumer health data ” and require opt-in consumer consent before regulated entities can collect, share, or sell it. Further, WA and NV implement a heightened standard of consent before the sale of this data, requiring covered entities to obtain written and signed consumer authorization. The laws also contain geofencing prohibitions – WA and NV prohibit geofencing around in person medical facilities, including hospitals and clinics, and CT prohibits it around any mental health facility or reproductive or sexual health facility. New York State took a different approach, passing a stand-alone prohibition on geofencing as part of a larger fiscal bill last month that similarly restricts the ability to create the virtual boundaries around any health care facility. WA’s and NV’s laws are standalone pieces of legislation, while CT’s law amends the CTDPA, making consumer health data a subset of sensitive information.
While substantially similar, these laws also contain key differences, highlighted in greater detail in this comparison chart:
- The Washington My Health My Data Act provides for both Attorney General and private enforcement, while the others only provide for Attorney general enforcement. This has been a major point of contention for members of the industry, concerned that the private right of action may lead to frivolous lawsuits inconsistent with the intent of the law.
- Nevada’s definition of “consumer health data” varies from Washington’s, clarifying that the data in question must actually be used to identify the past, present or future health status of an individual, as opposed to merely being capable of doing so. Nevada also carves out information about a consumer’s shopping habits and interests from its definition. Connecticut’s approach to consumer health data is also materially different and more narrow – defined as “any personal data that a controller uses to identify a consumer’s physical or mental health condition or diagnosis, and includes, but is not limited to, gender-affirming health data and reproductive or sexual health data.”
- Washington’s law sets its geofencing prohibitions at 2,000 feet or less from the perimeter of the physical location, while New York’s is 1,850 feet, and Nevada’s and Connecticut’s is 1,750 feet.
Once effective, these laws will have a major impact on the digital advertising industry, and will create new opt-in requirements for many advertising practices utilizing a large (and ambiguous) category of data. These laws effectively extend beyond what is required by HIPAA and FTC authority. While supportive of the underlying goals of these new laws, the NAI shares the concerns of companies across the digital advertising industry that the sweeping definitions could stifle a range of safe and valuable health advertising practices. To compare the major provisions and definitions, and highlight the potential implications to targeted advertising, the NAI has created this chart. As we continue to engage with state lawmakers and members of the industry on the topic of health data, we welcome feedback or questions.