
The NAI Develops Factor Analysis for Health-Related Sensitive Personal Information

Toward Clarity in Health-Related Advertising Privacy: A Practical Framework for Identifying Sensitive Health Data

The treatment of health-related personal information in the U.S. privacy landscape is complex and continually evolving. As U.S. laws and regulations have created a series of protections for health-related data outside of traditional healthcare contexts, businesses operating in the digital advertising ecosystem face a growing challenge: balancing consumers’ privacy while preserving the benefits of responsible health-related advertising.

To address this challenge, the NAI has developed a Factor Analysis for Health-Related Sensitive Personal Information (HSPI) (“Factor Analysis”), a structured tool designed to help businesses and policymakers evaluate when personal information processed in advertising contexts may, or may not, qualify as sensitive health data under evolving U.S. legal frameworks. It does so by distilling recurring elements across state laws, federal enforcement themes, and self-regulatory practice into a set of factors that are easier to understand and apply.

This Factor Analysis is grounded in a simple recognition: health-related data sensitivity is rarely determined by a single datapoint in isolation. Instead, sensitivity often emerges from a confluence of factors: how data is collected, what it contains, how it is used, and what risks it creates. This document therefore accounts for that nuance, giving businesses a framework for a thoughtful contextual analysis that supports their efforts to protect consumer data and maintain the benefits of health-related digital advertising.

The Benefits—and the Stakes—of Health-Related Advertising

Health-related advertising plays a meaningful role in the modern digital information ecosystem. Consumers increasingly turn to online resources to understand symptoms, explore treatment options, and manage wellness. In that environment, advertising helps connect individuals with educational campaigns, preventive care resources, and emerging health technologies. 

At the same time, health-related advertising must be conducted with heightened care. Privacy frameworks increasingly classify certain health-related personal information as “sensitive,” triggering enhanced obligations such as opt-in consent, heightened disclosures, and risk assessments. While the policy imperative to protect consumers from harm without undermining access to beneficial health information is clear, the regulatory framework is less clear, and far from uniform.

Why Over-Classification and Under-Classification Both Harm Consumers

The NAI has observed several unintended consequences arising from this regulatory patchwork:

  1. Over-classifying all health-adjacent data as sensitive, imposing heightened restrictions even where data does not meaningfully implicate consumer health.
  2. Under-classifying data that may fall within broad statutory definitions, creating compliance gaps.
  3. Withdrawing from jurisdictions altogether, when uncertainty about “sensitive” classifications creates too many risks, reducing access to beneficial health-related advertising and content. 

None of these outcomes serves consumers well. Underinclusive approaches can expose consumers to privacy harms, while overbroad interpretations and uncertainty can stifle legitimate informational services. What is needed is nuance and a structured framework to operationalize it.

The NAI’s Five-Factor Framework for HSPI

To support consistent, well-reasoned decision-making, the NAI Factor Analysis identifies five recurring elements that appear across state laws, federal enforcement trends, and self-regulatory principles. Rather than dictating legal conclusions, the framework provides a tool for businesses to perform a pragmatic assessment to determine the sensitivity of data based on these five factors: 

Factor 1: The source of the PI being processed

While data originating from healthcare contexts—medical records, insurance claims, reproductive health apps—often directly implicates sensitivity, the same type of data may be collected from different sources, resulting in different outcomes.

Factor 2: The contents of the PI being processed

Some data elements are inherently health-linked: diagnoses, prescriptions, treatment information, or vital signs. Others may only weakly suggest health status, depending on context. 

Factor 3: The intended use of the PI

Perhaps the most operationally important factor: even neutral data can become sensitive if used to infer or assign a health condition to an individual—such as generating “pregnancy prediction scores” using non-sensitive product purchase data.

Factor 4: Whether consumers have a heightened expectation of privacy

Consumers may reasonably expect heightened privacy for certain categories of health-related information, particularly reproductive, sexual, or mental health topics, regardless of technical legal definitions. 

Factor 5: The risk of consumer harm

Sensitivity is naturally tied to potential harm: discrimination, economic exclusion, or misuse of intimate health inferences. This factor encourages balancing risks against consumer benefits. 

Applying the Framework: A Path Forward for Industry and Regulators

The document also provides hypothetical scenarios that show how the factors can be applied in real advertising contexts. These scenarios demonstrate a core takeaway: health-data sensitivity is not binary; it is contextual and fact-dependent.

In some cases, companies may already have a high degree of confidence that the PI they are processing has no nexus to consumer health or the human body and is therefore not HSPI. However, where companies have not already implemented a review process for relevant PI to identify and classify data that may qualify as HSPI, this Factor Analysis provides a model for how to do so. In addition, it may serve to supplement existing review processes for use cases that present novel or nuanced issues where analysis along different factors can help companies arrive at sound classifications. 

The NAI’s Factor Analysis is offered as a practical contribution to the current U.S. legal framework and evolving public policy landscape. It does not replace statutory interpretation or legal advice and is not intended to dictate how companies must classify data. However, it provides something increasingly necessary: a structured, transparent approach to reasoning through relevant considerations in close cases. 

For industry legal professionals, this framework offers a thoughtful and pragmatic methodology for approaching data classification grounded in consistent policy objectives and legal themes. For consumers, it supports a privacy ecosystem that protects against genuine harms while preserving the informational benefits of responsible digital advertising. And for regulators, it explains how to avoid overbroad classifications that can chill beneficial advertising and consumer access to information. 

For more information, contact: media@thenai.org.