The Shifting Landscape of State Consumer Health Data Laws

On February 10, 2025, a private plaintiff in Washington State filed a putative class action lawsuit against Amazon.com Inc. and Amazon Advertising, LLC (“Amazon”). She alleges violations of Washington’s My Health My Data Act, which came into force on March 31, 2024 and provides a private right of action. Namely, the plaintiff alleges that Amazon’s advertising software development kits, which are used by numerous mobile app developers, harvested her consumer health data, including her location and biometric data, without her consent. This is the first lawsuit of its kind, and it marks a significant moment in the realm of consumer health data protection.

Currently, Washington, Nevada, and Connecticut have enacted consumer health data laws, with New York poised to join them if Governor Hochul signs Senate Bill 929 into law. These state laws were prompted largely by the Supreme Court's overturning of Roe v. Wade in 2022, as state legislatures scrambled to address privacy concerns of health data not otherwise subject to the federal Health Insurance Portability and Accountability Act (“HIPAA”), such as information from period tracking apps or purchases of reproductive healthcare products. In some cases, states regulate entities that do not collect traditional health information but instead make inferences about an individual’s health based on their non-health product purchases.

These state-level laws represent a significant shift in the privacy landscape, because they require that businesses receive opt-in consent from consumers, which is not the norm in the United States. These heightened privacy law requirements have also increased the cost of doing business, particularly for SaaS, DTC, and Consumer Tech brands that neither operate in traditional healthcare settings nor are otherwise HIPAA-covered entities.

Below we provide an overview of each state’s laws, and what they require of businesses.

Washington's My Health My Data Act

Washington's My Health My Data Act (“MHMD”) applies to entities that conduct business in Washington or produce products and services targeted to Washington consumers, and determine the purpose and means of collecting consumer health data. (When it first went into effect last March, MHMD contained a small business exception to provide more time for implementation; that delay sunsetted in June 2024.)

The law defines consumer health data broadly, including not only traditional health information but also biometric data and precise location information that could indicate health-related activities. Most consumer health apps, even for fitness or dieting purposes, are implicated, as they record or measure “bodily functions, vital signs, symptoms, or measurements of information.” The definition also includes “inferences” made about consumers from non-health data, such as a retailer assigning shoppers a “pregnancy prediction score” based on their purchase of certain products. HIPAA-covered data is excluded.

Key requirements of MHMD for regulated entities include:

  1. Obtaining opt-in consent for collecting or sharing consumer health data beyond what is necessary to provide a requested product or service. (MHMD defines “collect” broadly, as “to buy, rent, access, retain, receive, acquire, infer, derive, or otherwise process consumer health data in any manner.”)

  2. Maintaining a consumer health data-specific privacy policy, and “prominently” publishing a link to the policy on the homepage.

  3. Establishing, implementing, and maintaining reasonable data security and cybersecurity protocols.

  4. Limiting access to consumer health data to necessary employees, processors, and contractors.

  5. Limiting processing of consumer health data “pursuant to” and “consistent with” a binding contract between the processor and the regulated entity. (Processors must in turn “assist” regulated entities with fulfilling their obligations under the law.)

  6. Honoring consumer rights to access and delete their health data, as well as revoke their previously given consent.

  7. Obtaining authorization for the sale of health data, defined broadly to include exchanges for "valuable consideration."

  8. Restricting geofencing of healthcare facilities to collect health data or send health-related communications.

MHMD exempts data that is anonymized (cannot reasonably be linked to, or used to infer information about, a consumer) where the organization takes reasonable measures to prevent reidentification. It also exempts data subject to certain federal and state privacy laws, such as HIPAA (mentioned above), as well as the Gramm-Leach-Bliley Act, the Family Educational Rights and Privacy Act, the Fair Credit Reporting Act, the Social Security Act, and Washington’s state insurance rules. There are also narrow exceptions for certain types of research and clinical trials.

The Washington State Attorney General can enforce violations of MHMD. Violations of MHMD may be a per se violation of Washington’s Consumer Protection Act, which authorizes a fine of up to $7,500 per violation.

The law also provides a private right of action, allowing individuals to bring lawsuits directly against businesses for violations, as in Maxwell et al. v. Amazon.com, Inc. and Amazon Advertising LLC.

Nevada's Consumer Health Data Law

Nevada's Senate Bill 370 (SB 370) applies to entities that collect consumer health data from Nevada consumers, including non-residents if their data is collected in the state. The law does not exempt non-profits. HIPAA-covered entities (and information that has been de-identified in accordance with HIPAA) are exempt from the law, as are businesses that must comply with the Gramm-Leach-Bliley Act. There are also narrow exemptions for research, state agencies, and law enforcement.

Key features of SB 370 include:

  1. Requiring “affirmative, voluntary consent” for the collection and sharing of consumer health data.

  2. Mandating consent for sharing consumer health data, which must be “separate and distinct” from the consent for collection.

  3. Requiring written authorization for selling consumer health data, with specific content requirements. (Businesses may not condition the provision of goods or services on receiving authorization to sell data.)

  4. Allowing consumers to revoke their consent.

  5. Maintaining a consumer health data privacy policy, which “clearly and conspicuously” establishes the categories of data collected and shared, and the purposes for the collection and sharing, among other things.

  6. Limiting processing of consumer health data “pursuant to” a contract between the processor and the regulated entity. (If a processor processes consumer health data outside the scope of or inconsistently with their contract with a regulated entity, it will be “deemed a regulated entity.”)

The Nevada Attorney General enforces SB 370 and may seek injunctions and civil penalties of up to $10,000 per violation. Unlike Washington's law, SB 370 does not include a private right of action.

Connecticut's Expanded Data Privacy Law

Connecticut took a different approach than Washington and Nevada by amending its existing comprehensive privacy law to include a definition of consumer health data. The amendment now creates obligations and limitations on health-related data that is not covered by HIPAA—similar to Washington’s MHMD and Nevada’s SB 370. But Connecticut’s law is narrower in scope than Washington’s and Nevada’s comparable laws.

Before the amendment, the Connecticut Data Privacy Act (CTDPA) already classified certain health data as “sensitive data” to the extent it “reveal[s] . . . mental or physical health condition or diagnosis.” The amendment (which took effect on October 1, 2023) expands this definition to include “consumer health data,” which is in turn defined as “any personal data that a controller uses to identify a consumer's physical or mental health condition or diagnosis.”

Key aspects of Connecticut's law include:

  1. Requiring opt-in consent for consumer health data, which cannot be bundled with unrelated information.

  2. Defining consent as a clear affirmative act signifying freely given, specific, informed, and unambiguous agreement. (Consent also does not include hovering over, muting, pausing, or closing a given piece of content, or an agreement obtained through use of dark patterns.)

  3. Applying to entities that are consumer health data controllers, even if they do not meet the other thresholds in the CTDPA.

Like Washington’s MHMD and Nevada’s SB 370, the amendment does not contain an exemption for nonprofit entities. But it does retain the CTDPA’s other entity-level exemptions, including for state and local government agencies and their contractors, higher education institutions, and entities governed by HIPAA and the Gramm-Leach-Bliley Act.

The Connecticut Attorney General enforces the CTDPA, and there is no private right of action. Violations of the CTDPA can result in civil penalties, injunctive relief, restitution, and disgorgement. The penalties can be up to $5,000 per violation under the Connecticut Unfair Trade Practices Act.

New York's Proposed Health Information Privacy Act

New York's Health Information Privacy Act (“NY HIPA”), which awaits Governor Hochul’s signature (or veto), would govern the processing of regulated health information, defined broadly to include information processed in connection with an individual's physical or mental health. Unlike the other state laws, New York’s proposed law has various and specific requirements regarding how to implement the opt-in consent (and revocation) methods for consumers. These requirements may be burdensome and difficult to implement for most businesses, requiring heavy Product and Engineering resources.

Unlike Washington’s MHMD, the proposed New York law does not contain numerical thresholds for what constitutes a small business. The law would regulate for-profit and not-for-profit entities, small businesses, and non-New York-based companies that collect health data pertaining to a New York-based resident.

Key proposed features of NY HIPA (Senate Bill 929) include:

  1. Requiring authorization before processing an individual’s regulated health information, which must be made separately from any other transaction and “at least twenty-four hours after an individual creates an account or first uses the requested product or services.”

  2. Allowing individuals to provide or withhold authorization for each separate category of processing activities.

  3. Providing an effective, efficient, and easy-to-use mechanism for individuals to revoke authorization at any time, through the same interface that the individual regularly uses.

  4. Creating strong data subject rights and notice requirements. For example, within thirty days of receiving a request to access or delete one’s health information, the regulated entity would have to make available a copy of all regulated health information it maintains about that individual or delete the information, depending on the request.

  5. Communicating data subject rights requests to any service providers (unless impossible or it involves disproportionate effort) that processed the individual’s health information within one year preceding the deletion request, and then the service providers in turn must delete the information within thirty days of receiving notice.

  6. Maintaining a publicly available retention schedule for disposing of an individual’s regulated health information, which, in no event, can be later than sixty days after it is no longer necessary to maintain the information for the permissible purpose or purposes identified in the notice or for which the individual provided valid authorization.

As of now, NY HIPA has not been enacted. If signed into law, the New York Attorney General would be responsible for its enforcement, with a six-year statute of limitations for any action or special proceeding. The proposed law also provides that the Attorney General may implement further rulemaking.

The Takeaways

As the landscape of consumer health data privacy laws continues to evolve, businesses operating in or targeting consumers in Washington, Nevada, Connecticut, and potentially New York must remain vigilant and proactive in their compliance efforts. These state-level consumer health data laws represent a significant shift in the privacy landscape, extending protections beyond traditional healthcare settings and HIPAA-covered entities.

Key takeaways for businesses include:

  • Broader scope: Consumer health data is being defined more expansively, encompassing a wide range of information beyond traditional medical records. Even companies that do not think they collect consumer health data (such as restaurants that record allergies or health conditions) may be subject to certain states’ laws.

  • Stricter consent requirements: Opt-in consent is becoming the norm, with some states requiring separate consent for the collection, sharing, and selling of data. This is a remarkable shift, as most state comprehensive privacy laws are built around opt-out consent. (Even California’s CCPA—which many tech companies are subject to based on their gross annual revenue exceeding $25 million—requires only opt-outs for disclosing or sharing sensitive personal information.) Practically speaking, this means that unless a company is a HIPAA-covered entity, it is unlikely to have opt-in consent mechanisms already built into its user interfaces and data flows. Complying with these laws may require a heavy lift from the Product and Data teams, and/or an expensive third-party solution for consents and data subject rights requests.

  • Enhanced consumer rights: Laws are granting consumers greater control over their health data, including rights to access, delete, and revoke consent.

  • Increased enforcement: With state attorney general enforcement and, in the case of Washington, the added private right of action, the stakes for non-compliance are higher than ever. Businesses and class action attorneys alike will be tracking the motion practice in the lawsuit against Amazon and whether the judge broadly applies or limits the scope of Washington’s MHMD.

  • Varied compliance requirements: Each state law has its unique features, necessitating a nuanced approach to compliance across different jurisdictions.

Another key takeaway is that these heightened privacy law requirements have also increased the cost of doing business, particularly for SaaS, DTC, and Consumer Tech companies.

As more states consider similar legislation, businesses collecting and processing consumer health data will need to carefully navigate this complex and evolving environment. Companies should consider conducting thorough data protection assessments, updating privacy policies (including creating new ones), and, if necessary, implementing appropriate opt-in consent mechanisms. These tools are part of the services that AMBART LAW provides in our fractional outside GC program. You can learn more about these cost-effective and predictable-fee services below or by scheduling a consultation.

This blog post is courtesy of AMBART LAW and our founder, Yelena Ambartsumian (CIPP/US). It is for general information purposes only and may not be relied upon for legal advice.
