States Passing New Restrictions on Health Data Sharing
January 1, 2026
By Gregory Freeman
There is a rapidly expanding wave of state consumer-health-privacy laws reshaping how retailers, wellness brands, e-commerce companies, and digital platforms must handle data that can reveal or infer a person’s health status. These laws reach far beyond HIPAA and apply even when a business provides no medical services, says Paul F. Schmeltzer, JD, member with the Clark Hill law firm in Los Angeles. “Consumer health data” (CHD) now includes purchase patterns, browsing behavior, search queries, app activity, and geolocation near sensitive health locations — any of which can be used to infer pregnancy, mental health conditions, fertility status, chronic illness, or other health-related attributes.
Washington’s My Health My Data Act and Nevada’s SB 370 impose strict opt-in consent requirements, mandate standalone CHD privacy notices, and limit the ability to collect or share health-related information without affirmative authorization, says John F. Howard, JD, senior attorney with the Clark Hill law firm in Scottsdale, AZ.
Washington additionally prohibits geofencing around facilities such as clinics, pharmacies, and reproductive-health centers. California regulates non-HIPAA health data as “sensitive personal information,” triggering data-minimization, purpose-limitation, and consumer rights to access, delete, and opt out of sales or sharing. Connecticut now requires opt-in consent for any collection or processing of CHD and applies its requirements to nonprofits as well, Schmeltzer notes.
Regulators and plaintiffs’ attorneys are focusing heavily on online tracking technologies such as pixels, software development kits (SDKs), cookies, and loyalty tools that transmit URLs, purchase history, and location data capable of implying health conditions, Howard says. Businesses that rely on targeted advertising, personalization algorithms, or health-adjacent consumer profiling face substantial compliance risk. Across these states, organizations must treat health-adjacent data with the same rigor as regulated medical information, with robust consent, transparency, data-mapping, and vendor-contract controls, he says.
Schmeltzer and Howard offer this explanation of what counts as “consumer health data”:
- Purchase history revealing health conditions, such as pregnancy tests or supplements;
- Browsing or search activity tied to symptoms, treatments, or health topics;
- Location data near clinics, pharmacies, or mental health facilities;
- App usage patterns related to sleep, fertility, fitness, or stress;
- Data that merely implies a health condition.
Key legal requirements are emerging across states. Schmeltzer and Howard cite opt-in consent before collecting or sharing CHD, standalone CHD privacy notices (Washington, Nevada), restrictions on health-related geofencing (Washington, Connecticut), mandatory rights to access, deletion, and opt-out (California), and applicability to nonprofits (Connecticut).
Schmeltzer and Howard say the highest-risk business practices include advertising pixels and analytics tools transmitting health-related URLs; loyalty programs combining purchase, location, and profile data; artificial intelligence (AI) recommendation engines that suggest health traits; and location-based marketing near sensitive health facilities.
Enforcement and litigation trends include attorney general scrutiny of the “sale” or “sharing” of health-adjacent data, class actions emerging under Washington’s private right of action, pixel-tracking and cookie litigation under the California Invasion of Privacy Act (CIPA) and state tort law, and increased focus on vendor contracts, data mapping, and transparency.
Even an organization that is a covered entity under HIPAA may hold other data that these laws classify as consumer health data outside the purview of HIPAA, Schmeltzer says. Such organizations should therefore review their compliance obligations under these laws, including the notification and opt-in requirements, he says.
“It would be really a good time for them to just take an audit of any third-party vendors, for example, any business partners that may have access to or share consumer health data with the company,” Schmeltzer says. “By consumer health data, I’m talking about any data that reveals or infers something about the health of an individual. And this is incredibly broad. Because of the broadness of that definition, it’s got a lot of businesses sort of in consternation mode about what are their compliance obligations, and where the demarcation lines between just general data and when it becomes consumer health data.”
Howard notes that healthcare organizations are used to doing data analysis, data review, and risk assessments as it relates to protected health information (PHI) that they get from their patients or through their electronic health records. But now the definition of consumer health data is so broad that they are going to need to take a step back and take a look at any of the other areas where they are collecting data, he says.
“A lot of the areas or times that we see this come up is through marketing and advertising activity or even the analytics of a website. I know, and we all know, that covered entities have been kind of sweating the use of their pixels and tracking technologies for advertising and marketing on their website, especially because of the cases that we’ve seen come out of Texas and the different court decisions in that area,” Howard says. “But this is slightly different than all of that, because it’s not just looking at whether or not PHI is being collected and accessed by these organizations, but it’s actually consumer health data, which is separate and apart from the definition of PHI.”
Schmeltzer says healthcare organizations only now are becoming aware of this risk.
“It’s definitely something that’s sneaking up on a lot of businesses. These laws are sort of coming online in spurts. The first real notable one was Washington’s My Health My Data Act and there was a sort of long rollout for that particular law,” he says. “But since then, we’ve had a few, such as Nevada’s SB 370, and the way that businesses are really finding out, unfortunately a lot of times, is through the threat of litigation and/or the threat of regulatory sort of investigation.”
CIPA has been used recently to go after businesses that have a footprint in California that have technology that tracks users across websites without that user’s consent, Schmeltzer says.
“That’s a big thing recently and that sort of dovetails into all these state privacy laws that really are tackling consumer health data now,” Schmeltzer says. “Even under laws like CIPA, consumer health data and companies that traffic in consumer health data are getting ensnared because resourceful attorneys on the other side are arguing that there is a law from the late ’60s, which was devoted to wiretapping and it is now all of a sudden applicable to tracking technology on a company’s website. So, I think a lot of companies in general are finding out about this, unfortunately, through the threat of litigation or regulatory action.”
Howard notes that some of these laws have been in effect since 2023 but are getting attention only recently because attorneys realized there is a private right of action and the possibility of class action lawsuits.
“I don’t think it’s been hiding. I just think it’s sneaking up on people. But I also think it’s important to point out that this is a trend that we’re seeing pop up in other states as well,” Howard says. “I was actually just reading this morning how Michigan’s legislature is still pondering and working on passing another consumer health data privacy law that will have similar measures to protect the consumer health data, similar geofencing restrictions and things like that. This isn’t just operating in a vacuum and a few jurisdictions. It’s starting to pop up more and more, so if it’s sneaking up now, it’s going to be running full force soon.”
Greg Freeman has worked with Clinician.com and its predecessor companies since 1989, moving from assistant staff writer to executive editor before becoming a freelance writer. He has been the editor of Healthcare Risk Management since 1992 and provides research and content for other Clinician.com products. In addition to his work with Clinician.com, Greg provides other freelance writing services and is the author of seven narrative nonfiction books on wartime experiences and other historical events.
Sources
- John F. Howard, JD, Senior Attorney, Clark Hill, Scottsdale, AZ. Telephone: (480) 684-1133.
- Paul F. Schmeltzer, JD, Member, Clark Hill, Los Angeles. Telephone: (213) 417-5163.