Health data privacy takes center stage as legislation advances

Julie Rubash, Chief Privacy Counsel
March 13, 2023

Want to receive these weekly privacy recaps in your inbox? Sign up for our privacy newsletter, A Little Privacy, Please.


Health Data Privacy Takes Focus From All Angles

Three major developments occurred over the last week in health data privacy:

1. The Washington state House of Representatives passed (moving the legislation to the Senate) HB 1155, a bill that would prohibit the sale of non-HIPAA-protected consumer health data and require consumer consent before personal health-related data is shared or collected.

2. U.S. Senators introduced the Uphold Privacy Act, federal legislation that would restrict companies’ ability to collect or use information about personal health without user consent and prohibit profiting off of personally identifiable health data for advertising purposes

3. A class action lawsuit (Case 5:23-cv-01033-NC) was filed against online mental health counseling service BetterHelp, alleging that its sharing of identifying data and health information with third-party advertising platforms (despite promises that user health information would stay private) constituted a deceptive and unfair marketing practice. 


These developments, combined with increasing action from the FTC regarding health data privacy and progressing health data legislation in several other states, demonstrate that health data privacy is taking center stage in the eyes of legislators, regulators and plaintiffs’ attorneys. 

Read more about the proposed FTC settlement with BetterHelp.

Three States Pass Comprehensive Privacy Bills Through One Chamber

The Hawaii and Iowa Senates and Oklahoma House passed comprehensive privacy bills, moving the legislation through to the opposite chamber. 


These states join Montana and Indiana, totalling five states that have passed comprehensive privacy legislation through one chamber in 2023.

All of these bills largely resemble existing comprehensive state privacy laws, with the exception of Oklahoma, which would be the first state to require explicit opt-in consent for the general collection and processing of personal information.

This is the third year that such legislation has passed the Oklahoma House, however, and previous attempts have failed to see movement in the Senate. 


UK Introduces Data Protection Reform Bill

UK Technology Secretary Michelle Donelan introduced the Data Protection and Digital Information Bill, which her press release described as a “new common-sense-led UK version of the EU’s GDPR”.

According to the press release, the goal of the legislation is to take the best elements of GDPR and provide businesses with more flexibility, while still maintaining adequacy with the EU.


The legislation still requires the same lawful bases for processing Personal Data as the UK GDPR (which may include consent or legitimate interest, among other bases). It also continues, like existing PECR, to require consent for access to terminal equipment for certain purposes.

However, it does provide more specific detail than the UK GDPR and PECR about the purposes that may constitute legitimate interest under the UK GDPR or an exception to the consent requirement under PECR, presumably to aid in taking the guesswork out of the consent process for businesses. 

Want more of the privacy highlights that matter to adtech and martech? Sign up for our privacy newsletter, A Little Privacy, Please.

A Little Privacy, Please weekly recaps are provided for general, informational purposes only, do not constitute legal advice, and should not be relied upon for legal decision-making. Please consult an attorney to determine how legal updates may impact you or your business.

Latest Blog Posts

Vermont Data Privacy Bill Is Vetoed

June 17, 2024

Vermont Governor announced his veto of a bill that...

You Are Who You Work With: Cookie Consent and Data Privacy

June 11, 2024

Who you work with for consent management and data...

Texas AG Prepares for “Aggressive Enforcement” of Privacy Laws

June 10, 2024

Texas Attorney General announced a data privacy and security...

Latest White Papers

Benchmark Report: US Privacy Compliance

August 19, 2022

The current state of publisher compliance with CCPA, and...

Ebook: A Publisher’s Guide to Vendor List Curation

December 16, 2021

How to review your vendor list to mitigate compliance...

Keep in touch

Sign up for our newsletter to keep up with privacy news for adtech and martech,
plus occasional company news.

Let's explore what we can do together.

We'll be in touch within 48 hours

[contact-form-7 id="593" title="Schedule a Demo"]