Blog
New York Passes Health Information Privacy Act; ICO To Review UK’s Top Websites for Cookie Compliance
January 27, 2025

Want to receive these privacy recaps in your inbox each week? Subscribe here.
USA
New York Passes Health Information Privacy Act
The New York legislature passed S929 implementing the Health Information Privacy Act, which, if signed by the Governor, will take effect one year thereafter.
TAKEAWAY
The Health Information Privacy Act resembles, in several respects, Washington’s My Health My Data Act that went into effect in March 2024, but in some respects the New York bill goes one step further in its requirements.
For example, the New York bill requires “valid authorization” to either sell or process regulated health information, unless the processing is strictly necessary. Valid authorization requires the signature (which may be electronic) of the individual and date separately for each category of processing, along with disclosure the types of data to be processed, the nature and specific purposes of the processing, the name or categories of service providers or third parties to which the data will be disclosed and the specific purposes for such disclosure, any valuable consideration the regulated entity will receive for the processing, that failing to provide authorization will not affect the individual’s experience of using the products or services, the expiration date of the authorization (up to one year), and the mechanism for revoking authorization (which must be available through an interface the individual regularly uses in connection with the products and services and, if the user has an account, provide a list of processing activities the user has given authorization for, which can be revoked individually).
This goes above and beyond the requirements in Washington, which only requires heightened authorization for the sale (not any processing) of health information and does not require the same degree of disclosures or withdrawal mechanisms.
The New York bill includes a broad definition of regulated health information which, similar to Washington, includes any inference drawn or derived about an individual’s physical or mental health. Unlike the Washington law though, the New York law is only enforceable by the Attorney General and does not include a private right of action.
Watch our webinar on-demand to learn more about navigating sensitive data requirements in the U.S.
Europe
ICO To Review UK’s Top 1,000 Websites for Cookie Compliance
As part of its “online tracking strategy” for 2025, the UK Information Commissioner’s Office (ICO) announced its plans to bring the UK’s top 1,000 websites into compliance with data protection law.
This includes compliance with the ICO’s newly released “guidance for organisations implementing or considering implementing ‘consent or pay‘ models”, which allows for such models as long consent is freely given, which should be assessed using a list of factors listed by the ICO.
TAKEAWAY
The ICO’s review of the top 1,000 websites is a further extension of previous audits of the top 100 and then the top 200 websites, which resulted in communication of concerns to 134 of those websites, as well as a reprimand to Bonne Terre Limited (aka Sky Betting and Gaming) based on the “potential harms caused by the controvensions” on the website.
The ICO warned at that time that “there will be consequences if organizations breach the law, and people are denied the choice over targeted advertising” and urged “all organizations to assess their cookie banners now to make sure consent can be freely given before a letter arrives from the regulator.”
Watch our open demo showing how Sourcepoint technology can help you assess tracker risks on your website.
Want more of the privacy highlights that matter for consent management and digital marketing? Sign up for our privacy newsletter, A Little Privacy, Please.
A Little Privacy, Please weekly recaps are provided for general, informational purposes only, do not constitute legal advice, and should not be relied upon for legal decision-making. Please consult an attorney to determine how legal updates may impact you or your business.
Latest Blog Posts
New York Passes Health Information Privacy Act; ICO To Review UK’s Top Websites for Cookie Compliance
January 27, 2025The New York legislature passed new health privacy legislation...
Unauthorized Sharing of Location and Driving Data Draws Scrutiny from Texas AG, Illinois Class, and FTC
January 22, 2025Allstate is facing lawsuits from the Texas Attorney General...
New Jersey AG’s Office Provides FAQs Ahead of New Privacy Law; Danish DPA Focus on Shopping Apps
January 13, 2025New Jersey AG's office issued a set of 24...
Latest White Papers
Connecting Legal & Marketing Teams on Consent and Preferences
February 4, 2025Break down data silos and unlock better collaboration. Marketing...
Navigating Sensitive Data in the U.S.
February 4, 2025Download our comprehensive guide to learn how different states...
Enterprise Guide To Cookie management & Tracker List Curation
July 1, 2024How to review the tracking tech on your websites...
Keep in touch
Sign up for our newsletter to keep up with privacy news for adtech and martech,
plus occasional company news.