New York Passes Health Information Privacy Act; ICO To Review UK’s Top Websites for Cookie Compliance

Julie Rubash, General Counsel and Chief Privacy Officer
January 27, 2025

USA

New York Passes Health Information Privacy Act

The New York legislature passed S929 implementing the Health Information Privacy Act, which, if signed by the Governor, will take effect one year thereafter.

TAKEAWAY

The Health Information Privacy Act resembles, in several respects, Washington’s My Health My Data Act that went into effect in March 2024, but in some respects the New York bill goes one step further in its requirements.

For example, the New York bill requires “valid authorization” to either sell or process regulated health information, unless the processing is strictly necessary. Valid authorization requires the signature (which may be electronic) of the individual and date separately for each category of processing, along with disclosure of the types of data to be processed, the nature and specific purposes of the processing, the name or categories of service providers or third parties to which the data will be disclosed and the specific purposes for such disclosure, any valuable consideration the regulated entity will receive for the processing, that failing to provide authorization will not affect the individual’s experience of using the products or services, the expiration date of the authorization (up to one year), and the mechanism for revoking authorization (which must be available through an interface the individual regularly uses in connection with the products and services and, if the user has an account, provide a list of processing activities the user has given authorization for, which can be revoked individually).

This goes above and beyond the requirements in Washington, which only requires heightened authorization for the sale (not any processing) of health information and does not require the same degree of disclosures or withdrawal mechanisms.

The New York bill includes a broad definition of regulated health information which, similar to Washington, includes any inference drawn or derived about an individual’s physical or mental health. Unlike the Washington law though, the New York law is only enforceable by the Attorney General and does not include a private right of action.  

Europe

As part of its “online tracking strategy” for 2025, the UK Information Commissioner’s Office (ICO) announced its plans to bring the UK’s top 1,000 websites into compliance with data protection law.

This includes compliance with the ICO’s newly released “guidance for organisations implementing or considering implementing ‘consent or pay’ models”, which allows for such models as long as consent is freely given, which should be assessed using a list of factors provided by the ICO.

TAKEAWAY

The ICO’s review of the top 1,000 websites is a further extension of previous audits of the top 100 and then the top 200 websites, which resulted in communication of concerns to 134 of those websites, as well as a reprimand to Bonne Terre Limited (aka Sky Betting and Gaming) based on the “potential harms caused by the contraventions” on the website.

The ICO warned at that time that “there will be consequences if organizations breach the law, and people are denied the choice over targeted advertising” and urged “all organizations to assess their cookie banners now to make sure consent can be freely given before a letter arrives from the regulator.”

A Little Privacy, Please weekly recaps are provided for general, informational purposes only, do not constitute legal advice, and should not be relied upon for legal decision-making. Please consult an attorney to determine how legal updates may impact you or your business.
