Blog
New York’s S9269 Advances as ICO Finalizes Consumer IoT Guidance
June 16, 2026
Want to receive these privacy recaps in your inbox each week? Subscribe here.
New York’s revised health privacy bill, S9269, has been sent to the Governor for signature, giving regulated entities just six months to prepare if enacted, half the time originally proposed. Across the Atlantic, the UK’s Information Commissioner’s Office has published finalized guidance for consumer IoT products, offering new graphics and examples to help organizations meet transparency and consent requirements.
Keep reading to learn more and discover my takeaways.
United states
New York Sends Consumer Health Privacy Bill to the Governor, Again.
New York S9269, which aims to enact the New York Health Information Privacy Act, has been sent to the Governor, six months after a similar bill (S929) was vetoed. If signed this time, the bill will take effect 6 months after enactment, which is shortened from the S929 effective date of 1 year after enactment. This places the new bill’s effective date around the same time the previous bill was set to take effect, giving companies half the preparation time.
TAKEAWAY
If signed, Regulated Entities under S9269 will be required to obtain “valid authorization” to process or sell Regulated Health Information unless strictly necessary, which is unchanged from S929. However, S9269 broadens certain carveouts to that requirement, specifically adding a carveout for “developing, improving, or repairing” a product, feature, or service, in addition to the existing carveouts for fraud, security, legal claims, and internal business operations. Like S929, S9269 expressly does not include carveouts for marketing, advertising, research or providing products to third parties.
The definition of “Regulated Entities,” like S929, still potentially reaches much further than Washington’s My Health My Data Act. However, it is now structured slightly differently from S9269. It still applies to entities that control the processing of regulated health information of a New York resident or someone physically present in New York, but it now only applies to entities located in New York if they control the processing of regulated health information of someone meeting the aforementioned criteria or who is seeking or receiving services in New York (S929 applied to all New York entities, irrespective of processing activities).
S9269’s definition of “Regulated Health Information” is now much closer to Washington’s definition. S929’s simpler, although arguably less precise definition (“any information that is reasonably linkable to an individual or a device and is collected or processed in connection with the physical or mental health of an individual”) has been replaced with a two-part test, covering information that is: (1) reasonably linkable directly or indirectly to an identified or identifiable individual, including via persistent unique identifiers, AND (2) collected or processed in connection with an individual’s past, present, or future physical or mental health status, with the same thirteen enumerated categories of health status that fall under the Washington definition.
Another change from S929 is S9269’s elimination of a 24-hour waiting period that S929 imposed on businesses. Previously, businesses could not seek valid authorization until 24 hours after an individual created an account or first used a product; S9269 no longer requires this.
S9269 also provides more flexibility for the signature process itself, allowing for a signature or “other form of unambiguous affirmative consent” instead of just a signature. Like in S929, valid authorization under S9269 must still be separate from any transaction, and individuals must be able to give or withhold consent to each processing category individually. S9269 does include some new requirements though that did not appear under S929: authorization requests must be in at least 12-point font and must explicitly state that the processing is not strictly necessary and that declining will not prevent use of the service. Like S929, but unlike Washington’s My Health My Data Act, S9269 does not explicitly provide a private right of action. However, unlike S929, S9269 specifically limits enforcement to the Attorney General, closing a potential loophole in the previous bill.
ICO Publishes Official IOT Guidance.
After a public consultation on its 2025 draft guidance, the UK Information Commissioner’s Office (ICO) published official guidance for consumer Internet of Things (IoT) products and services. The guidance covers the processing of personal information by organizations providing IoT products, as well as user devices where software or apps are installed that enable, configure or control an IoT product’s functionality.
TAKEAWAY
One notable update to the guidance from the original draft version was the addition of several demonstrative graphics and examples, including the following:
Request for consent to personalization on a connected TV: The graphic demonstrates how consent can be sought at appropriate points in the user journey, specifically when features become relevant. In the example, consent for personalization is sought after the user has started exploring apps and content categories on the TV. The user chooses from a list of “favorite shows” to personalize their content.
Multi-user scenarios to demonstrate the controls organization should implement to comply with the transparency principle: Examples now include a graphic of a smart home hub showing a dashboard with privacy settings and information that any user (registered or unregistered) can access and manage; a graphic showing a smart speaker’s accompanying app indicating available product controls for an additional user; a home hub device used in a flat-share, with screens providing certain information to all home hub account holders; and a mobile screen with an accompanying app for a smart security camera used by multiple users for a front door, displaying an activity log and guest access.
Further examples in response to a request for further clarity on relationships involving third-party services in IoT products: The guidance added further examples. The examples now cover controllers, joint controllers making converging decisions, joint controllers making common decisions, separate controllers processing the same personal information for their own purposes, and a processor for one purpose and a controller for another while processing the same personal information.
A LITTLE MORE PRIVACY, IF YOU PLEASE
- Children’s privacy laws: Global compliance overview
- What compliance scan does your website need?
- Opening up the server-side black box: Introducing Event Consent Monitoring
- Who actually enforces privacy laws? Data protection authorities explained
A Little Privacy, Please weekly recaps are provided for general, informational purposes only, do not constitute legal advice, and should not be relied upon for legal decision-making. Please consult an attorney to determine how legal updates may impact you or your business.
Latest Blog Posts
New Jersey Passes Age Appropriate Design Code and Amends Data Privacy Act with New Data Broker Rules
July 7, 2026New Jersey's latest privacy laws include a narrow AADC,...
New York’s S9269 Advances as ICO Finalizes Consumer IoT Guidance
June 16, 2026NY's S9269 health privacy bill heads to the Governor...
Texas App Store Accountability Act Injunction Lifted and CalPrivacy Issues Consumer Guidance
June 9, 2026Texas App Store Accountability Act injunction lifted and CalPrivacy...
Latest White Papers
Connecting Legal & Marketing Teams on Consent and Preferences
February 4, 2025Break down data silos and unlock better collaboration. Marketing...
Navigating Sensitive Data in the U.S.
February 4, 2025Download our comprehensive guide to learn how different states...
Enterprise Guide To Cookie management & Tracker List Curation
July 1, 2024How to review the tracking tech on your websites...