The forecasted firestorm of new data privacy legislation in 2025 is building. As consumer advocates double down on their ground game at the state level and legislatures continue to experiment with new creative tweaks to the baseline standard, we are likely to see many new laws this year.

The IAPP is already tracking at least eight states with active comprehensive privacy proposals. But this trend is not limited to comprehensive consumer privacy bills. Targeted sectoral bills are also spreading rapidly. The legislative trends from prior sessions are not showing any signs of slowing down.

This includes health privacy protections. Through a series of procedural moves designed for swift passage, a New York bill made its way through both chambers of the state legislature not even a full month into the 2025 legislative session.

The New York Health Information Privacy Act is a strong consent-driven framework with broad implications for any organization that operates in New York or collects health-related data of individuals within the state's borders. After passing the legislature, the bill is likely to be signed by Gov. Kathy Hochul, D-N.Y. If she does not sign or veto the bill by next Monday 3 Feb., it will pass into law with an effective date one year later.

As with Washington's My Health My Data Act, the bill's swift passage was sparked and fueled by concerns about reproductive health data. But in a direct echo of earlier expansive health laws, the scope and operational implications of the likely-to-be-signed legislation are far broader than reproductive health.

Quid pro code

Before you read about the substance of this unique proposal, note that other commentators have pointed out the governor's propensity to use "chapter amendments," which means the legislative text could be marked for clean-up in the coming months. In exchange for her signature, the governor frequently negotiates with legislative leadership and the bill's sponsors for a guarantee to pass updated text. If this process is ongoing, as might be inferred from the plethora of stakeholder outreach to the governor, the existing bill will be signed on schedule and passed into law, but later in this session the original sponsors will propose amended text, pre-approved by the governor, which will also be passed and signed in keeping with the agreement.

'It's common sense'

State Sen. Liz Krueger, D-N.Y., a sponsor of the bill, recently spoke about its intent. Her remarks are worth catching up on because they remind us how legislators view the stakes for health privacy and why these concerns lead them to favor supercharged consent regimes.

"Only health data that is accessible through your hospitals and doctors is HIPAA-protected. Anything else is fair game. So, let's say you buy your menstrual products at a specific store or through a specific online source and then you stop buying them. They can be selling that data, where there's an assumption that now you're pregnant or now you've gone through menopause.

Whose business is that to have that information about you? Nobody's business!

In fact, there's an example over 12 years old now of a specific store tracking a woman's purchases in their store — 'Aha! Looks like she's pregnant!' — then sending out emails to her family members: 'Congratulations on your pregnancy!'

Except suppose you've had a miscarriage. Suppose you didn't plan on continuing that pregnancy or sharing that information with your family members. Why the hell is this sellable product? And there's example after example after example.

So, my bill would put in a privacy requirement that, only if you opt in that they can share that kind of information about your health care and sell it, can they do so. It's common sense."

Nothing is certain but death and consent forms

Irrespective of the sponsor's statement, as drafted, the opt-in requirements in the bill are about much more than sharing or selling covered data.

A legal basis is required for any processing of an individual's regulated health information. Processing means "an operation or set of operations performed on regulated health information, including but not limited to the collection, use, access, sharing, sale, monetization, analysis, retention, creation, generation, derivation, recording, organization, structuring, storage, disclosure, transmission, disposal, licensing, destruction, deletion, modification, or deidentification of regulated health information."

The legal basis receiving the most attention is the strong consent requirement — an annually renewed signed authorization form, physical or digital, which allows the individual to provide separate authorization for each "category of processing activities." Further, consent cannot be conditional. That is, a request for authorization must note that "failing to provide authorization will not affect the individual's experience of using the regulated entity's products or services."

Come back tomorrow with your data

Adopting a mechanism usually only seen in U.S. laws regulating marriages, abortions or gun purchases, the bill would require a 24-hour waiting period when companies rely on the authorization basis for processing covered data.

That is, a request for authorization must be made separately from "any other transaction or part of a transaction" and at least 24 hours after "an individual creates an account or first uses the requested product or service."

Absent consent, processing covered data is banned unless it is "strictly necessary" for one of the following listed purposes, each of which comes with its own notice requirements:

(A) providing or maintaining a specific product or service requested by such individual;

(B) conducting the regulated entity's internal business operations, which exclude any activities related to marketing, advertising, research and development, or providing products or services to third parties;

(C) protecting against malicious, fraudulent, or illegal activity;

(D) detecting, responding to, or preventing security incidents or threats;

(E) protecting the vital interests of an individual;

(F) investigating, establishing, exercising, preparing for, or defending legal claims; or

(G) complying with the regulated entity's legal obligations.

Depending on how one reads the bill, it may also contain a rare outright ban: selling covered data for valuable consideration might be entirely prohibited.

Invisible threads are the strongest ties

The New York bill eschews the usual list of covered data types in favor of something more straightforward, but nonetheless ripe for significant interpretive debate.

"Regulated health information" is defined based on a two-part conjunctive test. First, data must be "reasonably linkable to an individual, or a device." Neither "individual" nor "device" is a defined term, which opens the door for this law to reach situations outside of a consumer or patient context, such as the employment relationship.

The second prong of the test is based on the connectedness of any given data to "the physical or mental health of an individual." Any reasonably linkable information that is collected or processed "in connection with" these attributes is regulated health information.

The definition goes on to name a few undefined special categories of information, which are subject to their own tests for inclusion in the scope of covered data. If my legislative interpretation is correct, "location or payment information" is covered if it "relates to an individual's physical or mental health" with no requirement to be reasonably linkable.

And finally, "any inferences drawn or derived about an individual's physical or mental health" need only meet the linkability requirement to fall within the scope. This makes some logical sense, as such information may not have been collected in connection with health but could be inferred after the fact.

Rulemaking authority, fines, and disgorgement

For those concerned about ambiguous language, it is important to note the bill would authorize the New York attorney general to issue clarifying regulations.

The attorney general is also empowered with broad enforcement authority, including a statutory maximum penalty of USD15,000 per violation or "twenty percent of revenue obtained from New York consumers within the past fiscal year, whichever is greater." In addition, the statute explicitly provides for injunctive authority, restitution, and "disgorgement of any profits obtained directly or indirectly" through a violation.

Unlike the Washington MHMDA, the New York bill does not authorize a private right of action.

Further reading

Smarter privacy lawyers than I have already opined at length about the possible ambiguities and extensive operational implications of the New York bill.

  • Future of Privacy Forum Director of U.S. Legislation Keir Lamont, CIPP/US, analyzed the unexpected departures in the bill from provisions generally included in all privacy laws, from exemptions for public data to a framework for verifying data requests, as well as a lack of common exemptions.
  • Husch Blackwell Partner David Stauss, CIPP/E, CIPP/US, CIPT, FIP, PLS, and Associate Ashton Harris point out the conflict between the apparent structure of the "sale" restrictions, which appears to be a flat ban, and the requirements of requests for authorization, which appear to imply sales can be authorized.
  • Hintze Law Partner Mike Hintze, CIPP/C, CIPP/E, CIPP/G, CIPP/US, CIPM, CIPT, FIP, and Associate Felicity Slater, CIPP/US, remind us that they dove deep into the potentially disruptive consequences of the bill almost a year before everyone else, when nearly the same bill was first introduced in the prior session.

Please send feedback, updates and your signed authorization form to cobun@iapp.org

Cobun Zweifel-Keegan, CIPP/US, CIPM, is the managing director, Washington, D.C., for the IAPP.