Health advertising and US privacy law – what is at stake?
March 2025 | SPECIAL REPORT: DATA PRIVACY & CYBER SECURITY
Financier Worldwide Magazine
Connecting the right content to the right consumer is an essential part of any advertising campaign. Healthcare is no different. Targeted digital advertising in the healthcare space presents patients with valuable information about specific medications, treatment options and practitioners, as well as options for individuals to take an active role in their medical care. In addition, health advertising is the largest and fastest growing digital advertising market vertical.
However, state and federal regulators have made it a priority to limit the use of health-related personal information for digital advertising. The US Supreme Court’s decision in Dobbs v. Jackson Women’s Health, and the concern that law enforcement will use browsing histories, location information and other data to identify individuals seeking abortions in states where it is under heightened restrictions, have been important drivers of these changes.
However, restrictions on health data use have expanded well beyond the realm of reproductive health and are affecting nearly all sectors of the health and wellness industries, ultimately impacting the data available to connect consumers to relevant health advertising.
The shifting legal and regulatory landscape
Unlike the European Union and many other jurisdictions around the world, the US does not have a national comprehensive privacy law. Instead, the collection and use of consumer personal information, including health information, is governed by state-level laws and by the Federal Trade Commission (FTC).
To date, 20 US states have passed comprehensive privacy laws, and all include health data that is not governed by the Health Insurance Portability and Accountability Act (HIPAA) as a subcategory of ‘sensitive’ data. Most also require opt-in consent to process sensitive data, but they vary in the scope of health data that they include in this category.
Some limit the scope of the definition to ‘medical history, mental or physical health condition, or medical treatment or diagnosis by a health care professional’, while others include any personal data that is ‘collected and analysed concerning a consumer’s health’. California, Colorado and several other states include inferences that ‘reveal’ health conditions in their definitions of sensitive data, even if the personal data that is used to make the inference is not sensitive.
In addition to the numerous comprehensive state privacy laws, Washington state and Nevada have enacted laws specifically to regulate ‘consumer health data’ – any personal data that ‘identifies the consumer’s past, present, or future physical or mental health status’, including, among other things, ‘individual health conditions, treatment, diseases, or diagnosis’, the ‘use or purchase of prescribed medication’, and even ‘bodily functions’.
These laws require detailed consent to ‘collect’ or ‘share’ consumer health data. ‘Selling’ consumer health data requires an even more stringent ‘authorisation’, which requires detailed disclosures and the physical signature of the consumer granting the authorisation. In most use cases for digital advertising, these requirements are effectively impossible to meet, and many businesses are attempting to avoid consumer health data in these states entirely. Washington’s law also offers consumers a private right of action to sue for a violation of their rights under the law, which many anticipate could be used broadly based on the sweeping definition of consumer health data.
At the federal level, the FTC has made it a priority to increase enforcement ‘against illegal use and sharing of highly sensitive data’, including health data that is not protected under HIPAA.
The FTC has long asserted that sharing health-related personal data with third party advertising technology companies without consent constitutes an unfair practice. However, its definition of health data has rapidly expanded.
In recent enforcement cases, the FTC has defined health data broadly to include ‘individually identifiable information relating to the past, present, or future physical or mental health or condition(s) of a consumer’, including ‘information concerning medical or health-related purchases’ (see United States v. Monument, Inc.).
Settlements with location data brokers have also emphasised that precise location information can be used to reveal where an individual seeks medical care, the type of medical care they seek, as well as other health-related attributes (see In the Matter of X-Mode Social, Inc.). As a result of these expanded interpretations, data that has traditionally been considered ‘safe’ for use in advertising may now fall into the FTC’s interpretation of health information and be subject to heightened requirements.
The FTC under the second Trump administration is poised to reduce its use of rulemaking and take a less expansive view of unfair practices under section 5. Many have speculated that this will also mean a less expansive approach to defining and regulating the use of health information.
However, even if the FTC becomes less aggressive in this space, activity in blue-leaning states is only expected to rise. For example, California and Colorado have already indicated a commitment to combatting the effects of Republican-led federal priorities, particularly those related to reproductive healthcare. As a result, companies should continue to expect new laws and focused enforcement action at the state level.
How the digital advertising industry is adapting
The uptick in legal and regulatory scrutiny of health advertising practices has forced the industry to adapt quickly and, in many instances, change fundamental business practices. While many questions remain unanswered about how regulators and courts will interpret statutory definitions of health data, there exist concrete mitigating steps companies can take to reduce their risk of liability under these new enforcement trends, as outlined below.
Seeking opt-in consent across the US. The most straightforward approach to dealing with health data regulation is to apply a uniform consent standard nationally, even if doing so exceeds applicable legal requirements. This approach offers conceptual simplicity and may not require significant changes over time unless states begin to ban certain types of sensitive data processing altogether. However, this approach presents challenges – namely that many participants in the digital advertising marketplace do not interact directly with consumers and have little prospect of collecting consent on their own. In this case, businesses must rely on partner contracts and due diligence, which requires companies to accept some risk.
Suppressing health data in opt-in states. Another approach is to refrain from processing health data about residents of states that require consent. However, this approach is not always viable if a company does not have information about users’ location at the state level. Additionally, this strategy becomes more cumbersome and disruptive to implement and maintain with each new state privacy law, and does not account for FTC risk.
Increasing due diligence. Contracts are central to any compliance approach, but regulators have made clear that relying solely on privacy compliance representations in an agreement will not insulate a party from liability. How to conduct due diligence on the scale that health-related advertising in particular requires is a subject of active discussion within the industry. The absence of settled due diligence standards does not undercut the clear message that relying exclusively on contractual assurances of consent or other conditions relating to health data will fall short of regulators’ expectations.
Avoiding high-risk campaigns. Another option is to adopt targeting strategies that do not depend on high-risk health data, or that do not require health data at all. For example, a pharmaceutical company could target ads for prostate cancer treatments to men over 50, not because they had recently searched for information about the disease or because their individual characteristics indicate that they are likely to develop prostate cancer, but because men in this age group are more likely than the general population to find the advertisement relevant. The difference between these two approaches is that the population-based segment does not rely on individual-level information about a consumer’s likelihood of having a disease.
Pursuing deidentification. Since federal and state privacy laws do not apply to deidentified data, this is an option that arises frequently in health-related digital advertising. The legal requirements for deidentification, however, are stringent. The fact that a persistent identifier stored in a cookie, for example, cannot be used directly to identify a consumer by name without additional information (if at all) does not mean that data associated with the identifier is ‘deidentified’. On the whole, advertising industry participants have accepted that broad statutory definitions generally require them to treat device- or individual-level information associated with advertising as personal data. This is not to say that deidentifying health data for digital advertising is not feasible, but it requires careful analysis and implementation to understand and manage the risks.
Despite the uncertainties that accompany the transition of a new presidential administration, the rush to regulate health data is unlikely to slow down any time soon. The results of enforcement and private suits over the coming months and years could help to resolve legal ambiguity and clarify compliance expectations.
Until then, companies should continue to identify best practices and document their compliance efforts, including strong internal and partner due diligence practices that identify the presence of health information and prevent its misuse.
Aaron Burstein and Alysa Hutnik are partners and Meaghan Donahue is an associate at Kelley Drye & Warren LLP. Mr Burstein can be contacted on +1 (202) 342 8453 or by email: aburstein@kelleydrye.com. Ms Hutnik can be contacted on +1 (202) 342 8603 or by email: ahutnik@kelleydrye.com. Ms Donahue can be contacted on +1 (202) 945 6622 or by email: mdonahue@kelleydrye.com.
© Financier Worldwide
By Aaron Burstein, Alysa Hutnik and Meaghan Donahue, Kelley Drye & Warren LLP