Skip to main content


State by state: Navigating the legislative patchwork of health data in the U.S.

March 8, 2024

In the absence of a successful attempt to establish comprehensive, nationwide data privacy legislation with the American Data Privacy and Protection Act, the landscape of data protection laws continues to change and evolve on a state-by-state basis.

President Biden’s administration is currently crafting a draft executive order (“EO”) to concentrate federal endeavors toward establishing a unified standard for data privacy and security within the United States.

This proposed EO would explicitly forbid U.S. entities and individuals from participating in data transactions that could furnish adversary nations with sensitive or government-related personal data, along with data that might compromise U.S. national security.

Let’s zoom back to the states, where all the buzz is happening… and what you probably missed in the latest updates on U.S. privacy bills. Click on each state to know more!

Did you know? This is the first U.S. healthcare privacy law to apply to non-hospital establishments. It is broader in scope than other U.S. state privacy laws, notably the CCPA, and particularly covers small businesses (i.e., collecting, processing, selling or sharing consumer health data from fewer than 100,000 consumers during the previous year): this is the Washington’s My Health, My Data Act (MHMDA). It comes into force on March 31, 2024.

The Act has significant implications for the Life science industry. Indeed, Life science entities must proactively adapt their data management strategies, including granting consumers the ability to access their information, the right to withdraw their consent and to have their data deleted. MHMDA focuses on a broad definition of “consumer health data” including specific health conditions to biometric data, bodily functions, reproductive health, and even inferences drawn from non-health data. Regulated entities must maintain a “consumer health data privacy policy” linked separately and distinctly on the business’s homepage. To reduce the risk of legal actions, it is advised that entities grasp the scope of “consumer health data” and carefully assess all the data they manage to determine its potential relevance to the MHMDA.

Did you know? The Texas Data Privacy and Security Act (TDPSA) will apply to many companies (i.e., almost anyone conducting business in Texas or providing products or services used by Texans and who handles or participates in the sale of personal data), but small businesses only have one singular requirement: obtaining consent before engaging in the sale of sensitive data.

Larger companies face significant compliance requirements under this legislation, especially if they handle sensitive or biometric data, such as specific privacy policy disclosure obligation, or Data Protection Agreements for certain processing activities.

Did you know? Another round for the New York Health Information Privacy Act that passed the State Senate with a unanimous vote of 61-0 on January 22, 2024, marking its second consecutive year of advancement in the Empire State.

This legislation, mirroring Washington’s approach, concentrates on overseeing health information associated with an individual’s physical or mental well-being.

The features of the law encompass consumer rights, rigorous data security standards, and a distinctive ‘valid authorization’ provision, mandating a 24-hour waiting period between health data registration and service activation, providing sufficient time for individuals to consider their decision before any health-related services are activated.

Despite the absence of a private right of action, the law defers to the Attorney General for the formulation of regulations. This approach hints at the potential evolution of a distinctive healthcare privacy protection model within this state.

Did you know? Nevada Bill (SB 370) provides for a Geofencing Prohibition that prohibits the implementation of geofences near designated healthcare facilities for purposes including tracking consumer movements, collecting health data, and sending related notifications or advertisements.

Nevada legislation is mostly inspired by Washington’s MHMDA but provides for a narrower interpretation of “consumer health data”, less stringent consent standards, and no private right of action. These distinctive features position Nevada as an equally compelling and promising jurisdiction.

Did you know? Illinois has been at the forefront of implementing comprehensive biometric privacy legislation at the state level.

As the Biometric Information Privacy Act (BIPA) of 2008 continues to develop, taking a proactive stand becomes essential. Businesses must conduct comprehensive evaluations of their biometric data security measures and enhance them as needed to adhere closely to BIPA standards. This entails obtaining explicit written consent for data collection and integrating strong data protection measures. Businesses must also stay abreast of legislative changes as they may have substantial implications to their operations.

Did you know? An amended version of Colorado HB 1058 has passed unanimously and aims to broaden the definition of sensitive data to include biological data and neural data (could reveal intimate information about health, mental states, emotions and cognitive functioning).

The Colorado Privacy Act (CPA) does not impose a revenue threshold (unlike the CCPA), which could result in small businesses falling under the scope of comprehensive privacy obligations. Besides, the CPA provides for several rights, including the obligation to avoid secondary use and the duty of care.

Last but not least… the California Court of Appeals ruled that the recently enacted CCPA regulations take immediate effect, rather than being enforced later in March (originally planned on March 29).


Several bills draw inspiration from Washington’s My Health My Data Act, with states like Illinois, New York, Vermont, and Hawaii actively pursuing similar legislation.

Meanwhile, other states are still refining their consumer privacy bills, indicating that the legislative environment is in a state of constant flux. Staying vigilant and informed about potential changes is essential for businesses to ensure compliance and avoid any potential non-compliance issues.

united states privacy


Manon Darms

CIPP/US, Data Protection Lawyer & Personal Development Lead


Nicole Rensonnet

Certified Data Protection Officer & Onboarding and Continuing Training Lead

We are supporting our U.S. clients in all topics related Data Protection & Privacy. Our team of experts can support you in a lot of local regulations. If you are interested, feel free to reach out to our team for support.

Contact us