Consumer Health Data Privacy Notices by the Numbers
Today, FPF is releasing an infographic that provides insights into how organizations are responding to the transparency requirements of recently enacted U.S. state health privacy laws. The infographic reflects a survey of privacy notices on the websites of 180+ companies across a variety of industries and sectors, from pharmaceutical to apparel.
Two key laws enacted on March 31, 2024 formed the basis for the survey: Washington’s My Health, My Data Act and Nevada’s SB 370. Both laws create specific obligations for online transparency notices on websites, requiring detail about what health information is collected, although each law has a slightly different definition of health information (including reproductive and gender-affirming care information).
- The Washington ‘My Health, My Data’ Act (“MHMDA”) establishes a duty for regulated entities to maintain and adhere to a “consumer health data privacy policy” that makes a specific set of disclosures and to “prominently publish” a link to this policy on its homepage. WA MHMDA defines health information as “personally identifiable information that is linked or reasonably capable of being linked to a consumer” and “identifies the consumer’s past, present, or future physical or mental health status.”
- Chapter 603A of the Nevada Revised Statutes (“NV SB 370”) establishes a duty for regulated entities to develop and maintain a consumer health data privacy policy that “clearly and conspicuously” makes a specific set of disclosures. The law defines a use-based range of “consumer health data” that applies to information that a regulated entity “uses to identify the past, present or future health status of the consumer,” excluding certain personal information concerning consumer shopping habits and interests.
Of the 180+ companies surveyed, 40% had a consumer health data notice or policy on their websites. When consulting the general privacy notice or policy, 62% of organizations provided notice that some form of health data was collected within the relevant statutory definitions. Several policies explicitly stated that no health data “as defined by state laws” was collected, used, or sold. Although many consider WA MHMDA to require a standalone notice, 40% of the websites that had a notice bundled information related to MHMDA and NV SB 370 into the same text (e.g., MHMDA “and similar laws”).
Other findings:
- All industries, when taken separately, reflected an even or nearly even split in having a notice or not (e.g., in a subsample of ten retailers, 50% would have a notice and 50% would not). The exception to this was pharmaceutical and life sciences companies, where 90% of surveyed websites had notices.
- For 70% of surveyed websites that included notices, those notices were linked in the homepage footer; two websites also linked notices from their consent or cookie banners.
- 15% of websites with notices had entirely separate and explicit policies for WA MHMDA and NV SB 370.
- 87% of companies surveyed that are headquartered in Washington State had notices on their websites.
This data provides a bird’s-eye view of the landscape of approaches to transparency around consumer health data. Privacy leaders may use these metrics to compare their approaches in publishing privacy notices to broader industry norms, or to initiate discussion in their organizations, including on decisions to either create bundled or standalone notices, standalone notice webpages, or to link to notices on homepages.
The data in this survey were collected April 12-17, shortly after the enactment of the two relevant laws. The sampled organizations represent a highly diverse range of companies, with an emphasis on companies with a health focus or a wellness component. Many thanks to Niharika Vattikonda, Angela Guo, and Jeter Sison for the tireless data work on this project!
Limitations: Data was limited to websites accessed via desktop. App interfaces were not included in the survey. No virtual private networks (VPNs) were used (e.g., a VPN based in Washington State).
Please reach out to Jordan Wrigley, Data and Policy Analyst for Health & Wellness ([email protected]), to discuss these findings or to learn more about FPF Health & Wellness projects!