Deadline | High Impact
California Delete Act creates DROP deletion mechanism for data brokers
California's Delete Act requires data brokers to participate in the Data Broker Requests and Opt-Out Platform, with deletion-processing obligations beginning in 2026.
Operator impact: Clinic lead vendors, list brokers, enrichment providers, data brokers, and agencies should review whether patient-adjacent lead data, health-interest segments, and retargeting audiences create data broker compliance exposure.
Effective Jan 1, 2026
Deadline Aug 1, 2026
Effective | High Impact
Connecticut consumer health data amendments restrict health-facility geofencing
Connecticut's privacy framework includes consumer health data protections and geofencing restrictions affecting mental health, reproductive health, and sexual health facility contexts.
Operator impact: Connecticut clinics should review location-based advertising, retargeting audiences, lead-source enrichment, consumer health data classification, consent, vendor contracts, and patient acquisition workflows.
Proposed | High Impact
New Jersey consumer health data privacy bill targets providers and patient data
New Jersey S2969 would establish data privacy protection requirements for consumer health data, health care providers, and patients.
Operator impact: New Jersey clinics should monitor this bill while reviewing privacy policies, consent capture, lead forms, health-data collection, third-party sharing, and advertising-platform integrations.
Proposed | High Impact
Illinois Protect Health Data Privacy Act remains a high-impact proposed privacy bill
Illinois HB3494 would create the Protect Health Data Privacy Act and impose privacy-policy, collection, sharing, storage, and consent requirements around health data.
Operator impact: Illinois-facing clinics, telehealth groups, med spas, and wellness funnels should track the bill and review how they collect, store, share, sell, and use health-related lead and patient data.
Effective | High Impact
Illinois BIPA remains a high-impact risk for aesthetic imaging and biometric workflows
The Illinois Biometric Information Privacy Act creates consent, retention, and disclosure obligations for biometric identifiers and biometric information.
Operator impact: Illinois med spas and aesthetic clinics using facial analysis, skin scanners, photo-mapping, biometric login, voiceprint tools, or AI imaging should review written consent, retention schedules, destruction policies, and vendor agreements.
Effective | High Impact
Texas biometric identifier law applies to capture and commercial use of biometric data
The Texas Capture or Use of Biometric Identifier law regulates capture, disclosure, retention, and destruction of biometric identifiers for commercial purposes.
Operator impact: Texas med spas, aesthetic clinics, and AI-enabled clinics should review facial imaging, biometric logins, voice AI, skin scanning, patient consent, retention schedules, and vendor use of biometric data.
Proposed | Medium Impact
California patient-data advertising watch opened
California is queued for ongoing review around patient data, tracking pixels, consent language, and lead-generation handoffs.
Operator impact: Review landing pages, analytics tags, CRM automations, consent capture, and vendor data flows before scaling paid traffic.
Effective | High Impact
Maryland Online Data Privacy Act creates consumer health data pressure point
Maryland's Online Data Privacy Act took effect October 1, 2025 and includes sensitive-data obligations relevant to consumer health data and digital health marketing workflows.
Operator impact: Maryland-facing clinics should review health-data classification, consent, minimization, analytics tags, retargeting, CRM data flows, vendor contracts, and patient request workflows before scaling digital acquisition.
Effective Oct 1, 2025
Deadline Apr 1, 2026
Effective | High Impact
California AB 45 restricts health care facility geofencing and health-location data use
California AB 45 prohibits certain geofencing and personal-information use around in-person health care service locations.
Operator impact: California clinics, agencies, and lead vendors should review location-based advertising, competitor conquesting, facility geofencing, retargeting, location data vendors, and reproductive or gender-affirming care campaign workflows.
Effective | High Impact
Minnesota Consumer Data Privacy Act creates new privacy obligations
The Minnesota Consumer Data Privacy Act took effect July 31, 2025 and creates privacy rights and business obligations around consumer data collection and use.
Operator impact: Minnesota-facing clinics should review consumer request workflows, data inventories, profiling, automated processing, CRM fields, lead-source data, analytics tags, and vendor agreements.
Effective | High Impact
Virginia restricts reproductive and sexual health information use without consent
Virginia SB 754 prohibits obtaining, disclosing, selling, or disseminating personally identifiable reproductive or sexual health information without consumer consent.
Operator impact: Virginia-facing women’s health, sexual health, hormone, telehealth, and wellness clinics should review lead forms, consent capture, data sharing, ad pixels, vendor contracts, and reproductive or sexual health campaign workflows.
Effective | High Impact
Delaware Personal Data Privacy Act creates privacy obligations for consumer health funnels
The Delaware Personal Data Privacy Act became effective in 2025 and creates consumer privacy rights and controller obligations relevant to health-adjacent digital marketing and lead workflows.
Operator impact: Delaware-facing clinics and vendors should review consumer request workflows, sensitive data handling, opt-out mechanisms, privacy notices, targeted advertising, and CRM/vendor data sharing.
Effective | High Impact
FTC Health Breach Notification Rule remains critical for health funnels and apps
The FTC's amended Health Breach Notification Rule clarifies obligations for many non-HIPAA health apps and related entities, including breach notices for unauthorized disclosures of identifiable health data.
Operator impact: Clinics using quiz funnels, symptom screeners, pixels, CRMs, apps, SMS tools, or patient portals should review data flows before sending health-related events to advertising or analytics platforms.
Effective | High Impact
Oregon Consumer Privacy Act creates broad sensitive-data obligations
The Oregon Consumer Privacy Act creates consumer privacy obligations and applies to sensitive personal data, with relevance for non-HIPAA health, wellness, and lead-generation workflows.
Operator impact: Oregon-facing clinics should review privacy notices, consent, sensitive-data processing, analytics tags, CRM data flows, patient lead forms, opt-out workflows, and third-party data disclosures.
Effective | High Impact
Texas Data Privacy and Security Act applies to sensitive-data and health lead funnels
The Texas Data Privacy and Security Act creates consumer privacy obligations, including requirements around sensitive data and consumer rights.
Operator impact: Texas-facing clinics should review privacy notices, opt-out mechanisms, sensitive-data consent, CRM data flows, retargeting, patient lead forms, vendor contracts, and data-protection assessments.
Effective | Medium Impact
Florida Digital Bill of Rights creates privacy duties for large digital operators
The Florida Digital Bill of Rights creates consumer privacy obligations for covered digital businesses and includes rights around personal data collection and use.
Operator impact: Larger Florida-facing clinic platforms, lead generators, and healthcare marketing vendors should review whether thresholds apply and assess privacy notices, data sharing, targeted ads, sensitive data, and consumer request workflows.
Effective | High Impact
Washington My Health My Data Act governs non-HIPAA consumer health data
Washington's My Health My Data Act protects personal health data that may fall outside HIPAA, including consumer health data collected and shared by digital health, wellness, and lead-generation tools.
Operator impact: Washington-facing clinics should review website pixels, quiz funnels, symptom screeners, CRM events, retargeting, consent language, data sale/sharing, and vendor contracts before scaling paid acquisition.
Effective Mar 31, 2024
Deadline Jun 30, 2024
Effective | High Impact
Nevada SB 370 creates consumer health data privacy obligations
Nevada SB 370 creates consumer health data privacy requirements, including privacy-policy, consent, sale, and geofencing restrictions for certain health data activities.
Operator impact: Nevada-facing clinics and wellness funnels should review health-data privacy policies, affirmative consent, ad platform data flows, geofencing, lead generation, data sharing, and consumer request workflows.
Effective | High Impact
California AB 352 strengthens reproductive health information privacy
California AB 352 amended health information rules to strengthen privacy protections for reproductive health information and related medical information sharing.
Operator impact: California women’s health, fertility, hormone, telehealth, and primary care clinics should review EHR segmentation, information-sharing settings, out-of-state records requests, patient authorization, and reproductive health data workflows.
Effective | Medium Impact
Utah Consumer Privacy Act remains relevant for health-adjacent lead data
The Utah Consumer Privacy Act creates privacy obligations for covered businesses, including opt-out rights and sensitive-data notice requirements.
Operator impact: Utah-facing clinics and vendors should review whether UCPA thresholds apply to health lead forms, quizzes, targeted advertising, CRM data sharing, and sensitive-data processing.
Effective | High Impact
New York bans certain geofencing around health care facilities
New York General Business Law § 394-g restricts geofencing around health care facilities for digital advertising, consumer profiling, or inferring health status.
Operator impact: New York clinics, agencies, and lead-generation partners should review geofenced ad campaigns, competitor-conquesting campaigns, event audiences, inferred-condition audiences, and location-data vendors.
Effective | High Impact
Colorado Privacy Act governs sensitive data and profiling in health-adjacent funnels
The Colorado Privacy Act creates consumer privacy obligations, including duties around sensitive data, opt-out rights, profiling, and data protection assessments.
Operator impact: Colorado-facing clinics should review health lead forms, symptom screeners, CRM segmentation, retargeting, automated profiling, sensitive-data consent, and vendor data protection assessments.