ARTICLE
3 May 2026

IAB Health Privacy Insights

KD
Kelley Drye & Warren LLP

Contributor

Kelley Drye & Warren LLP logo
Kelley Drye & Warren LLP is an AmLaw 200, Chambers ranked, full-service law firm of more than 350 attorneys and other professionals. For more than 180 years, Kelley Drye has provided legal counsel carefully connected to our client’s business strategies and has measured success by the real value we create.
Explore Firm Details
The theme in this issue of Health Privacy Insights is that health-related advertising regulations are becoming broader and deeper.
United States Connecticut New York Privacy
Alysa Hutnik,Aaron Burstein,Andrea DeLorimier
+1 Authors
Kelley Drye & Warren LLP are most popular:
  • within Privacy and Antitrust/Competition Law topic(s)

Introduction

The theme in this issue of Health Privacy Insights is that health-related advertising regulations are becoming broader and deeper.

The now-familiar trend of restricting the use of health data for advertising is intensifying:

  • The Connecticut Attorney General’s most recent privacy enforcement report includes consumer health data among a handful of other top priorities, such as minors’ data, artificial intelligence, and opt-out rights.
  • After a veto in 2025, the New York legislature is again considering one of the most restrictive state laws governing health data. If enacted, the New York Health Information Privacy Act would ban the sale of “restricted health information” and require an extensive authorization for other advertising-related uses of such information. The Minnesota legislature is also considering a bill ( HF 2700) to amend its comprehensive consumer privacy law to set a heightened consent standard to share consumer health data.

But participants in the digital advertising marketplace – particularly brands – should be aware of how other advertising regulations and broader political developments surrounding health could affect them.

  • In the wake of New York’s Algorithmic Pricing Disclosure Act, a long list of states is considering measures that would go beyond requiring businesses to disclose when they engage in “surveillance pricing.” More than a dozen other states are considering algorithmic pricing legislation. New York is also considering amending its own law to ban the use of personal data in personalized algorithmic pricing, among other restrictions. State-level executive branch officials are also backing legislation and leading their own enforcement initiatives. For instance, Maryland Governor Wes Moore proposed legislation that was introduced as SB 387, the Attorney General of Alaska announced a “pricing compliance” initiative, and the California Attorney General in January 2026 announced an investigative sweep of the use of personal data to set prices in the retail, grocery, and hotel sectors.
  • Consistent with themes in the “Make America Healthy Again” movement, federal and state officials announced several regulatory and enforcement measures that target health claims and food additives.

Taken together, these actions and initiatives highlight the intense regulatory scrutiny of all aspects of health related advertising and the need for companies to consider their compliance and risk management processes holistically in this space.

Connecticut’s 2025 Enforcement Report Highlights Health Privacy Focus

The third Enforcement Report issued under the Connecticut Data Privacy Act (CTDPA) declares consumer health data (CHD) to be a continuing “priority,” alongside minors’ data, opt-out rights, and AI, for the state’s Office of the Attorney General (OAG). The Report also provides a reminder that the CTDPA’s CHD provisions apply to any company that does business in Connecticut; the CTDPA’s other jurisdictional thresholds do not apply to CHD processing. Companies in all areas of the digital advertising marketplace should pay close attention to the specific guidance set forth in the Report.

The Report raises a few points that may help companies assess whether any mechanisms they are using to obtain consent to process CHD fully comply with the OAG’s interpretation of Connecticut’s privacy law. Notably, the Report interprets the CTDPA’s data protection assessment section to include a disclosure requirement. Citing Conn. Gen. Stat. § 42-522(a), the Report states that “processing sensitive data, including voluntarily shared consumer health data, is unlawful when companies do not inform consumers about the heightened risks of harm inherent to such processing.”

Beyond this, the consent must be “a clear affirmative act signifying a consumer’s freely given, specific, informed and unambiguous agreement to allow the processing of personal data relating to the consumer.” According to the Report, one of the elements of “freely given, specific, informed, and unambiguous agreement” is a sufficiently detailed disclosure about the types and purposes of CHD (and other sensitive data) collection. The Report identifies three things the OAG expects to see in CHD consent disclosures: (1) the categories of CHD collected; (2) “who it will be shared with;” and (3) the specific purposes for which it will be processed.

The Report also clarifies what does not constitute sufficient consent. According to the Report, “‘consent’ does not include . . . acceptance of general or broad terms of use or a similar document that contains descriptions of personal data processing along with other, unrelated information . . .”

Although the OAG has not yet announced any CHD-related enforcement actions, companies that rely on consent to process Connecticut residents’ CHD should assess whether their processes satisfy the expectations summarized in this Report.

New York Moves Toward Health Data Privacy Law (Again)

Two months after New York Governor Kathy Hochul S9269). vetoed a health data privacy bill at the end of 2025, legislators began this year by introducing a revised version of the New York Health Information Privacy Act (NYHIPA) (S9269)

If enacted, NYHIPA would join the growing list of state laws that severely restrict the use of health-related data in advertising. Notably, NYHIPA would ban the sale of “regulated health information” (RHI) to “third parties,” following the highly restrictive approach of Maryland’s consumer privacy law. (Maryland’s sales ban applies to all sensitive data, not just health data.)

Moreover, NYHIPA would generally require “regulated entities” to obtain an individual authorization to process RHI unless it is “strictly necessary” to provide a service to the individual, for internal business activities, or for a narrow list of other purposes. Advertising and marketing are expressly excluded from this list. NYHIPA would also extend individual rights to New Yorkers over their RHI and establish a broad array of data security and contractual obligations for regulated entities.

A few elements of NYHIPA would create significant challenges for companies that use RHI in advertising, even if they do not sell RHI in doing so.

First, the threshold for a company to become a “regulated entity” is low. This term applies to any entity that controls the processing of RHI about an individual who is a New York resident, is physically present in New York, or is seeking or receiving services in New York from an entity located in the state. There are no revenue or other jurisdictional thresholds.

Second, the definition of RHI is extremely broad. Like the definition of “consumer health data” under Washington’s My Health My Data Act, RHI includes any individual, health-related information that is inferred, derived, or extrapolated from non-health information.

Third, NYHIPA’s authorization requirements are stringent and detailed. Among other details about the types and purposes of RHI to be processed, an authorization under NYHIPA must include the names, where “readily available,” or categories of third parties and service providers that will process RHI.

Finally, NYHIPA would grant the New York Attorney General extensive enforcement and regulatory authority. Any violation of the law would be subject to a civil penalty of up to $15,000 - which could accumulate quickly in digital advertising settings – in addition to injunctive and equitable monetary relief. The Attorney General would also gain the authority to issue regulations as necessary to implement the law.

“Surveillance Pricing” Regulations Could Add to Health-Related Advertising Obligations

Driven by a potent combination of concerns about inflation, affordability, and artificial intelligence, federal and state policymakers are accelerating efforts to restrict personalized, algorithmic, and data‑driven pricing practices. This widespread interest has already produced at least one state law targeting “surveillance pricing,” and more bills are advancing. Although the regulations that have been enacted and proposed so far are not specific to health data or health-related products, they introduce additional data governance obligations for companies that market health products.

The most recent legislation to pass was New York’s Algorithmic Pricing Disclosure Act, which took effect on November 10, 2025. The Act requires businesses that dynamically set the prices of goods or services using algorithms informed by consumer personal data to provide a clear and conspicuous disclosure, “THIS PRICE WAS SET BY AN ALGORITHM USING YOUR PERSONAL DATA.”The Act provides civil penalties up to $1,000 per violation.

The Act’s disclosure requirements, however, may be just a first step. New York legislators are considering a ban on surveillance pricing. Two pending bills, S8623 and A9349, would prohibit personalized algorithmic pricing based on personal data, subject to exemptions for certain loyalty benefits, subscription models, and a few other circumstances. The bills would also prohibit the collection and disclosure of personal data to support surveillance pricing.

Regulators in other states are also taking aim at surveillance pricing. California remains a key player in this space. Despite the failure of a “surveillance pricing” bill (AB 446) in 2025 that would have broadly restricted “surveillance pricing” tied to behavioral, biometric, and device-level data, the California Attorney General announced an “investigative sweep” of the use of “consumers’ personal information to set targeted, individualized prices for products and services” in the retail, grocery, and hotel sectors. The Attorney General’s announcement ties the enforcement sweep to the CCPA’s purpose limitation principle and illustrates how regulators could use existing laws to scrutinize the use of personal data to set prices for consumers for goods or services – including health-related goods and services. Alaska Attorney General Stephen Cox in January 2026 announced a sweep focusing on “pricing compliance” in grocery stores.

The defeat of AB 446 did not mean the end of dynamic pricing legislation in California. State legislators are considering AB 2564, which would ban “surveillance pricing,” defined as “offering or setting a customized price for a good for a specific consumer or group of consumers, based, in whole or in part, on personally identifiable information collected through electronic surveillance technology . . . .”

In addition, at least 15 other states have considered surveillance pricing in the current legislative session. Some mirror California’s AB 446 and AB 2564, while others take a narrower approach. For example, Maryland’s “predatory” pricing bill (SB 387), as revised in the state Senate, would ban, among other things, the use of personal data by food retailers and food delivery services to increase prices.

Surveillance pricing legislation is developing some of the variability that marks state privacy legislation. Some state legislation would adopt the opt-out framework that has become familiar to the digital advertising marketplace, rather than banning the use of personal data to set consumer prices. For instance, HB 4248 in Illinois would, among other things, require businesses to allow consumers to opt out of the use of their personal data to set prices and would prohibit businesses from charging such consumers more than a “non-personalized baseline price” for the goods or services at issue. Other bills, such as Colorado’s HB 26-1210 would regulate areas that are exempt from state privacy laws. Specifically, HB 26-1210 would generally prohibit individualized, algorithmic wage setting. The rapid developments in this area warrant close attention to understand the potential impacts on adtech and digital advertising.

MAHA Puts Focus on Food and Health Claims in Ads

Regulatory scrutiny of health-related advertising is expanding beyond the privacy arena. For companies operating across the digital advertising ecosystem, this shift is significant: even when enforcement does not arise under data privacy laws, it can reshape advertiser demand and disclosure expectations.

At the federal level, a September 2025 presidential memorandum, followed by inquiry activity from the U.S. Department of Health and Human Services (HHS) and the U.S. Food and Drug Administration (FDA), signals potential tightening of standards governing prescription

drug advertising. The memorandum suggests that such “advertisements can mislead the public about the risks and benefits, encourage medications over lifestyle changes, inappropriately intervene in the physician-patient relationship, and advantage expensive drugs over cheaper generics.” Although formal rulemaking has not yet occurred, these actions indicate closer oversight of pharmaceutical marketing.

Food-related health claims are under similar scrutiny. In March 2025, Secretary Kennedy directed the FDA to explore changes to the “Generally Recognized as Safe” framework, which currently allows manufacturers to determine that certain ingredients are safe without premarket FDA approval. Any finalized rulemaking could affect how food and ingredient claims are substantiated and communicated in advertising.

At the state level, legislatures are advancing measures targeting ultra-processed foods, including restrictions on such products in schools, proposed statewide bans, and package labeling requirements. These legislative efforts reflect a broader push to regulate how food-related health information is presented to consumers.

Health advertising-related enforcement is also accelerating under existing unfair and deceptive trade practices laws, particularly in Texas. Recent matters include:

  • General Mills settlement – resolved allegations that certain cereals were marketed as “healthy” or “nutritious” despite the presence of artificial dyes.
  • Kellogg's settlement – addressed similar claims regarding the marketing of cereals containing synthetic dyes.
  • Johnson & Johnson / Tylenol litigation – alleges failure to adequately disclose certain health risks associated with use during pregnancy.

Summary and Practical Recommendations

Taken together, federal policy signals and state legislative and enforcement trends reflect a broader regulatory turn toward prescription and health-related advertising. Companies should view these developments as early indicators of shifting expectations that may affect advertiser risk going forward. Businesses should:

  • Monitor potential federal rulemaking that could alter advertising standards in pharmaceutical and food sectors;
  • Reassess substantiation and disclosure practices for health-related claims in light of recent legislation and enforcement activity; and
  • Evaluate internal review processes for categories that may draw heightened regulatory scrutiny.
  • Assess consent disclosures and mechanisms governing sensitive data processing for specificity, unambiguous choice, and other state requirements.

Originally published by IAB Legal Affairs & Public Policy.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

[View Source]
Authors
Photo of Alysa Hutnik
Alysa Hutnik
Photo of Aaron Burstein
Aaron Burstein
Photo of Alexander Schneider
Alexander Schneider
Photo of Andrea DeLorimier
Andrea DeLorimier
See More Popular Content From

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More