Export Compliance Daily is a service of Warren Communications News.
'Upending the Cash Cow'

Fight Over NY Health Privacy Bill Escalates Into 'Much Bigger Battle'

New York must not give in to staunch industry efforts to stop a health data privacy bill, said state Sen. Liz Krueger and Assemblymember Linda Rosenthal in an emailed statement Wednesday. The Democratic sponsors of the bill (S-929/A-2141) responded to a Monday letter to Gov. Kathy Hochul (D) from many tech industry, advertising and other business groups calling for a veto.

“We are well aware that any legislation that is viewed as upending the cash cow will be met with vehement opposition -- especially one that places restrictions on the largely unregulated sale of personal health data -- but ceding our legislative responsibility to the very entities that stand to benefit from the sale of people's information, is a grave and dangerous mistake,” wrote Krueger and Rosenthal.

The state legislature could finally send the bill to Hochul this month, nearly a year after lawmakers quickly passed it in January. That would start a 30-day shot clock for the governor to sign or veto. In an interview last week, Rosenthal told Privacy Daily that she’s still discussing any changes the governor might seek to make (see 2511260029). Hochul hasn't said where she stands on the bill, and her office didn’t comment Wednesday.

The New York bill passed by overwhelming margins in the legislature, despite compliance concerns raised by businesses, which said the bill was potentially more onerous than Washington state’s similar 2023 My Health My Data Act. Supporters of the health privacy bill include Ben & Jerry’s, the New York Civil Liberties Union (NYCLU), more than 200 health care providers and many public advocates. In addition, Rosenthal said last week that she had support from the New York attorney general’s office. AG Letitia James (D) didn’t comment Wednesday.

The industry groups, which included Tech:NYC, Partnership for New York City, TechNet, NetChoice, the State Privacy & Security Coalition, DoorDash and Warby Parker, wrote in their letter to Hochul that changes to the bill proposed so far wouldn’t address their concerns (see 2512020069).

“As drafted, [the New York bill] would reclassify routine transactions, standard consumer interactions, and basic product development practices as regulated health information,” the industry groups wrote. “As a result, the bill would subject a vast range of New York businesses and nonprofits to complex new obligations that go beyond the frameworks adopted in Connecticut, Washington, and every other state with consumer health privacy protections. The operational impact could raise compliance costs across industries, create new affordability challenges for New Yorkers, and undermine service continuity at a time when many sectors are already operating under tight margins.”

On Wednesday, Krueger and Rosenthal responded that the bill’s intent is “to protect New Yorkers’ most sensitive health data from being used and sold without their knowledge and authorization.” The legislators added, “Right now, the personal health information and data that New Yorkers upload to their most trusted apps is available for use by social media companies, ad giants, data brokers and third parties. This common-sense bill … simply puts an end to that exploitative practice.”

NYCLU dismissed the industry letter. “Of course businesses that unethically profit off of collecting, sharing, and selling personal health data would be against giving New Yorkers the right to control over their own personal health data,” said Allie Bohm, the public advocacy group's senior policy counsel, in a statement emailed to us Wednesday. “Between period tracking apps, search engines, fitness trackers and the like, companies have huge swathes of intimate health information at their disposal -- without New Yorkers even realizing it.”

“We originally introduced this legislation back in 2020,” but the need for the measure “has never been more urgent,” Rosenthal and Krueger said. “Women's basic civil rights are being eroded before our very eyes, the LGBTQIA+ community is under attack and the federal government is sharpening its surveillance over New Yorkers and all Americans. States are the last line of defense, especially in the absence of any meaningful data privacy policies in Washington, D.C.”

Those in the privacy space should watch closely, said Jeremy Mittler, a health care data privacy expert and CEO at Blueprint Audiences. “This has escalated into a much bigger battle than expected,” he emailed us Wednesday. “The pushback shows how consequential [the possible health privacy law] could be for New York as well as the national privacy landscape.”

Mittler said he expects Hochul will sign S-929 “with refinements, but even a revised version would reshape how health data is used in advertising.”