NY bill shields abortion and gender care health data

From fitness watches to period-tracking apps, health products are increasingly collecting personal data from everyday activities. The issue has drawn increased attention since the Supreme Court overturned Roe v. Wade, amid reports of data being used to target anti-abortion ads at clinic visitors and to prosecute people seeking gender-affirming care across state lines.

New York bill seeks to protect abortion and gender-affirming care data

Last year, Albany lawmakers passed a bill to prohibit companies from collecting and selling health data without users' consent - but business groups argued its provisions were too far-reaching, and Governor Kathy Hochul vetoed it. Now, legislators have introduced a narrower version they hope can make it past the governor's desk.

What is this?

Senate Bill 9269, called the New York Health Information Privacy Act, would prevent companies from collecting and selling data about a person's mental and physical health without their consent. The amended bill limits the legislation's scope and adds new exemptions for data already governed by existing state and federal regulations. It exempts public agencies and governments, and protects only health data collected while someone is in New York state. Under the proposed law, companies that collect or sell health data without a user's consent could be fined up to $15,000.

"It passed last year, and I'm confident it will pass again," said Assembly sponsor Linda Rosenthal. "It's the discussions with the governor and her team that will be dispositive on what happens to this bill."

Senator Liz Krueger, who has sponsored the act since 2023, reintroduced it in February.

"Most of us think our healthcare data is protected by federal HIPAA laws, but so much of it is not," Krueger said. "Our health data is being collected, tracked, and sold to third parties by the very companies that are supposed to be taking care of us, as well as online social platforms, including women's health apps, mental health apps, TikTok, and even dating apps, monetizing our most intimate information to boost their profits."

Where did it come from?

The legislation comes as restrictions on reproductive and gender-affirming care are on the rise across the country. Thirteen states have banned abortion since Roe was overturned, and most states have restricted health care for trans youth. Police in some of these states have reportedly used health and location data to prosecute people seeking abortions out of state. In 2024, the location data provider Near Intelligence allegedly tracked and sold data on people's Planned Parenthood visits to an anti-abortion group's ad campaign. A year later, officials in Illinois found that Texas police tracked a woman seeking an abortion across state lines using license plate data.

Hochul has signed legislation shielding the information of New York doctors from out-of-state liability for providing gender-affirming care, and last year signed another bill strengthening parallel protections for abortion providers. But these laws do not protect the data that companies collect about those doctors' patients.

Federal privacy laws preventing the sale of health data primarily apply only to doctors, insurers, and related businesses. They do not cover the consumer health data increasingly collected by private apps and services. Fitness wearables, period tracking apps, and therapy sites have all reportedly collected and sold health data without their users' knowledge. At least 11 states have enacted health privacy laws since 2018. Washington enacted the My Health My Data Act in 2023, allowing people to withdraw their consent to be surveilled and request that their data be deleted.

Who's for and against it?

New York Civil Liberties Union, which endorsed the bill last year, contends that the legislation is necessary to protect individuals seeking gender-affirming and abortion care in New York.

Allie Bohm, the group's senior policy counsel, mentioned TikTok's new privacy policy changes as the most recent example of technology companies collecting users' health data. The social media app announced in January that it changed its privacy policy to collect new user data, including mental and physical health diagnoses.

The New York City Bar Association also supported last year's bill, noting that third-party companies routinely collect and sell private health data but avoid federal health data protections.

Opponents of last year's bill accused New York's legislation of going far beyond health privacy bills enacted in other states and expressed concern that such a broad and complex new regime would raise compliance costs for a range of businesses.

The Business Council of New York State, which opposed last year's bill, said the reintroduced legislation still does not address its concerns.

"As written, NYHIPA increases operational costs for all businesses, service organizations, and nonprofits, potentially limiting services and making things more expensive for both consumers and businesses," said Chelsea Lemon, the group's senior director of government affairs.