New York's S929: One Signature Away From Becoming the Strictest Health Privacy Law
New York's S929 was sent to the Governor for signature. The strictest health privacy law in the country is now one signature away from becoming real. And the entire health advertising industry needs to pay attention.
Last week lawmakers and industry groups fought in public over this bill. Today the stakes just went up.
Here is the simple version.
What S929 Actually Does
S929 passed the New York legislature earlier this year. Now that it has been sent to the Governor, she has 30 days to sign it. She can also sign it with chapter amendments that make changes later. This is likely to happen given the strong opposition (more below).
The bill defines health data in an extremely broad way. Similar to Washington's MHMD, inferences are treated as health data.
That requirement is crystal clear. If you process regulated health data, you need consent.
The Part That Changes Everything
The law does not apply only to New York residents. It applies to anyone physically in New York at the moment their data is being processed.
This is the detail most people miss.
Companies cannot reliably detect who is in New York or when. Which means there is no practical way to carve New York out. No state-by-state switch to flip.
The only safe interpretation is to treat everyone as covered. That is how a state law becomes a de facto national standard.
Given these complexities, it would not be surprising to see this part updated. But we'll see.
This Has Become a Real Fight
Last week more than 50 companies and advocacy groups sent a letter urging the Governor to veto the bill. The bill's sponsors responded and pushed back hard.
This is now a very public tug-of-war over how health data should work in marketing and advertising.
Why Marketers Should Pay Attention
State privacy laws are converging on one theme. Regulators do not like model-based health targeting.
Most health audiences in the market today do not meet that bar.
How Blueprint Approached This From Day One
This is exactly why we built Blueprint Audiences the way we did.
- We removed inferences
- We removed predictions
- We build audiences using group-level insights only
- We know nothing about the individuals inside a group
And because we never assign a health attribute to a person, our method works the same in New York, Washington, Nevada, Colorado, and everywhere else. No scrambling every time a new law passes.
The rules are getting tougher, but they are also getting clearer. Design for the hardest states and you end up compliant everywhere else.
Key Takeaways
- S929 is not just another bill — it is a marker of where the entire industry is going
- Broad definition of health data — inferences are treated as health data, similar to Washington's MHMD
- Physical presence trigger — applies to anyone in New York at the moment of processing, not just residents
- De facto national standard — no practical way to carve out New York means treating everyone as covered
- Consent is required — if you process regulated health data, you need consent
- Model-based targeting under scrutiny — regulators are converging on restricting inference-based health targeting
Ready to Navigate the New Privacy Landscape?
The shift toward stricter health privacy laws is accelerating. At Blueprint Audiences, we help organizations navigate this complexity with privacy-safe audience solutions built for today's regulatory environment—and tomorrow's.
Connect with me on LinkedIn to follow along as this law unfolds—or visit Blueprint Audiences to learn more about our privacy-first approach.