← Back to Resources

NY S929: What Marketers Need to Know About New York's Health Privacy Bill

Jeremy MittlerDecember 16, 2025

In this interview with Keaton Wright from Target Continuum, Jeremy Mittler breaks down New York's S929 health privacy bill and why it could reshape healthcare advertising nationwide.

The Road to the Governor's Desk

In New York State government, passed legislation doesn't automatically go to the governor for signature—it has to be sent or called up by the governor. That happened recently with S929, following a public fight involving 50 different industry groups.

Major advertising industry groups, including the ANA, the NAI (Network Advertising Initiative), and even the IAB, were part of this 50-group coalition. The language wasn't soft—they were harsh in tone. We saw significant drama, and then right away, the bill got called by the governor.

Why This Bill Matters

This is the most important piece of state legislation in healthcare privacy since Washington's My Health, My Data Act, which is now two to three years in. But S929 is different—and what makes it unique is something we haven't seen in state law before.

The "Physical Presence" Trigger

All other state privacy laws cover companies doing business in that state and apply only to those processing data of residents of that state. In Washington, you have to be a Washington resident for the law to apply. That's how most states work.

New York is different, and this is what makes it potentially untenable from a compliance standpoint—and what may make it a de facto national standard.

There are three things to consider when determining if S929 applies to your company:

  1. New York residents: If you process data on New York State residents—that's clear and obvious.
  2. Physical presence: When someone is present in New York State at the time you're processing their data. This is the kicker.
  3. The compliance challenge: It's impossible to know in real-time where someone physically is when you're processing their data.

If this provision isn't changed, it may force companies to assume they need to worry about everyone in the country—making S929 a de facto national standard.

What This Means for Healthcare Marketers

For healthcare advertisers, the implications are significant. The bill's broad definition of "consumer health data" combined with the physical presence trigger means traditional approaches to audience targeting may need to be completely rethought.

Companies that have built their strategies around privacy-first principles will be better positioned to navigate this new landscape. Those relying on inferred or predicted health data face the greatest compliance risk.

Key Takeaways

  • S929 is the most significant state health privacy legislation since Washington's My Health, My Data Act
  • The "physical presence" trigger is unprecedented and may create a de facto national standard
  • Companies may need to treat all U.S. consumers as if they're covered by this law
  • Privacy-first audience strategies will be essential for compliance

Want to learn how Blueprint's privacy-first approach helps navigate evolving state privacy laws?

Read Our S929 AnalysisFollow Us on LinkedIn