The Veto of New York Senate Bill S929: Divergence in State Consumer Health Data Privacy Frameworks

The decision by New York Governor Kathy Hochul to veto Senate Bill S929, widely known as the New York Health Information Privacy Act, represents a watershed moment in the trajectory of privacy regulation within the United States. This legislative event serves as a critical inflection point that effectively pauses the expansion of what was poised to become the most stringent and operationally demanding consumer health data regime in the nation. The veto highlights the intensifying friction between the legislative imperative to safeguard sensitive health information in a post-Dobbs legal environment and the pragmatic necessity of maintaining a functional digital economy.

Senate Bill S929 was introduced to address the “HIPAA gap,” a regulatory void where health data collected by non-covered entities, such as mobile applications, wearable devices, and retail websites, lacks the federal protections afforded to clinical records held by doctors and hospitals. While the bill successfully passed both the New York State Senate and Assembly with significant margins, it encountered insurmountable resistance from the executive branch due to concerns regarding its expansive scope, punitive enforcement mechanisms, and the potential for severe economic disruption.

The rejection of this bill prevents New York, for the time being, from joining the cohort of states like Washington, Nevada, and Connecticut that have enacted dedicated frameworks for consumer health data. This divergence is not merely a matter of state politics but has profound implications for the national compliance strategies of multi-state organizations. Had S929 been enacted, its unique requirements, such as a twenty-four-hour delay for consent authorizations and a strict “opt-in” model for data retention, would have likely forced companies to bifurcate their operations or adopt New York’s restrictive standards globally.

This report offers an exhaustive examination of the vetoed legislation and its comparative context. It analyzes the specific provisions of S929 that led to its demise, contrasts them with the operative statutes in other jurisdictions, and explores the nuanced compliance challenges regarding entity-level versus data-level exemptions. The analysis further elucidates the operational relief felt by the business community while acknowledging the persistent uncertainty that looms over the privacy landscape in the absence of a unified federal standard.

Part I: The Context of Consumer Health Data Regulation

To understand the significance of the S929 veto, one must first appreciate the regulatory vacuum it was intended to fill. The United States lacks a comprehensive federal privacy law, relying instead on a sectoral approach where specific industries are governed by specific statutes.

The HIPAA Gap and the Post-Dobbs Reality

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is frequently misunderstood by the general public as a universal shield for health information. In reality, HIPAA applies only to specific “covered entities,” which include healthcare providers, health plans, and healthcare clearinghouses, as well as their “business associates”. This leaves a vast ecosystem of digital health products completely unregulated at the federal level regarding privacy. When a consumer inputs their menstruation cycle into a tracking app, or when a smart watch records a user’s heart rate, that data is typically governed only by the company’s privacy policy and the Federal Trade Commission’s prohibitions against unfair or deceptive acts.

The urgency to close this gap intensified dramatically following the Supreme Court’s decision in Dobbs v. Jackson Women’s Health Organization in 2022. The overturning of Roe v. Wade created a tangible fear that digital footprints, such as location data near reproductive health clinics or search histories for abortion services, could be weaponized by law enforcement in states where abortion is criminalized. State legislatures, particularly in Democrat-led states, mobilized to create “shield laws” and data privacy statutes to protect their residents from such surveillance. Washington led this charge with the My Health My Data Act, and New York’s S929 was drafted in this same spirit of protective urgency.

The Federal Trade Commission’s Role

In the absence of new federal legislation, the Federal Trade Commission (FTC) has become increasingly aggressive in policing the commercial use of health data. Recent enforcement actions against companies like BetterHelp, GoodRx, and Premom have established a de facto federal standard that treats the unauthorized sharing of health data for advertising purposes as a deceptive practice. However, the FTC’s authority is limited to enforcement after the fact and does not provide the comprehensive, prescriptive framework that state laws seek to establish. This limitation has driven states to act unilaterally, resulting in the current patchwork of compliance obligations, to which S929 would have added yet another layer.

Part II: Anatomy of New York Senate Bill S929

New York Senate Bill S929 was designed to be a robust consumer protection statute. Its authors sought to create a legal framework where New Yorkers could “reclaim and retain control” of their healthcare information. However, the specific mechanisms proposed to achieve this goal were viewed by industry stakeholders as operationally unfeasible.

Expansive Definitions: Regulated Health Information

The bill proposed a definition of “Regulated Health Information” that was expansive in the extreme. It covered any information reasonably linkable to an individual or device that is collected or processed in connection with physical or mental health. Critically, this definition included “any inference drawn or derived about an individual’s physical or mental health.”

This inclusion of inferences meant that data not inherently health-related could become regulated if analyzed in a specific way. For example, a grocery retailer analyzing purchase history for trends might inadvertently create regulated health information if their algorithm inferred that a customer was pregnant based on their purchase of prenatal vitamins and unscented lotions. Under S929, this inferred status would trigger the full weight of the law’s consent and retention requirements.

The Scope of Regulated Entities

The definition of “Regulated Entity” in S929 extended jurisdiction to any entity that controlled the processing of regulated health information of a New York resident, or importantly, an individual “physically present” in the state. This “physically present” clause raised significant concerns regarding extraterritoriality and the practical difficulties of compliance. A tourist from Ohio using a health app while visiting Times Square could theoretically trigger New York’s strict privacy protections for that interaction, requiring the app developer to track the real-time location of all users to ensure compliance, a practice that itself raises privacy concerns.

The Consent Paradigm and “Strict Necessity”

S929 operated on a strict “opt-in” model. Processing of health data was prohibited unless the individual provided valid authorization or the processing was “strictly necessary” to provide a product or service requested by the consumer.

The definition of “strictly necessary” was explicitly narrow. It excluded activities related to marketing, advertising, research and development, or providing products to third parties. This meant that standard operational practices, such as using analytics to identify app crashes or improve user interface design, would likely have required separate, affirmative consent from the user.

Furthermore, the authorization process was burdened with friction. The bill mandated that a request for authorization be separate from other permissions and, most controversially, be made at least twenty-four hours after an account was created. This “twenty-four-hour rule” was intended to prevent coercive consent during onboarding but would have effectively broken the functionality of many services. A user downloading a telemedicine app for an immediate consultation would be legally barred from authorizing the retention of their medical history until the following day, rendering the app useless for its immediate purpose.

Geofencing Prohibitions

The bill included a ban on the use of geofencing technology around healthcare facilities. It prohibited establishing a virtual boundary within a certain distance of medical providers for the purpose of identifying, tracking, or sending advertisements to individuals. Unlike similar laws in other states that require a specific intent to track, the New York proposal was criticized for potentially creating strict liability for location-based services that inadvertently overlapped with the perimeter of a healthcare facility.

Enforcement and Penalties

The enforcement structure of S929 was designed to be punitive. It empowered the New York Attorney General to seek civil penalties of up to fifteen thousand dollars per violation or twenty percent of the revenue obtained from New York consumers, whichever was greater.

The “percent of revenue” penalty model is a significant departure from standard per-violation fines. For a large technology company with diverse revenue streams, a privacy violation in a minor health-related feature could theoretically result in a fine calculated based on the company’s entire New York revenue. This disproportionality was a central argument in the business community’s lobbying efforts against the bill.

Part III: The Veto – Analysis of Governor Hochul’s Decision

Governor Hochul’s veto of S929 was not a rejection of the principle of privacy but a pragmatic decision based on the bill’s operational flaws and potential for economic harm. In Veto Memo 135, the Governor articulated a clear rationale for her refusal to sign the legislation.

The Rationale for Rejection

The Governor’s veto memo highlighted that while the protection of health data is a priority, the bill as drafted would impose “complex new obligations” that would create “significant confusion” for businesses and consumers alike. She noted that the bill passed the legislature with ample time for negotiation, yet “good-faith negotiations on chapter amendments” were not fruitful until the very end of the year.

Chapter amendments are a unique feature of New York’s legislative process where the Governor agrees to sign a bill on the condition that the legislature passes specific amendments in the subsequent session to fix identified flaws. In the case of S929, the gap between the legislature’s intent and the executive’s requirements was too wide to bridge. The Governor’s office reportedly sought changes to the “strict necessity” standard, the removal of the twenty-four-hour consent delay, and clearer exemptions for entities already regulated by federal law. When these changes could not be guaranteed, the veto became the only viable option to prevent a flawed law from taking effect.

Economic and Operational Concerns

A coalition of industry groups, including Tech:NYC and the Partnership for New York City, lobbied heavily against the bill. They argued that the bill’s requirements would place New York businesses at a severe disadvantage compared to competitors in other states. The compliance costs associated with building unique consent flows for New York users, combined with the risk of massive revenue-based fines, were portrayed as an existential threat to the state’s growing tech sector.

The Governor’s decision also reflected a concern for the “affordability” and “service continuity” for New Yorkers. By potentially forcing companies to withdraw services from the New York market rather than face the liability of the new law, S929 could have reduced consumer access to valuable digital health tools.

Part IV: Washington’s My Health My Data Act – The Benchmark

To fully understand the divergence in state laws, one must examine the Washington My Health My Data Act (MHMDA), which served as the inspiration for S929 but differs in critical ways. Enacted in 2023, the MHMDA established the first comprehensive state framework for consumer health data privacy.

Scope and Definitions

The MHMDA defines “consumer health data” broadly to include any personal information that is linked or reasonably linkable to a consumer and that identifies the consumer’s past, present, or future physical or mental health status. This includes individual health conditions, reproductive or sexual health information, and biometric data.

Crucially, Washington’s law includes a “private right of action.” This provision allows consumers to sue companies directly for violations of the act, utilizing the Washington Consumer Protection Act to seek damages. This has made the MHMDA the most feared privacy statute in the country, as it exposes companies to the risk of class-action litigation for technical violations, bypassing the prosecutorial discretion of the Attorney General.

Data-Level Exemptions

Washington employs a “data-level” exemption for HIPAA. It exempts “protected health information” (PHI) governed by HIPAA, but it does not exempt the entity itself. This means that a hospital or healthcare provider is subject to the MHMDA for any data it collects that is not PHI. For example, if a hospital’s website uses tracking pixels to monitor visitor behavior on its homepage, that data is likely consumer health data under the MHMDA, even though the hospital is a HIPAA-covered entity. This creates a complex dual-compliance regime where organizations must segregate their data assets and apply different legal standards to each.

The Geofencing Standard

Washington’s law prohibits any person from implementing a geofence around an entity that provides in-person healthcare services where the geofence is used to identify or track consumers seeking those services. The boundary is defined as 2,000 feet from the perimeter of the facility. This provision is operative and strict, effectively creating a “digital quiet zone” around medical providers in the state.

Part V: Nevada and Connecticut – The Alternatives

While New York attempted to surpass Washington’s stringency, Nevada and Connecticut adopted more moderate approaches that prioritize business continuity and alignment with existing frameworks.

Nevada Senate Bill 370: The Business-Friendly Pivot

Nevada’s Senate Bill 370, modeled on Washington’s law, contains significant deviations that make it more palatable to industry.

  1. Narrower Scope: Nevada defines “consumer health data” as data used to identify the health status of the consumer. This “use-based” limitation suggests that the mere collection of data is not enough to trigger the law; the entity must actively use it to infer health status.
  2. Entity-Level Exemptions: Perhaps the most significant difference is Nevada’s use of “entity-level” exemptions. The law exempts any person or entity subject to HIPAA or the Gramm-Leach-Bliley Act (GLBA) entirely. This means that hospitals, banks, and insurers operating in Nevada are completely exempt from the state’s consumer health data law, as they are already regulated by federal statutes. This avoids the dual-regulation complexity found in Washington.
  3. No Private Right of Action: Enforcement of SB 370 is the exclusive domain of the Nevada Attorney General. There is no private right of action, significantly lowering the litigation risk for businesses.

Connecticut Senate Bill 3: The Integrated Approach

Connecticut chose not to create a standalone health data law. Instead, Senate Bill 3 amended the existing Connecticut Data Privacy Act (CTDPA) to create a new category of “consumer health data”.

  1. Sensitive Data Classification: The law classifies consumer health data as “sensitive data,” which requires strict opt-in consent for processing. This integrates health data compliance into the existing privacy governance framework that companies have already built for the CTDPA.
  2. Moderate Geofencing: Connecticut adopted a ban on geofencing around mental, reproductive, and sexual health facilities, with a radius of 1,750 feet. This aligns with Nevada’s distance but is narrower than Washington’s 2,000 feet.

Part VI: Comparative Legal Analysis

The veto of S929 has preserved a diverse regulatory landscape. The following analysis highlights the key technical differences that compliance officers must navigate.

Table 1: Comparative Framework of State Health Data Laws

| Feature | Washington (MHMDA) | Nevada (SB 370) | Connecticut (SB 3) | New York (S929 – Vetoed) |
|---|---|---|---|---|
| Effective Date | March 31, 2024 | March 31, 2024 | July 1, 2023 | Vetoed |
| Definition Style | Broad; “reasonably linkable” to health status. | Use-based; “used to identify” health status. | Integrated; “sensitive data” under CTDPA. | Extremely broad; “processed in connection with” health. |
| HIPAA Exemption | Data-level: exempts PHI only. | Entity-level: exempts covered entities. | Entity-level: exempts covered entities. | Weak/ambiguous; leaned toward data-level. |
| GLBA Exemption | Data-level: exempts GLBA data. | Entity-level: exempts financial institutions. | Entity-level: exempts financial institutions. | Weak/absent; created conflict for banks. |
| Enforcement | AG and private right of action. | AG only. | AG only. | AG only (revenue-based penalties proposed). |
| Geofencing | 2,000 ft limit. | 1,750 ft limit. | 1,750 ft limit. | Proposed ban; strict liability concerns. |

Entity vs. Data Level Exemptions: The Compliance Crucible

The distinction between entity-level and data-level exemptions is the single most critical factor in determining the compliance burden of these laws.

Entity-Level Exemption (Nevada, Connecticut):

This is a “safe harbor” approach. If an organization is a hospital regulated by HIPAA, the state law does not apply to any of its data. This recognizes that the entity is already subject to a comprehensive federal security and privacy regime. It simplifies compliance by allowing the organization to follow one set of rules (federal) for all its operations.

Data-Level Exemption (Washington, Proposed NY):

This is a “gap-filling” approach. It exempts only the specific data that is regulated federally. If a hospital collects data that falls outside the technical definition of “Protected Health Information” (PHI) under HIPAA, that data becomes subject to the state law.

  • Operational Impact: A hospital must build a “firewall” in its compliance program. Patient records are governed by HIPAA. Website visitor logs are governed by the MHMDA. This requires two different privacy policies, two different consent flows, and two different deletion protocols for the same organization. S929’s failure to provide clear entity-level exemptions would have imposed this complex burden on New York’s massive healthcare and financial sectors.

Consent Mechanics: Opt-In vs. Authorization

Washington and the proposed New York bill differ significantly in how they operationalize consent.

Washington: Requires “valid authorization” for the sale of data, which must be a separate document signed by the consumer. For collection, it requires “affirmative consent” unless necessary for the requested service.

New York (Vetoed): Would have required “valid authorization” for processing and retention, not just sale. The S929 authorization had to be distinct from other consents. Most disruptively, the bill proposed a twenty-four-hour waiting period before such authorization could be requested.

  • Operational Impact: The twenty-four-hour rule would have killed the “onboarding” flow of apps. A user could not sign up and immediately get the full benefit of a data-intensive service. This friction was designed to be a “speed bump” for privacy but was viewed by industry as a “roadblock” to utility.

Geofencing Technicalities

The geofencing bans in WA, NV, and CT share a common goal but differ in technical execution.

  • Radius: Washington uses 2,000 feet. Nevada and Connecticut use 1,750 feet.
  • Trigger: All bans generally prohibit using a geofence to “identify or track” consumers seeking health services.
  • The NY Difference: S929’s proposed ban was feared to be broader because it lacked the specific intent requirements found in other statutes, potentially creating strict liability for any location-based ad service that inadvertently served an ad near a clinic. Given the density of medical offices in New York City, compliance would have been nearly impossible without disabling location services entirely.

Part VII: Operational Implications for Businesses

The veto of S929 provides immediate operational relief, but the compliance landscape remains treacherous.

The “Lowest Common Denominator” Strategy

For national companies, the “lowest common denominator” strategy involves adopting the strictest standard as the global baseline to simplify operations.

  • Before S929 Veto: Companies were bracing for New York to become the new baseline. The twenty-four-hour rule and strict opt-in requirements would likely have been applied nationally to avoid building a “New York-only” version of their app.
  • After S929 Veto: Washington’s MHMDA remains the strict baseline. Companies must comply with Washington’s “homepage link” requirement and “valid authorization for sale” requirement. Since Washington’s law applies to any entity “doing business” in the state, effectively all major US companies are caught in its net.

Data Inventory and Classification

The primary challenge for businesses is the “inference” problem. Laws in Washington and Nevada (and the vetoed NY bill) broaden the definition of health data to include inferences.

  • Action Item: Companies must audit their analytics and marketing algorithms. If a retailer uses purchase history to assign a “pregnancy score” to a customer (as in the infamous Target example), that score is now “Consumer Health Data” in Washington and Nevada. It must be deleted upon request and cannot be sold without specific authorization.
  • S929 Relief: The veto saves companies from S929’s even broader definition which included data “processed in connection with” health, a vague standard that could have captured non-inference data simply based on context.

Advertising and AdTech

The digital advertising ecosystem is particularly impacted by these laws. The definition of “sale” in Washington and the vetoed NY bill includes sharing for “other valuable consideration.”

  • Tracking Pixels: The use of Meta Pixel or Google Analytics on health-related pages is legally perilous. In Washington, this sharing is likely a “sale” requiring signed authorization, which is impossible to obtain in the milliseconds of a webpage load.
  • Operational Shift: Companies are moving to “contextual advertising” on health pages (ads based on the content of the article) rather than “behavioral advertising” (ads based on the user’s history), to avoid the definition of “sale.” The veto of S929 allows this transition to happen at the pace dictated by Washington and the FTC, rather than the abrupt halt S929 would have forced.

Employee Data

A critical bullet dodged by the veto was the regulation of employee data. S929 did not clearly exempt data processed in an employment context.

  • The Risk: Employers collecting sick notes, managing health insurance, or administering wellness programs could have been deemed “Regulated Entities.”
  • The Consequence: HR departments would have needed to obtain revocable, separate authorizations from employees to process their disability accommodations or sick leave. This would have created administrative chaos.
  • Comparison: Washington and Nevada explicitly exempt data processed in an employment context. The veto ensures that New York employers do not face this unique burden.

Part VIII: Future Trajectories

The veto of S929 is a pause, not a full stop. The political pressure to protect reproductive health data remains high, and the Governor’s veto memo explicitly invited the legislature to try again.

The Return of S929

It is highly probable that a revised version of the New York Health Information Privacy Act will be introduced in the next legislative session. To secure the Governor’s signature, the new bill will likely:

  1. Align with Washington/Nevada: Adopt clearer definitions that match the existing state frameworks to allow for interoperability.
  2. Include Entity-Level Exemptions: Add robust exemptions for GLBA and HIPAA regulated entities to avoid the “dual-regulation” trap.
  3. Remove Operational Poison Pills: Eliminate the twenty-four-hour consent delay and the strict “no marketing” necessity clauses.
  4. Refine Enforcement: Likely reduce the revenue-based penalty to a more standard per-violation fine structure.

The Federal Outlook

The entire state-level legislative flurry is driven by the lack of a federal privacy law. The American Privacy Rights Act (APRA) has been proposed to preempt this patchwork, but its passage remains uncertain due to disagreements over preemption and private rights of action. Until Congress acts, New York and other states will continue to function as “laboratories of democracy,” experimenting with different ways to regulate the digital health economy.

The Veto of New York Senate Bill S929 Was a Victory for Operational Pragmatism

The veto of New York Senate Bill S929 was a victory for operational pragmatism over legislative idealism. By rejecting a bill that was out of step with the emerging national consensus, Governor Hochul prevented the creation of a “New York anomaly” that would have fragmented the digital market. However, the underlying message to the business community is clear: the era of unregulated consumer health data is ending. Washington has set the bar, Nevada and Connecticut have reinforced it, and New York will inevitably join them. Companies that use the reprieve of the veto to delay their compliance programs are making a strategic error; the trajectory of the law is unmistakably toward greater transparency, stricter consent, and enhanced consumer control over the most sensitive details of their lives.
