What is the My Health My Data Act, and why is its private right of action such a serious risk for advertisers?

Washington State's My Health My Data Act (MHMDA), codified at RCW Chapter 19.373, is the strongest consumer health privacy law in the United States, and its private right of action is what makes it uniquely dangerous for advertisers and the brands that rely on them. The act took effect for regulated entities on March 31, 2024 and for small businesses on June 30, 2024, and it reaches far beyond traditional healthcare companies: any business that collects data linkable to a consumer's physical or mental health status is in scope, whether or not it is a hospital, insurer or covered entity under HIPAA. The act requires a clear affirmative opt-in consent — freely given, specific, informed, voluntary and unambiguous — before consumer health data can be collected, and a separate consent before it can be shared; consent cannot be inferred, bundled, buried in a terms-of-use document or obtained through dark patterns, and collection and sharing require distinct consents. Selling consumer health data requires an even higher bar: a separate, signed written authorization that names the specific data, the buyer and the purpose. The provision that changes the risk calculus is the enforcement mechanism. Most US state privacy laws are enforced only by the state attorney general, which means a violation produces a regulator investigation at worst. MHMDA, by contrast, declares a violation to be an unfair or deceptive act under Washington's Consumer Protection Act, which carries a private right of action — meaning individual consumers, and the plaintiffs' bar behind them, can sue directly, seek actual damages and recover attorney's fees. For an advertiser, that converts a pixel misconfiguration that transmits health-linkable data from a theoretical regulatory exposure into class-action litigation risk. The practical implication is that any tracking technology a business deploys — a Meta Pixel, a Google tag, a TikTok pixel, an SDK in a mobile app — must be audited for whether it could transmit data that identifies a health condition, a treatment, a medication, or even a visit to a health-related page, before it is allowed to fire for Washington consumers without consent. Because the consent standard is opt-in and separate, the safe default is to suppress health-linkable data flows to advertising platforms entirely unless a specific, logged consent exists. For the broader federal-state framework that surrounds MHMDA, see the United States compliance reference , and audit your own tracking deployment with the AI Compliance Audit . The organizing principle is that MHMDA makes health-data mistakes suable by consumers, not merely investigable by regulators.

What exactly counts as consumer health data, and why is the definition broader than HIPAA?

The reason health-data compliance trips up so many advertisers is that the operative definition of "consumer health data" under laws like Washington's My Health My Data Act is dramatically broader than the protected health information that HIPAA governs, and it sweeps in data that marketing teams have historically treated as ordinary behavioral signal. HIPAA applies to covered entities — providers, plans, clearinghouses — and their business associates, and it governs protected health information held in that healthcare context. Consumer health data under MHMDA is defined as personal information that is linked or reasonably linkable to a consumer and that identifies the consumer's past, present or future physical or mental health status. That status-based, linkability-based framing is the key: it does not require the data to originate from a clinical setting. It covers obvious categories like conditions, diagnoses, treatments, medications, test results, biometric and genetic data, and reproductive or sexual-health information. But because it includes anything that identifies health status, it also reaches inferences and proxies — the fact that a consumer viewed a page about a specific condition, searched for a symptom, added a particular medication to a cart, booked an appointment with a specialist, or used an app for fertility, mental health or addiction recovery. Precise location data that indicates a consumer sought health services is explicitly in scope. For an advertiser, this is the trap: a retargeting audience built from visitors to a "managing depression" article, a lookalike seeded from purchasers of a diabetes product, or a conversion event that fires when someone schedules a telehealth visit all involve consumer health data, even though none of it came from a medical record. The same logic appears in the comprehensive state privacy laws, which classify health data as sensitive data requiring opt-in consent (or, in California's model, a right to limit its use). The practical consequence is that the question is never "is this HIPAA data?" but "could this data, alone or combined, identify someone's health status?" — and if the answer is yes, it cannot be used for advertising without specific consent. California's 2025 Healthline settlement underscored how far this reaches: the state treated transmitting article titles that imply a consumer's medical diagnosis as a violation. To map which of your audiences and events touch health-linkable data, run the Legal Compliance Scan , and for sector-specific guidance see the healthcare compliance guide . The organizing principle is that consumer health data is defined by linkability to health status, not by whether it came from a doctor.

How do tracking pixels and SDKs leak health data to ad platforms, and what should advertisers do about it?

Tracking pixels and software development kits leak health data to advertising platforms through a mechanism that is invisible to most marketing teams: by default, they transmit the full context of the page or screen a user is on, including URLs, page titles, button text and form interactions, and when that context is health-related the transmission becomes a disclosure of consumer health data. A Meta Pixel placed site-wide will, unless specifically configured otherwise, send the URL and event data when a user views a page about a medical condition, clicks "book appointment," or completes a form indicating a health interest. A Google tag or a TikTok pixel behaves the same way. Mobile SDKs embedded in health apps have historically transmitted identifiers alongside in-app events that reveal the app's purpose. The FTC's enforcement record is built almost entirely on this pattern: it found that GoodRx used "plug-and-play" pixels and SDKs to disclose consumers' prescription and health-condition data to Facebook, Google, Criteo and others; that BetterHelp disclosed email and IP addresses together with mental-health questionnaire answers to Facebook, Snapchat, Criteo and Pinterest; and that Cerebral disclosed sensitive data of roughly 3.2 million consumers to LinkedIn, Snapchat and TikTok through tracking tools. The common thread is that no one intended to send health data — the tools simply transmitted whatever context they were placed in. The remediation is concrete and technical. First, inventory every pixel, tag and SDK across the property and map exactly what each one transmits and on which pages or screens. Second, remove or block tracking on any page that could reveal a health condition, treatment or interest — condition-specific content, symptom checkers, appointment booking, health forms, and pharmacy or telehealth flows. Third, strip health-revealing parameters from URLs and event payloads, and disable automatic event collection that captures page titles or form fields on sensitive pages. Fourth, where conversion measurement is genuinely needed, use server-side approaches that you can filter, rather than client-side tools that send raw context, and gate any health-linkable signal behind explicit consent. Fifth, document the configuration so you can demonstrate to a regulator or a court that the property does not leak health data by default. Because the same misconfiguration that produces an FTC action also produces MHMDA class-action exposure, the audit is not optional hygiene — it is the core control. Run a full tracking audit with the AI Compliance Audit , and align the broader data-collection workflow using the Meta lead-ads PII compliance workflow . The organizing principle is that pixels and SDKs leak whatever context they sit in, so health-related surfaces must be tracking-free by default.

What does the FTC enforcement wave from GoodRx to Healthline tell advertisers about their exposure?

The FTC enforcement wave that runs from GoodRx in 2023 through the Healthline settlement in 2025 is the clearest available map of advertiser exposure on health data, because each action turns on the same conduct — sharing health-linkable data with advertising platforms — and each one expanded the theory of liability. The GoodRx action, announced in February 2023, was the first enforcement of the Health Breach Notification Rule: the FTC alleged GoodRx shared consumers' prescription and health-condition information with Facebook, Google, Criteo, Branch and Twilio for advertising between 2017 and 2020 and failed to notify them, resulting in a $1.5 million civil penalty and an order that bans sharing health data for advertising outright. The BetterHelp action, finalized in July 2023, produced $7.8 million in consumer refunds — the first time the FTC returned money for health-data harms — over disclosures of email and IP addresses and mental-health questionnaire answers to Facebook, Snapchat, Criteo and Pinterest for advertising and retargeting, despite privacy promises to the contrary. The Premom action in May 2023 added a $100,000 penalty for a fertility app that shared reproductive-health data with Google and AppsFlyer. The Cerebral order proposed in April 2024 addressed a telehealth firm that disclosed sensitive data of about 3.2 million consumers — including medical and prescription histories and insurance information — to LinkedIn, Snapchat and TikTok via tracking tools, and barred most use or disclosure of that data for marketing. The through-line for advertisers is unmistakable: the FTC treats the act of letting health-linkable data flow to an ad platform as the violation, regardless of intent, and its standard remedy is a flat prohibition on sharing health data for advertising. The 2025 Healthline settlement, brought by the California Attorney General for $1.55 million — the largest CCPA settlement to date — pushed the theory further: it treated the transmission of article titles that imply a consumer's medical diagnosis as a violation and required Healthline to stop sending such titles, and it penalized failure to honor opt-outs. That extension matters because it reaches publishers and content sites, not just health-service providers; if your pages reveal what a reader is looking at and that implies a health condition, sending it to an ad platform is exposure. For an advertiser, the lesson is to assume that any health-linkable signal flowing to Meta, Google, TikTok, LinkedIn, Snapchat or Pinterest is a potential enforcement target, and to build the suppression and consent controls before, not after, a complaint arrives. Track new enforcement actions as they land on the Policy Change Tracker , and stress-test your posture with the Legal Compliance Scan . The organizing principle is that the FTC and state AGs penalize the data flow itself, so the only safe posture is to stop health-linkable data reaching ad platforms.

What is the geofencing ban around health facilities, and how does it constrain location-based advertising?

The geofencing ban in Washington's My Health My Data Act is one of the most absolute prohibitions in US privacy law, and it directly forecloses a category of location-based advertising that many brands and agencies have used without realizing it is now illegal in the state. The act makes it unlawful to implement a geofence around an entity that provides in-person health care services where the geofence is used to identify or track consumers seeking health care, to collect consumer health data, or to send notifications, messages or advertisements related to a consumer's health data or health services. A geofence is defined in the statute as a virtual boundary of 2,000 feet or less from the perimeter of the physical location — a wide radius that captures not just the building itself but the surrounding area. There is no consent exception to this prohibition: unlike the collection and sharing rules, which can be satisfied with opt-in consent, the geofencing ban is flat. For advertisers, this eliminates a set of tactics that location-based ad vendors have long offered: targeting people who visit a clinic, a hospital, a reproductive-health center, a mental-health facility, an addiction-treatment center or a specialty practice, and serving them ads based on that visit. It also forecloses the inverse — building audiences of people seen near health facilities and using them for retargeting or lookalike modeling — because that collects consumer health data through a geofence. The practical compliance steps are to identify any location-based or proximity targeting in active campaigns, confirm that none of it draws a boundary around or near a health-care facility, and instruct any location-data vendor to exclude health facilities from their targeting and audience-building entirely. Because the ban targets the health-care-seeking inference, even campaigns that are not nominally about health — a retailer targeting a shopping district that happens to include a clinic, for example — need to confirm the targeting logic does not capture health-facility visitors. Nevada's consumer health data law and Connecticut's health-data amendments include comparable geofencing restrictions, so the constraint is spreading beyond Washington. The safe operating rule is to treat health facilities as no-go zones for any location-based advertising, audience-building or notification, nationwide, rather than maintaining state-by-state exceptions. For the broader multi-state framework that surrounds these location rules, see the US state privacy laws 2026 analysis , and confirm your targeting posture with the Legal Compliance Scan . The organizing principle is that location-based advertising must treat health facilities as absolute exclusion zones, with no consent workaround.

What does a compliant health-data advertising workflow look like in 2026?

A compliant health-data advertising workflow in 2026 is built on a single premise — that health-linkable data does not flow to advertising platforms unless a specific, logged consent permits it — and it operationalizes that premise across data collection, audience building, measurement and documentation. The first stage is classification: map every data source, audience, event and page that could touch consumer health data, using the broad linkability standard rather than the narrow HIPAA definition, so that condition-specific content, symptom and treatment pages, appointment and telehealth flows, health-product purchases, and any location signal near care facilities are all flagged. The second stage is suppression by default: on every flagged surface, tracking pixels, tags and SDKs should be blocked or stripped of health-revealing context so that, absent consent, no health-linkable signal reaches Meta, Google, TikTok, LinkedIn, Snapchat or Pinterest. The third stage is consent where collection is genuinely required: build an opt-in that is separate, specific, informed and unbundled, names what health data will be collected and that it may be shared for advertising, logs the timestamp and exact language, and is as easy to withdraw as to give — and, for any sale of consumer health data, obtain the separate signed authorization the My Health My Data Act requires. The fourth stage is audience hygiene: never seed lookalike or custom audiences from health-linkable events, exclude health facilities from all location targeting, and honor universal opt-out signals like Global Privacy Control, which a growing list of states require platforms and advertisers to respect by January 1, 2026. The fifth stage is measurement discipline: where conversion tracking is necessary, prefer server-side approaches you can filter so that health-revealing parameters are removed before any data leaves your control. The sixth stage is documentation: keep records of the data map, the suppression configuration, the consent language and logs, the authorization forms, and the opt-out handling, because both the FTC and a class-action plaintiff will ask you to demonstrate the controls, not merely assert them. The seventh stage is monitoring: enforcement and state law are both moving quickly — Maryland's data-minimization law, new comprehensive statutes, and continued FTC actions — so the workflow must include tracking regulatory change and re-auditing when platforms change how their pixels behave. Because the same controls that satisfy MHMDA also satisfy the FTC's prohibitions, the comprehensive state laws and the geofencing bans, a single disciplined workflow clears the entire landscape. Operationalize the data map and audit with the AI Compliance Audit and the Legal Compliance Scan , and track regulatory change on the Policy Change Tracker . The organizing principle is suppression by default, consent where required, no health-seeded audiences, and documented controls.

Health Data & Ad Targeting Compliance 2026: MHMDA Rules

Quick Answer

Consumer health data is now the single highest-risk signal an advertiser can send to an ad platform in the United States, and in 2026 the rules around it come from three directions at once. First, Washington's My Health My Data Act (MHMDA), in effect for regulated entities since March 31, 2024 and for small businesses since June 30, 2024, defines "consumer health data" extremely broadly — any personal information linkable to a consumer that identifies their past, present or future physical or mental health status — and requires separate opt-in consent to collect it and a separate signed authorization to sell it. Critically, MHMDA is enforceable through Washington's Consumer Protection Act, which carries a private right of action, so consumers themselves can sue. Second, the FTC has run a multi-year enforcement wave under the Health Breach Notification Rule and Section 5, banning GoodRx (a $1.5 million civil penalty), BetterHelp ($7.8 million in consumer refunds), Premom ($100,000) and Cerebral from sharing health data with advertising platforms via tracking pixels and SDKs — and California's $1.55 million Healthline settlement, the largest CCPA settlement to date, extended the theory to article titles that imply a diagnosis. Third, nearly every comprehensive state privacy law treats health data as sensitive data requiring opt-in consent or a right to limit. The compliant posture is to treat any health-linkable data as untouchable for advertising unless you have specific, logged, separate consent, to audit every pixel and SDK for what it transmits, and to never deploy a geofence around a health facility. Screen targeting and copy with the Legal Compliance Scan, audit your tracking with the AI Compliance Audit, and track enforcement on the Policy Change Tracker.

Consumer Health Data and Ad Targeting in 2026: My Health My Data Act, Pixel Leakage and the FTC Enforcement Wave

Why Health Data Is the Highest-Risk Ad Signal

Of every data signal an advertiser can send to a platform, consumer health data now carries the steepest legal exposure in the United States. It is governed not by one rule but by a stack of them — a dedicated state statute with a private right of action, a multi-year FTC enforcement campaign, and the sensitive-data provisions of nearly every comprehensive state privacy law — and they all point the same direction: health-linkable data does not belong in an advertising pipeline without specific consent.

The danger is that almost none of this data looks like medical records. It is a page view on a condition article, a symptom search, a telehealth booking, a fertility-app event, or a visit near a clinic. Marketing teams have treated these as ordinary behavioral signals for years. In 2026, sending them to Meta, Google, TikTok, LinkedIn, Snapchat or Pinterest is the conduct that regulators and plaintiffs target.

"A consumer's health information is among the most sensitive information about them... Digital health companies and mobile apps should not cash in on consumers' extremely sensitive and personally identifiable health information.
— FTC, on the GoodRx enforcement action (2023)"

This guide explains the My Health My Data Act and its private right of action, what counts as consumer health data, how pixels and SDKs leak it, the FTC enforcement wave from GoodRx to the Healthline settlement, and the absolute geofencing ban around health facilities. Audit your tracking with the AI Compliance Audit, stress-test targeting with the Legal Compliance Scan, and track enforcement on the Policy Change Tracker.

My Health My Data Act and the Private Right of Action

Washington's My Health My Data Act (MHMDA), codified at RCW Chapter 19.373, is the strongest consumer health privacy law in the country. It took effect for regulated entities on March 31, 2024 and for small businesses on June 30, 2024, and it reaches any business that collects health-linkable data — not just HIPAA-covered entities.

What MHMDA Requires

Action	Standard	Enforcement
Collect health data	Separate opt-in consent — freely given, specific, informed, unambiguous	WA Consumer Protection Act
Share health data	A second, separate consent (distinct from collection)	WA Consumer Protection Act
Sell health data	Separate signed written authorization naming data, buyer and purpose	WA Consumer Protection Act
Geofence health facilities	Prohibited outright — no consent exception	WA Consumer Protection Act

The decisive feature is enforcement. Most state privacy laws are enforced only by the attorney general; MHMDA declares a violation an unfair or deceptive act under Washington's Consumer Protection Act, which carries a private right of action. Consumers can sue directly, seek actual damages and recover attorney's fees — turning a pixel misconfiguration into class-action exposure. For the surrounding framework, see the United States compliance reference.

What Counts as Consumer Health Data

The definition is far broader than HIPAA. Consumer health data is any personal information linked or reasonably linkable to a consumer that identifies their past, present or future physical or mental health status. It does not need to come from a clinical setting — inferences and proxies count.

In Scope by Default

Direct signals: conditions, diagnoses, treatments, medications, test results, biometric and genetic data, reproductive and sexual-health information.
Behavioral proxies: viewing a condition-specific article, searching a symptom, adding a medication to a cart, booking a specialist or telehealth visit, using a mental-health, fertility or addiction app.
Location: precise location data indicating a consumer sought health services.

The question is never "is this HIPAA data?" but "could this, alone or combined, identify someone's health status?" California's 2025 Healthline settlement treated transmitting article titles that imply a diagnosis as a violation — proof of how far the standard reaches. Map your exposure with the Legal Compliance Scan and see the healthcare compliance guide.

How Pixels and SDKs Leak Health Data

Pixels and SDKs transmit the full context of the page or screen they sit on — URLs, titles, button text, form interactions. When that context is health-related, the transmission is a disclosure of consumer health data, and it happens whether or not anyone intended it.

The Leakage Pattern

Page context: A site-wide Meta Pixel sends the URL and event when a user views a condition page, clicks "book appointment," or submits a health form.
Automatic events: Default automatic collection captures page titles and form fields on sensitive pages without explicit setup.
App SDKs: Mobile SDKs in health apps transmit identifiers alongside in-app events that reveal the app's purpose.

Every FTC health-data action turns on this pattern. The fix is technical: inventory every pixel, tag and SDK; remove tracking from any surface that reveals a health interest; strip health-revealing parameters from URLs and payloads; prefer filterable server-side measurement; and gate any health-linkable signal behind explicit consent. Run a full audit with the AI Compliance Audit.

The FTC Enforcement Wave: GoodRx to Healthline

The FTC's enforcement record is the clearest map of advertiser exposure, because each action turns on the same conduct — letting health-linkable data flow to an ad platform — and the standard remedy is a flat ban on sharing health data for advertising.

The Enforcement Record

Company	Year	Outcome	Conduct
GoodRx	Feb 2023	$1.5M civil penalty (first HBNR case)	Shared prescription/condition data with Facebook, Google, Criteo via pixels/SDKs
BetterHelp	Jul 2023	$7.8M consumer refunds	Shared email/IP + mental-health answers with Facebook, Snapchat, Criteo, Pinterest
Premom	May 2023	$100,000 penalty	Shared reproductive-health data with Google and AppsFlyer
Cerebral	Apr 2024	Order barring health data for marketing	Disclosed ~3.2M consumers' data to LinkedIn, Snapchat, TikTok
Healthline (CA AG)	2025	$1.55M — largest CCPA settlement	Sent article titles implying a diagnosis; failed to honor opt-outs

The Healthline settlement extended the theory to publishers and content sites: if your pages reveal what a reader is viewing and it implies a health condition, sending that to an ad platform is exposure. Assume any health-linkable signal reaching Meta, Google, TikTok, LinkedIn, Snapchat or Pinterest is a potential enforcement target. Track new actions on the Policy Change Tracker.

The Geofencing Ban Around Health Facilities

MHMDA makes it unlawful to implement a geofence around a facility providing in-person health care to identify or track consumers seeking care, collect health data, or send health-related notifications or ads. A geofence is defined as a boundary of 2,000 feet or less from the perimeter — and there is no consent exception.

What This Forecloses

Proximity targeting: serving ads to people who visit a clinic, hospital, reproductive-health center, mental-health or addiction-treatment facility.
Audience building: collecting people seen near health facilities for retargeting or lookalike modeling.
Incidental capture: non-health campaigns whose location logic happens to include a facility within the radius.

Nevada and Connecticut have comparable restrictions, so the constraint is spreading. The safe rule is to treat health facilities as absolute exclusion zones for any location-based advertising, audience-building or notification — nationwide, not state-by-state. See the US state privacy laws 2026 analysis for the wider picture.

A Compliant Health-Data Advertising Workflow

The workflow rests on one premise: health-linkable data does not reach an ad platform unless a specific, logged consent permits it.

Seven Stages

1. Classify: Map every source, audience, event and page touching health-linkable data, using the broad linkability standard.
2. Suppress by default: Block or strip tracking on flagged surfaces so no health signal flows absent consent.
3. Consent where required: Separate, specific, unbundled opt-in; signed authorization for any sale; logged language and timestamp.
4. Audience hygiene: No lookalikes seeded from health events; exclude health facilities from location targeting; honor Global Privacy Control.
5. Measurement discipline: Prefer filterable server-side measurement; strip health-revealing parameters before data leaves your control.
6. Document: Keep the data map, suppression config, consent logs, authorizations and opt-out handling.
7. Monitor: Track regulatory change and re-audit when platforms change pixel behavior.

Because the same controls satisfy MHMDA, the FTC prohibitions, the comprehensive state laws and the geofencing bans, one disciplined workflow clears the landscape. Operationalize with the AI Compliance Audit and the Legal Compliance Scan.

Health-Data Advertising Compliance Checklist

[ ] Every pixel, tag and SDK inventoried and mapped to what it transmits and where
[ ] Tracking blocked or stripped on condition, symptom, treatment, appointment and telehealth surfaces
[ ] No custom or lookalike audiences seeded from health-linkable events
[ ] Health facilities excluded from all location and proximity targeting (no geofence within 2,000 ft)
[ ] Separate, logged opt-in consent before any health-linkable data is collected for ads
[ ] Signed written authorization on file before any sale of consumer health data
[ ] Server-side measurement filtered to remove health-revealing parameters
[ ] Global Privacy Control and universal opt-out signals honored
[ ] Data map, suppression config, consent logs and authorizations documented
[ ] Enforcement and new state laws tracked on the Policy Change Tracker

Audit tracking with the AI Compliance Audit, confirm targeting with the Legal Compliance Scan, and monitor enforcement on the Policy Change Tracker.

Don't miss the next policy change.

Create a free account — track every policy change across 8 platforms, get instant alerts, and access every free compliance tool. Or try our Meta Rejection Predictor first.

Create Free Account

Report Keywords — Run AI Compliance Audit

#Consumer Health Data#My Health My Data Act#FTC#Health Breach Notification Rule#Meta Pixel#Ad Targeting#GDPR#State Privacy#Advertisers#Compliance Guide 2026#Healthcare

Share This Report

Tweet Share

Consumer Health Data and Ad Targeting in 2026: My Health My Data Act, Pixel Leakage and the FTC Enforcement Wave

Why Health Data Is the Highest-Risk Ad Signal

My Health My Data Act and the Private Right of Action

What MHMDA Requires

What Counts as Consumer Health Data

In Scope by Default

How Pixels and SDKs Leak Health Data

The Leakage Pattern

The FTC Enforcement Wave: GoodRx to Healthline

The Enforcement Record

The Geofencing Ban Around Health Facilities

What This Forecloses

A Compliant Health-Data Advertising Workflow

Seven Stages

Health-Data Advertising Compliance Checklist

Don't miss the next policy change.

Report Keywords — Run AI Compliance Audit

Share This Report

Related Posts

Maryland's MODPA in 2026: Data Minimization, the Sensitive-Data Sale Ban and What It Means for Ad Targeting

Dark Patterns in Your Ad Funnel: The EU Digital Fairness Act and FTC Crackdown in 2026

EU DSA Article 26 — Political Advertising Transparency: First-Year Implementation Data Across 27 Member States

Related Resources

All Tools

Platform Guides

Knowledge Hub

Policy Tracker