On May 3, 2023, New York Governor Kathy Hochul signed into law fiscal bill A.3007C/S.4007, which restricts the use of geofencing technologies around health care facilities. The law is likely to have significant implications for entities in the digital advertising space, particularly those that handle personal information regarding consumer health. It is yet another sign of a growing nationwide trend to more tightly regulate the handling of consumer health data. The law is set to go into effect on July 2, 2023.
Geofencing refers to the establishment of a virtual boundary around a specific location using location detection technology. When such a boundary is set up, it allows for the tracking of devices entering or exiting the area, and can be used for purposes such as delivering targeted digital advertisements to users within the geofenced area. For example, an adtech company may buy and sell information of consumers who have visited a particular furniture store, so that those same consumers can later be served targeted advertisements for the same or other furniture brands.
The New York law prohibits any person or entity from setting up a geofence around any health care facility, unless they own the facility. It applies to a broad range of health care entities, including hospitals, clinics, and any other entities providing medical care or related services. The law specifically restricts the use of geofencing for three main purposes:
- Delivering digital advertisements to a user
- Building consumer profiles
- Inferring the health status, medical condition, or medical treatment of any person at or within the health care facility
When compared to similar geofencing prohibitions, such as Washington State’s recently passed My Health My Data Act, the New York law is notable for its exemption of health care facilities’ own geofencing activities. Unlike the Washington law, which applies to any person or entity, the New York law allows health care facilities to use geofencing for their own digital advertising, profiling, and inference development. Both the New York and Washington laws prohibit geofencing activities without giving consumers the option to opt in to such collection. Additionally, the New York law does not include a private right of action, unlike the Washington law.
The New York law is another example of the increasing focus on, and protection of, consumer health data. It comes on the heels not only of the Washington My Health My Data Act, but also the FTC’s recent actions against healthcare-adjacent entities such as GoodRx, BetterHelp, and Premom, proving that the protection of consumer health data is becoming a top priority for regulators and lawmakers at the federal and state level. Companies should move quickly to do the following:
- Understand your data practices. Conduct a thorough review of your data handling practices, particularly if you handle any information that is even tangentially related to consumer health or wellness. Be sure to understand whether you collect or handle sensitive information concerning consumer health, wellness, biometrics, genetics, etc.
Specific to the New York law, understand where you get information from, to ensure you know whether or not you receive any information from a third party who creates geofences, regardless of whether you have established the geofence yourself, or receive the data from a third party. It may be difficult, or impossible, for a buyer to determine whether geofencing was used to develop individual profiles. Where possible, attempt to obtain representations and warranties from third parties concerning geofencing of data.
- Update privacy policies. To the extent necessary, ensure that your privacy policies accurately and comprehensively describe how you collect, share, use, secure, and otherwise handle personal information.
- Consider ditching geofencing altogether. The New York and Washington laws prove that the days of advertising using geofence information may be coming to an end. Not only are geofences almost categorically prohibited in the health care setting in these states, but precise geolocation information – location information accurate to within a few thousand feet – is considered “sensitive” under a growing number of comprehensive state privacy laws, including the California Privacy Rights Act. These sensitive data are subject to heightened requirements, including in some cases obtaining opt-in consent prior to its collection. It also tends to unnerve consumers when they understand that this information is being collected and used for purposes other than to obtain the original service or product they sought. And regulators for their part have shown an appetite for dismantling this business model. If you are an entity that establishes, buys, or sells precise location or geofence data, it is time to explore alternatives.