Pharmaceutical advertisers want health data so that they can effectively tailor the $18 billion spent annually on drug pitches to those audiences most likely to buy these products. However, a recent privacy law out of Washington State may force substantial changes in the field—potentially exposing a huge number of companies to liability and enforcement actions. This could forever change how these companies leverage health data to target their customers.
The “California Effect” and Washington’s Ambitious New Health Privacy Law
The “California Effect” occurs when a state with a sufficient market share passes a new regulation that becomes a de facto nationwide law, because many firms opt to shape their policies to meet that regulation in all of their products. This is also called “regulatory harmonization” or the “Brussels Effect” (a nod to the reach of EU regulations), and we’ve seen it play out for several privacy statutes in the past (e.g., for “cookie” consents).
This is why it will be interesting to monitor Washington State’s new “My Health My Data” (MHMD) Act in the coming months and years. MHMD protects a far greater range of information than most preexisting privacy statutes in the U.S., containing notably broad definitions of what it means to “collect” and “process” consumer health data (emphases added):
(5) “Collect” means to buy, rent, access, retain, receive, acquire, infer, derive, or otherwise process consumer health data in any manner.
(20) “Process” or “processing” means any operation or set of operations performed on consumer health data.
Although MHMD does not apply to “deidentified” or “publicly-available” data, it does apply to data that could “reasonably be used to infer information about, or otherwise be linked to, an identified or identifiable consumer, or a device linked to such a consumer.” Further, the statute explicitly lists “cookie IDs,” “IP addresses,” and “any other form of persistent unique identifier” as types of “personal information” protectable under the law.
To understand why this language has the potential to change the entire pharmaceutical advertising industry, let’s review how this field operates.
Pharmaceutical Targeted Advertising
To start, drug advertising is well-protected under the First Amendment (despite misgivings from some members of the incoming Trump administration). This is a massive industry in the U.S. — last year, more money was spent on pharma advertising than on tech advertising. So, the stakes are high to get the most use from those dollars.
In the modern era of “targeted” advertising, advertisers often want to know as many specifics about their audience as possible. With more data, advertisers can send more finely tailored ads to consumers in increasingly personalized platforms. Advertisers frequently track consumers through advertising IDs (Ad IDs), gathering detailed information about the devices ads appear on, including the time, service provider, app used, and IP address. If a publisher has data on a user (i.e., personally identifiable information associated with a user’s profile), this can further help to create much more finely-targeted advertisements.
Targeted advertising for pharmaceuticals has become big business, with enormous incentives to pinpoint those with conditions treated by various drugs. But there’s reason to believe MHMD may change this paradigm for good.
“My Health My Data” and the Future of Pharma Advertising
As many experts have noted, the MHMD language is very broad, and likely implicates many widely-used advertising techniques. For example, under the statute, advertisers leveraging health data while tracking users’ Ad IDs (which are clearly “persistent unique identifiers”) or IP addresses would open themselves up to liability under MHMD. Because the law includes those who “process” data in Washington, which experts note is home to some of the largest cloud service providers in the country, the law might extend to businesses nationwide. And, because compliance with this regulation only in Washington might be challenging, many will probably opt to just make MHMD coherence their nationwide approach, creating a “Washington Effect” akin to the “California Effect”.
Does this mean that pharma advertising will go away forever? No chance — there’s just too much money in targeting specific audiences with specific drugs for people to step away from it. Companies wishing to “process” health data in a manner compliant with MHMD have a few options available to them.
To start, companies could opt to adhere to the MHMD statutory requirements to process consumer health data (e.g., by obtaining informed opt-in consent for “collecting” and, separately, for “sharing” consumer health data). However, this may prove too burdensome for many companies and will require businesses to track health data they use to ensure it remains “de-identified” at every step of the data transfer process.
Another option is to only use “de-identified” data, which is carved out from MHMD. But (as others have discussed), “de-identified” data can often be “re-identified” by cross-referencing it with publicly available data. Experts have shown how easily this can be done in the advertising space, and of course, advances in artificial intelligence will probably make it far easier. Because regulators have shown a willingness to hold companies liable for their vendors’ violations of privacy laws in the past, even businesses who rely on third-party vendors should be cautious to ensure that these partners aren’t “re-identifying” personal health data at any point.
Businesses could also avoid identifiable health data altogether, leveraging “synthetic” or “surrogate” data, or only working with vendors who sell aggregated data (to avoid any allegations of individual re-identification). It is unclear if the common industry practice of “adding noise” (i.e., inserting alternative data into a record to obfuscate which sources are from identifiable individuals) would prove sufficiently “de-identified” under MHMD. So, companies using this technique would be wise to consider whether their practices suffice to avoid liability under MHMD’s exceptionally broad protections.
What “My Health My Data” Means for Advertisers, Publishers, and Consumers
Because MHMD is written so ambiguously, many predict a wave of class actions over the coming years targeting companies “processing” health data in Washington State. While this will certainly help to clarify the reach of MHMD, a more mutually beneficial solution would be for companies to get ahead of these increased regulations by taking proactive steps to avoid liability. With this, companies could avoid liability, consumers’ health data could remain protected, all while allowing the legislative intent of MHMD to prevail.
Vincent Joralemon was a Petrie-Flom Student Fellow (J.D. 2024) in the Berkeley-Harvard Exchange Program. His current research focuses on tensions between the patent incentive system, the FDA approval process, and insurance carriers. At Berkeley Law he led the Intellectual Property Law Society and served on the editorial board of the Berkeley Business Law Journal.