Twenty states have comprehensive privacy laws by early 2025, impacting how we target and track audiences. These laws give consumers control over their data – items like names, browsing habits, or purchase history – and set rules for ad practices.
New State Laws in 2025:
Minnesota (July 31): Targets firms with 100,000+ Minnesotans’ data. Adds profiling scrutiny, meaning more transparency in how we segment audiences.
Maryland (October 1): Covers 35,000+ Marylanders’ data. Bans unnecessary data sales and limits processing sensitive info (e.g., health or race), tightening behavioral ad options.
Already Live: States like California (CCPA/CPRA), Colorado, and Virginia – plus 14 others – let consumers opt out of data sales and ads. California’s strict rules push brands to prioritize first-party data, while lighter laws (e.g., Iowa) offer flexibility.
Ad Impact: More opt-outs mean smaller audiences unless brands adapt. Brands should enhance consent management and lean on new innovations to keep their ROI strong.
In Connecticut, Nevada and Washington, under their respective consumer health data privacy laws – Connecticut Data Privacy Act (CTDPA), Nevada’s Senate Bill 370 (SB 370), and Washington’s My Health My Data Act (MHMDA) – the need for consent to market health products to doctors or health professionals depends on whether consumer health data is being collected, processed, or shared in the process, and whether those professionals are acting as “consumers” under the law.
Connecticut (CTDPA)
Definition of Consumer: Connecticut’s law defines a consumer as an individual who is a resident of Connecticut acting in a personal capacity. Specifically, it refers to a natural person whose personal data is processed by a business, but it excludes individuals acting in a commercial or employment context. This means the law protects Connecticut residents when they’re engaging as private individuals – like when they are shopping, browsing online, or managing their personal health data – but not when they’re acting as employees, job applicants, or business representatives. The focus is on safeguarding personal and non-professional data use.
Consent for Sharing: The CTDPA requires opt-in consent specifically for processing consumer health data, classified as sensitive personal data. This means businesses must obtain clear, affirmative permission from Connecticut residents before collecting, using, or sharing data that identifies an individual’s physical or mental health condition or diagnosis. Consent must be freely given, specific, informed, and unambiguous – implying no pre-checked boxes or implied agreement – ensuring robust protection for health-related information in personal contexts. The law does not apply consent requirements to data processed in a professional or employment context, as the definition of “consumer” excludes individuals acting in commercial or job-related roles.
Geofencing Restriction: Businesses are prohibited from using geofencing – creating virtual boundaries based on real-world geographic locations – to track, identify, or collect data from consumers, or to deliver targeted ads, when the geofence is set within 1,750 feet of a mental health facility or a reproductive/sexual health facility. This applies regardless of consent, aiming to protect sensitive health-related activities.
Conclusion: Marketing to health professionals acting in their professional capacity does not require consent in Connecticut as long as their personal health data is not shared.
Nevada (SB 370)
Definition of Consumer: Nevada defines a “consumer” as a natural person who is a resident of the state or whose consumer health data is collected in Nevada but excludes individuals acting in an employment context or a commercial (B2B) context. Doctors or health professionals receiving marketing as part of their professional roles would likely not be considered “consumers” under this law if the interaction is strictly business-to-business (e.g., marketing medical devices to a physician’s practice).
Consent for Sharing: Consent is required to collect, use, or share “consumer health data,” which is personal information used to identify an individual’s health status. However, if the marketing does not involve consumer health data – say, it is just a general pitch about a product with no data collection – SB 370’s consent rules wouldn’t apply.
Geofencing Restriction: Nevada prohibits using geofencing within 1,750 feet of healthcare facilities to collect or share data for marketing purposes. If marketing to doctors involves such tactics (e.g., targeting them based on their location at a hospital), it is banned outright, regardless of consent.
Conclusion: For marketing health products to doctors in Nevada, you likely do not need consent if it is a B2B interaction not involving their personal health data. If it does involve collecting or sharing their health data as consumers (not professionals), consent is required unless an exception applies.
Washington (MHMDA)
Definition of Consumer: Washington’s law also defines a “consumer” as a natural person who is a Washington resident or whose health data is collected in the state, excluding those acting in an employment or B2B context. Similar to Nevada, doctors or health professionals receiving marketing in their professional capacity (e.g., as practitioners, not patients) would generally not be “consumers” under MHMDA.
Consent for Sharing: Consent is required to collect, share, or sell consumer health data – broadly defined as data linked to physical or mental health – unless it is necessary to provide a product or service the consumer requested. If the marketing is purely professional and no consumer health data is involved, MHMDA’s consent rules do not apply.
Geofencing Restriction: Washington bans geofencing around healthcare facilities to collect or share data for marketing, effective since July 23, 2023. Marketing to doctors via geofencing (e.g., targeting them at a medical facility) is prohibited, even with consent.
Conclusion: Marketing health products to doctors in Washington does not require consent if it is a B2B transaction and does not involve collecting or sharing their personal health data as consumers. If their health data is used, consent is needed unless an exception applies.
Key Considerations
B2B Exemption: All three states carve out employment and commercial contexts from their definitions of “consumer,” meaning marketing to doctors or health professionals in their professional roles typically falls outside these laws’ scope unless their personal health data is implicated.
Data Usage: If marketing involves collecting or sharing consumer health data (e.g., tracking a doctor’s health-related behaviors as an individual, not a professional), consent is required in these states, subject to exceptions like providing a requested service.
Practical Implication: For typical marketing of health products to doctors – say, pitching a new drug or device to their practice – you generally wouldn’t need consent under any of these laws, as long as you are not processing their personal health data or using prohibited tactics like geofencing.
In short, in Connecticut, Nevada and Washington, you do not need consent to market health products to doctors or health professionals in a professional capacity, provided no consumer health data is collected or shared in the process. If it is, consent becomes necessary unless an exception applies.
Federal laws hit specific data types critical to the pharma media industry. Here is how they shape our work:
Video Privacy Protection Act (VPPA): Protects video-viewing data (e.g., streaming habits). Brands cannot use what someone watches on YouTube or Hulu for ads without consent. Violations cost $2,500 each, so we are cautious with video as a source of targeting.
Health Insurance Portability and Accountability Act (HIPAA): Locks down health data – like prescriptions or diagnoses. If your campaign touches healthcare (e.g., pharma ads), brands cannot use HIPAA-covered info without explicit permission. Data de-identified using HIPAA’s safe harbors is generally acceptable. Non-compliance risks millions in fines, so Throtle relies on de-identified data instead.
COPPA: Kids under 13 need parental consent for data use – crucial for family-targeted campaigns. Throtle does not use data on children under 18 years of age.
GLBA: Financial data gets extra scrutiny; Throtle limits its use in ads. Throtle does not use financial data in our products.
Section 5: Misleading privacy claims (e.g., “we don’t track you”) can trigger fines – think $5 billion like Facebook’s 2019 hit.
The FTC expects clear disclosures, so we ensure your ads align with our privacy policies.
Targeting Shifts: Consumer opt-outs and data restrictions shrink traditional pools. Throtle is pivoting to privacy-first solutions – lookalike modeling, consented first-party data, and additional solutions – to keep brands’ reach intact.
Compliance Costs: New state laws mean more tech upgrades and security standards (e.g., consent platforms).
Jonathan McLeod, Director of Compliance at Throtle, has over 15 years of experience in healthcare compliance, regulatory policy, and government relations. He previously led delegate oversight at Oscar Health and held key compliance roles at HCSC and Tessellate, with a strong background in legislative advocacy and policy development. This piece is an adaptation of an original article from Throtle.