20 States Pass Privacy Laws, Sensitive Data Definitions Expand
Summary
Since 2018, 20 states have enacted comprehensive consumer privacy laws with varying definitions of sensitive data and regulated entities. Washington's 2024 My Health My Data Act represents a significant expansion by requiring opt-in consent for data collection and broadening protected categories to include gender-affirming, reproductive, and sexual health information, precise geolocation, and non-health data that could infer care type. Legal experts note that enforcement actions will determine how broadly these expanded definitions can be interpreted. The article also addresses concerns about data broker access to health data following the Dobbs decision, DOJ subpoenas for gender-affirming care records, and 23andMe's 2025 bankruptcy proceedings raising questions about genetic data protection during corporate acquisitions.
About this source
GovPing monitors ABA Legal News for new courts & legal regulatory changes. Every update since tracking began is archived, classified, and available as free RSS or email alerts — 104 changes logged to date.
What changed
Since 2018, 20 states have passed comprehensive consumer privacy laws with different definitions of sensitive data and regulated entities. Washington's 2024 My Health My Data Act is particularly notable for requiring opt-in consent, broadening protected categories to include gender-affirming care, reproductive services, sexual health information, precise geolocation data, and non-health information that could infer the type of care someone is receiving. Several other states have adopted similar expanded provisions.

Organizations collecting consumer data should monitor how these expanded definitions are interpreted through enforcement actions, as legal experts note the full scope remains to be seen. Companies subject to Washington state jurisdiction and similar laws face new opt-in consent requirements for sensitive data categories. The analysis also highlights that current protections may be inadequate during corporate acquisitions, as demonstrated by 23andMe's 2025 bankruptcy proceedings.
Archived snapshot
Apr 23, 2026. GovPing captured this document from the original source. If the source has since changed or been removed, this is the text as it existed at that time.
Science & Technology Law Section
What is sensitive data and why does it matter? Lawmakers and individuals seem to have a mutual understanding that there is a subset of personal information that warrants special protection, but drawing a clear line has become increasingly difficult in the digital age, when even the most innocuous information can be used for ulterior purposes.
Since 2018, 20 states have passed comprehensive consumer privacy laws with different definitions of "sensitive data" and "regulated entities", but most focus on data related to health diagnoses and children.
However, as new technologies emerge and litigation moves through the courts, our understanding of sensitive data expands beyond what anyone may have initially thought. Legal experts on the panel showed how past and ongoing lawsuits reveal unexpected gaps in these laws' coverage. Nancy Perkins summarized the issue by asking: "when does your exploration of particular website pages say something about you such that the use of that information is a use of your sensitive personal information?"
The Supreme Court's 2022 decision in Dobbs v. Jackson Women's Health highlighted how much "health data" exists outside typical healthcare settings that can be accessed by data brokers or law enforcement. To better protect individuals seeking out-of-state gender-affirming and reproductive services, Washington's 2024 My Health My Data Act was particularly groundbreaking in that it covers all business entities in the state and safeguards anyone whose data is collected there. Additionally, the law requires consumers to "opt in" to data collection and broadens the scope of gender-affirming, reproductive, and sexual health information to include the research of services, precise geolocation data, and non-health information that could be used to infer the type of care someone is receiving. Several states have expanded their laws to include similar provisions, but when it comes to how minutely these broader definitions can be interpreted, Cody Venzke noted, "we don't know at this point, and that remains to be seen as further enforcement actions proceed."
Although legislators have been working to grant individuals control over when and how their information is processed, the collection of sensitive data is often consented to because it is necessary to provide services. Data has long been considered an asset. What happens when a third party wants to access it?
In 2025, as part of an investigation, the DOJ subpoenaed hospitals and providers nationwide requesting patient records related to gender-affirming care for people under 19. While many of these cases are currently on appeal, in one instance the government amended its initial filing to request anonymized patient data. Patients and parents have argued that simply removing names and personal identifiers is not enough to conceal the identities of individuals whose most intimate details have been recorded by their doctors, raising the question of whether anonymization is even possible given the sheer amount of data an entity can gather.
High-profile bankruptcy cases like 23andMe revealed in 2025 that when consumers agree to a company's terms of service, the protections they anticipated can be rendered obsolete in the event of an auction or acquisition. Referring to these instances as "transactions in the dark", Lucy Thomson explained that genetic data are "sensitive, persistent, and immutable" and that although some state laws address such information, they ultimately fail to protect against "possible exploitation and misuse".
In the same vein, Lauren Robbins posited that having protective laws is just one part of the picture and that another mode of enacting consumer and patient privacy "is by institutions that hold the data taking proactive steps to protect that information".
The fact remains that this data is out there, and in the age of AI, private thoughts in the form of neural data have become the next frontier. With great technology come great advancements but also great responsibility.
Author
Mary-Elizabeth Vogel
Mary-Elizabeth Vogel graduated from Benedictine College with a degree in Philosophy and Economics. She is an aspiring law student working in the medical device industry and is passionate about data privacy and AI governance....
About this page
Source document text, dates, docket IDs, and authority are extracted directly from ABA.
The summary, classification, recommended actions, deadlines, and penalty information are AI-generated from the original text and may contain errors. Always verify against the source document.