New York and Connecticut Prohibit Geofencing near Health Care Facilities

New York State and Connecticut have recently enacted laws that prohibit “geofencing” near health care facilities. The New York State law took effect on July 2, 2023, and Connecticut’s on October 1, 2023. These geofencing laws, enacted partly in response to the Supreme Court Dobbs decision (to prevent advertisers from targeting people receiving reproductive services), have far-reaching implications.

What Is Geofencing?

Geofencing involves setting up a virtual perimeter around a specific real-world zone or location. In the advertising world, geofencing can deliver advertisements to specific zip codes, Wi-Fi or IP addresses, or to a certain event such as a concert or conference by using GPS, which increases the ad campaign’s efficiency. Businesses large and small can, and do, use geofencing to advertise. Businesses can do this themselves, through an app, like Snapchat, or through a digital marketing company.

In the health care industry, geofencing can be used for a variety of purposes. For example, a telehealth company might run targeted advertisements to the cellphones of patients in a brick and mortar waiting room; a medical equipment supplier could advertise directly to potential buyers (hospitals, clinics etc.); or a health insurance company could advertise specific products to potential enrollees in a nursing home or assisted living facility. Some personal injury law firms have reportedly run advertisements to patients crossing geofences set up around emergency rooms.[1]

The New York Law

Under General Business Law section 394-g, and as detailed below, it is now unlawful in New York for any person or entity to set up a geofence around any health care facility, except around their own health care facility. Under the New York law, geofencing means using any technology to establish “a virtual boundary of 1,850 [about 1/3 of a mile] feet radius, or less … around a particular location that allows a digital advertiser to track the location of an individual user and electronically deliver targeted digital advertisements directly to such user’s mobile device upon such user’s entry into the geofenced area.” The statute defines “health care facility” broadly to mean “any governmental or private entity that provides medical care or related services” including the building or structure in which the facility is located.

Specifically, the law prohibits any person, corporation, partnership, or association from establishing a geofence around a health care facility, except their own, “for the purpose of delivering a digital advertisement, for the purposes of building a consumer profile, or to infer health status, medical condition, or medical treatment of any person at or within a health care facility.” Further, the law prohibits any person, corporation, partnership, or association from delivering digital advertisements to a user at or within a health care facility, except their own, through the use of a geofence. Practically, this also means that a geofence can’t be used to acquire consumer health information from a health care facility for the purpose of sending a “delayed advertisement” to a patron once they leave a geofenced area, nor can a geofence be used to acquire and later sell information. Innocent buyers of such information may be unable to readily discern how the underlying data was collected, which poses unique compliance concerns.

There is no private cause of action, or penalty, explicitly provided in the law. Enforcement will be left primarily to the New York State Attorney General, who has not been afraid to use other aspects of the General Business Law to pursue allegations against advertisers in the past.[2]

The Connecticut Law

Effective October 1, 2023, Connecticut’s Data Privacy Act prohibits the use of a geofence “to establish a virtual boundary that is within 1,750 feet of any mental health facility or reproductive or sexual health facility for the purpose of identifying, tracking, collecting data from or sending any notification to a consumer regarding the consumer’s health data.”

While New York’s law focuses on prohibiting “digital advertisements,” Connecticut’s is arguably broader in that it prohibits sending “any notification” to consumers regarding their health data, and also prohibits the sale, tracking or collection of that data. The Connecticut law includes an exception for state regulators, institutions of higher education, and several other groups. Importantly, Connecticut’s law is limited to a much narrower set of facilities compared to New York, as noted above. In addition, Connecticut’s law is restricted to consumers, which leaves open the possibility of geofence campaigns directed towards employees and management, if implemented appropriately. The law can be enforced only by the Connecticut Attorney General and violations constitute an unfair trade practice. We also note that both the New York law and Connecticut law raise potentially novel free speech questions under the First Amendment.

Stakeholders in the health care industry, particularly those with robust sales and marketing teams, should understand the scope and impact of these new laws. These laws and others are part of an emerging patchwork of authority regarding consumer health data and information.

[1] https://www.npr.org/sections/health-shots/2018/05/25/613127311/digital-ambulance-chasers-law-firms-send-ads-to-patients-phones-inside-ers

[2] https://ag.ny.gov/press-release/2022/attorney-general-james-secures-94-million-google-and-iheartmedia-over-misleading