The Healthcare Advertiser’s Guide to Navigating Changes in Privacy Regulations

The digital advertising landscape is shifting rapidly, and for healthcare and pharmaceutical marketers, the stakes are higher than ever. With evolving privacy regulations, increasing scrutiny on data practices and the challenge of balancing precision targeting with consumer protection, advertisers must rethink their strategies to stay effective and compliant.

To tackle these pressing issues, PurpleLab recently hosted a webinar titled “The Healthcare Advertiser’s Guide to Navigating Changes in Privacy Regulations.” Moderated by Ted Sweetser, VP of Ad Partnerships and Strategy at PurpleLab, the discussion featured insights from Andrew Lucking, General Counsel at PurpleLab, and Yashina Burns, SVP of Privacy & Legal Affairs at DeepIntent.

They explored: 

  • The latest developments in privacy laws.
  • Best practices for using privacy-enhancing technologies.
  • How healthcare advertisers can build sustainable and privacy-conscious marketing strategies.

In this Q&A recap, we dive into the key insights from the discussion – covering everything from privacy-enhancing technologies and state-level compliance challenges to the evolving role of AI and what lies ahead in 2025. This conversation provides essential guidance for pharma marketers, healthcare advertisers and industry leaders looking to future-proof their strategy.

Ted: Privacy-Enhancing Technologies (PETs) have gained significant traction in recent years. From your perspective, what notable advancements have emerged in this space, and what best practices should tech companies follow to ensure these technologies are effective and privacy-preserving?

Yashina: PETs have been around for a long time. Differential privacy, for example, is a technique that’s been used by the US Census Bureau, Uber, Apple, and a lot of established technology companies.

We’re seeing more differentiated approaches these days. The idea of PETs is that one party doesn’t have full access to the other party’s data, but they’re still able to obtain insights that can direct advertising or other efforts including measurement.

There’s a big difference between just using PETs versus implementing robust organizational and operational controls. Privacy-enhancing technology alone is NOT a substitute for an all-encompassing, comprehensive suite of privacy protections.

Ted: How do you approach state-level privacy laws?

Andrew: It’s tough because these laws are passing at breakneck speed. While states are trying to converge on some level of uniformity, the truth is that they’re still not at all uniform. That means that we have multiple disparate regimes to comply with. 

The NAI has had guidance regarding evolving state laws. If you have a robust compliance backbone, it’s just a matter of tweaking and confirming that what you’re doing abides by the law. Not every new state law has a GDPR-like impact. A lot of these state-to-state differences are just nuances rather than earth-shattering differences.

Yashina: That’s a really good point, Andrew. I highly recommend that everyone check out NAI’s health advertising guidelines. They take into consideration all state laws, including those that address more sensitive data fields, as well as considering that the law is continually evolving.

The NAI (as well as IAB and DAA) have working groups that specifically keep track of laws for you and give you live updates with really useful information.

Andrew: One of the benefits of being tuned into these working groups is that they tend to come to a consensus on the impact of state privacy laws. That makes it easier to build a compliance practice around them.

T: The industry has historically been split in terms of physician and consumer promotion, as a lot of marketing strategies have been divergent between those two. Have there been any variations in your considerations when talking about physician promotion versus consumer promotion?

Y: I think the key difference is that with physicians, there are fewer privacy concerns because typically you’re working with publicly available information.

From a policy perspective, it’s important that we still focus on reaching the consumer population because there is a lot of evidence that when patients see information about their health condition, they’re more likely to have conversations with their healthcare provider about it. Those conversations can help inform the physician as well.

It’s a two-way street. Consumer promotion is really important, but understanding the fact that this pertains to a person’s health condition makes it a much more sensitive topic. We want to be mindful of that, and that’s where privacy enhancement becomes important.

T: In the age of formulary gap issues where I’m sure tens of millions of people will have trouble accessing GLP-1s this year, for instance, the ability to raise awareness about how to lower costs for the consumer is a substantial public benefit.

Y: Yeah, absolutely. And again, from a policy standpoint, I know there’s this inherent tension between the idea of privacy and reaching out to the consumer. But where I think health advertising is a little different from your average targeted advertising is that there’s health equity and access to health information. 

To have health equity, you need to have relevant information going out to targeted populations in a privacy-mindful way. That’s where PETs like lookalike modeling come into play. That means we’re not going to target people that we know are patients, but we’re going to look at certain attributes that might correspond to people who might have this condition.

T: Privacy frameworks have evolved significantly in the last 10 years. From your perspective, have these regulatory changes led to changes in products and the ways that clients use them?

A: The way certain products operate has changed, but the core of what people are doing has stayed the same. For example, over a decade ago, there was the idea of a data cooperative where different companies or participants in an ecosystem would share data. That sort of collaboration is still happening, but through clean room technology that assures all the data is fully permissioned, and the sources are tracked so applicable consumer rights can be honored.

Nowadays, a straight-up data cooperative is unlikely, but people are getting at that primitive data through collaboration and efforts like that.

Y: We’re seeing more data minimization and more transparency. These different practices that are embedded in privacy principles that started from GDPR and a little before that were embedded into US privacy laws as well.

And the one net benefit is that there’s a lot less fraudulent activity. A few examples of fraudulent, misleading, and unfair activity I’ve seen in the past include data collection with no notice, no information, and completely unexpected data uses. People are becoming a lot more mindful of consumer expectations, the use of third parties, and how to communicate that – whether through privacy policy or cookie banners – and providing optionality around data use.

Data is getting more valuable because it’s more useful. These requirements mean that people have to be much more intentional about data use, which drives a lot of net benefits to the ecosystem.

T: What privacy trends will we see in 2025? 

A: I think there’ll be much more limited enforcement at the federal level. We won’t see the CFPB or agencies overreaching their scope, and this will leave a void for state attorneys general, particularly in blue states, to step in and enforce some of these state privacy laws.

Different states have different priorities when it comes to privacy law enforcement. Some states focus on the process of collecting data (i.e., consent and permission), while others focus on the outcomes of data usage (i.e., refusing insurance coverage to certain individuals, or other social harms). 

A prominent law firm predicted that there’s going to be an increase in benefits to companies that show strong compliance efforts, whereas in the previous administration, the general trend of the enforcement mechanisms was that companies received a monetary penalty after committing a crime.

T: What recommendations would you give to healthcare advertisers who are wanting to stay privacy safe while still using targeted advertising?

A: HIPAA is a decades-old privacy law with really robust compliance regimes around it. A large portion of advertising activity is subject to a robust law with mature protections to ensure patient privacy.

Y: We need to look at frameworks that are tried and true including de-identification, especially in the HIPAA realm. With targeting, we can’t just use de-identified information. It can be a really strong baseline for insights and for driving audience building.

At the targeting stage, make sure you’re working with a good vendor. You have to do the due diligence, even if it’s not your space of expertise working with these advertising technology companies or other technology companies in this space. It’s worth it to spend that extra time to do some screening. 

There are even some vendors out there now that help you with vendor management. I know IAB Safeguard is one – we work with them and they have a massive questionnaire asking all about all the different data privacy practices the company has in place. So you can get the same standard across the board and see if your vendors meet those baselines.

There are many tools now in place for that as well, but I think it’s worth that investment because as we’ve seen in the past with the FTC, you can be held accountable for bad due diligence. This is a vendor that you’re potentially sourcing sensitive information from. So due diligence is highly recommended.
