The gold standard in patient privacy online? Opt-in consent. Opt-in consent is the focus of many state laws, and it ensures that visitors are not only informed about the technologies tracking their activities, but that they actively agree to being tracked. If "opt-in" reminds you of the General Data Protection Regulation (GDPR) that swept across Europe in 2018, you're on the right track. This international regulation has inspired privacy-forward states to take a role in protecting their residents' data privacy. However, as we'll cover later, most states still operate with "opt-out" models as the baseline requirement.
In this blog, we'll break down:
- Why opt-in matters for healthcare companies
- What types of tracking patients can opt into
- The states that mandate opt-in compliance
- Best practices for opt-in on healthcare websites
The Role of Opt-in In Healthcare Privacy
Opt-in means that website visitors are notified of the data being collected and actively give permission for you to collect it. Compare that to opt-out, where data collection happens by default unless a visitor declines. Here's a breakdown:
- Opt-in: Opt-in is the foundation of a transparent and visitor-first privacy policy. The website visitor actively consents to individual website trackers. Web trackers, except for maybe functional ones (depending on state law), are not activated until visitors consent.
- Opt-out: Opt-out is the mark of a privacy policy prioritizing reporting over patient trust. Website visitors are often unaware of the data collected until they actively seek to stop it.
Trust is essential in every industry, and even more so in healthcare. Your privacy policy isn't just about compliance with state laws. It should create trust throughout the patient lifecycle, from acquisition to care. That's why opt-in frameworks are usually the safest choice, even when they aren't a legal necessity. Committing to patient privacy is also a competitive advantage and gives you the best chance of staying compliant with future regulations.
Types of Cookies Visitors Can Opt In To
Plenty of cookies and trackers for healthcare websites can help improve functionality, deliver tailored experiences, or improve campaign performance measurement. It's helpful to group them into categories to simplify how users opt into the variety of trackers. Here's a breakdown of the common types.
Functional
Functional trackers are usually exempt from state-level opt-in requirements because the website cannot run without them. They're typically used for security, authentication, critical user preferences, and accessibility. If you're having trouble determining whether a cookie is functional, let's be honest...it's probably not functional, especially if it ties into marketing, reporting, or social media integrations. When in doubt, it's wiser to assume a cookie is non-functional.
Examples
Session cookies, authentication tokens, CSRF protection, language preferences
Advertising
Advertising trackers monitor user behavior and collect the information necessary to personalize digital advertisements. Think programmatic ads, retargeting, native placements, or in-stream spots. For example, if someone leaves an appointment page without booking, the clinic could use retargeting ads to nudge them back with a friendly reminder. However, there are many HIPAA concerns depending on the type of advertising...and mitigating risk starts with ensuring that visitors opt into advertising cookies in the first place.
Examples
Google Ads, StackAdapt, Trade Desk, Doubleclick, Bing, Taboola, Outbrain, Revcontent, Zemanta
Social Media
Social media trackers are similar to advertising cookies because ad placements are usually a huge part of the experience. However, they allow users to share thought leadership content directly to their feeds.
Examples
Facebook, Instagram, LinkedIn, TikTok, X
Analytics
Analytics trackers are all about using data to improve visitor experience. While functional cookies also improve visitor experience, they differ in a few areas. Analytics cookies usually collect user information, while functional cookies help a website to operate without tracking user behavior or assisting in targeted advertising. Many marketers have tried to argue that analytics are crucial to the visitor experience, and they're right. However, from a legal perspective, that still doesn't make those trackers functional or necessary.
Examples
Google Analytics, Hotjar, Piwik, Adobe Analytics, MixPanel
Preference
Preference cookies ensure that non-critical preferences like color schemes, language selection, or location deliver a personalized experience. Like functional cookies, preference cookies are typically exempt from opt-in laws unless they store PHI. However, your state or local laws may vary, and you should always verify with a legal team that your preference cookies fully comply.
Examples
Language preferences, theme selections, location preferences
Interactive
Interactive cookies power dynamic features like autonomous agents, assistive chat, and form autofill. While they enhance web experiences, they aren't crucial to running the website. As a result, legal teams don't view them as functional. It's essential to make sure that if a user doesn't opt in to interactive cookies, they're made aware that the features which depend on them won't function correctly.
Examples
Salesforce Agentforce, Tidio, Zocdoc, Teladoc, Drift, Hotjar, Typeform, Disqus, Outgrow
The "State" of Opt-in Requirements
Take a look at this compliance map. It's a bit of a patchwork, isn't it?
While states with their own privacy laws are still in the minority, the numbers are growing. As more states jump on the privacy bandwagon, staying on top of these changes is essential, especially for multi-state healthcare providers.
Most states still focus on opt-out as the primary mechanism for giving consumers control over their data. Notable exceptions include California, Colorado, Delaware, and Virginia, where opt-in requirements regulate how companies collect data from minors.
As of February 2025, here is the "state" of state privacy laws in the United States.
California
California was the first to create its own privacy laws, inspiring other states. It started with the California Consumer Privacy Act (CCPA) in 2020, followed by the California Privacy Rights Act (CPRA) in 2023. Together, these laws grant Californians the right to prevent their information from being sold and to control the use of their personal information. It's one of the strictest privacy laws in the United States, with specific provisions for opt-in consent.
Colorado
In 2023, Colorado introduced the Colorado Privacy Act. It gives consumers the right to stop targeted ads and prevent the sale of personal data. Beyond opt-out, it gives consumers the right to correct, access, and transfer their data.
Connecticut
The Connecticut Data Privacy Act (CTDPA) started on July 1, 2023. It gives residents of the state the option to opt out of data processing for targeted ads or having their data sold. It also allows consumers to correct, delete, or access their personal information.
Delaware
The Delaware Online Privacy and Protection Act (DOPPA), which came into effect on January 1, 2025, focuses on regulating how websites collect personal information from minors. DOPPA mainly focuses on opt-out processes for the sale of personal data.
Indiana
The Indiana Consumer Data Protection Act (CDPA) is set to take effect on July 1, 2026. It has similar requirements to CTDPA in Connecticut, helping consumers to correct, access, or delete their data.
Iowa
The Iowa Consumer Data Protection Act (CDPA) officially came into effect in early 2025. It gives consumers the ability to opt out of data collection for sales or advertising purposes. Additionally, it will enable consumers to delete, access, or correct their personal information.
Kentucky
The Kentucky Consumer Data Privacy Act is set to take effect on January 1, 2026. It allows consumers to opt out of the collection of their data for sales or advertising purposes. Additionally, it will give consumers the right to delete and access their data.
Maryland
The Maryland Online Privacy Protection Act, enacted in 2023, mandates that companies provide consumers with the ability to opt out of the sale of their personal data.
Minnesota
The Minnesota Consumer Data Privacy Act, set to take effect on July 31, 2025, empowers consumers with greater control over their personal data. It allows individuals to opt out of data sales and provides them with more authority over how marketers utilize their information for targeted advertising.
Montana
The Montana Consumer Protection Privacy Act, effective October 2024, helps residents control their personal data. The act allows consumers to opt out of both the sale of their information and targeted advertising.
Nebraska
The Nebraska Data Privacy Act officially took effect on January 1, 2025, giving Nebraska residents the right to opt out of the sale of their data. Furthermore, it gives them the right to access, correct, or delete their data.
New Hampshire
The New Hampshire Consumer Protection Privacy Act officially took effect in January 2025. It allows residents to opt out of companies selling their personal data and targeted ads.
New Jersey
The New Jersey Consumer Privacy Act officially took effect on January 15, 2025. It allows residents to opt out of targeted ads and companies selling personal data. Additionally, it provides provisions that require companies to allow consumers to access or delete their personal information.
Oregon
The Oregon Consumer Privacy Act (OCPA) officially started on July 1, 2024. It allows Oregon residents to stop the sale of data and targeted ads. Like other laws, consumers can access, correct, or delete their data.
Rhode Island
The Rhode Island Consumer Protection Privacy Act will go into effect on January 1, 2026. Like other state laws, it gives consumers the right to opt out of targeted advertising and of the sale of their personal data.
Tennessee
The Tennessee Information Protection Act (TIPA) is set to start on July 1, 2025. It gives residents the right to opt out of targeted ads and companies selling their data. Like Oregon's law, consumers are also granted the right to gain access to, delete, or correct their data.
Texas
The Texas Data Privacy Protection Act was put into effect on July 1, 2024. It mandates that companies give consumers the ability to opt out of targeted ads and prohibits the sale of their personal data.
Utah
The Utah Consumer Privacy Act (UCPA) took effect on December 31, 2023, introducing new rights and protections for consumers. Under the UCPA, companies are required to provide options for consumers to opt out of targeted ads and the selling of their data. Furthermore, consumers now have the right to access, delete, or correct their personal information, ensuring greater control over their data.
Virginia
The Virginia Consumer Data Protection Act (VCDPA) officially started on January 1, 2023. It grants Virginia residents the right to opt out of personal information sales and targeted ads. They also have the right to access, correct, transfer, or delete their data.
Best Practices for Implementing Opt-In
1. Make Consent Banners Clear
Don't confuse your users. Cookie banners should be simple and concise and include examples of how you'll use their data.
2. Format Your Privacy Policies for Humans
Keep them detailed but digestible with the use of headings, anchor links, and bullets. Your patients don't want to wade through a dense policy. Use collapsible sections or FAQs to break things down.
3. Conduct Regular Audits
Consistent audits are vital for keeping up with evolving regulations, especially locally. Website audits ensure your opt-in, opt-out, and data access mechanisms comply with current state laws.
4. Prioritize User Experience (UX)
Offer users flexibility to control preferences for specific cookies/types of data. Bonus points if you embed visual toggles!
5. Use Consent Management Platforms (CMPs)
Platforms like OneTrust make compliance more manageable, especially for multi-state healthcare providers who must comply with multiple laws.
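To make the opt-in rule from the "Opt-in" definition above concrete, here is a small consent gate that applies the cookie categories described earlier (functional loads unconditionally; every other category stays off until the visitor opts in) and covers practices 3 through 5: per-category choices, a stored record with a policy version and timestamp for audits, and a list of interactive features the page should flag as disabled when their cookies were declined. This is an added example written for this post, not code from the original article or from any consent management platform; the category names, the tracker registry, and the stored consent format (`analytics=1;advertising=0;...`) are assumptions made for the illustration.

```javascript
// Added example (not from the original post): a consent gate that loads trackers
// by category only after the visitor has opted in. Category names, the tracker
// registry and the stored consent format are assumptions for this illustration.

const CATEGORIES = ["functional", "preference", "analytics", "advertising", "social", "interactive"];

// Only functional trackers run without consent; every other category is denied
// by default, which is what makes this an opt-in rather than an opt-out model.
const ALWAYS_ALLOWED = new Set(["functional"]);

// Hypothetical registry: each tracker is tagged with the category it belongs to.
const TRACKERS = [
  { name: "session-cookie", category: "functional" },
  { name: "csrf-token", category: "functional" },
  { name: "theme-preference", category: "preference" },
  { name: "analytics-tag", category: "analytics" },
  { name: "ad-pixel", category: "advertising" },
  { name: "social-share-widget", category: "social" },
  { name: "assistive-chat", category: "interactive" },
];

// Parse the stored consent string (constructed format: "analytics=1;advertising=0;v=2025-02;ts=...").
// Unknown keys (such as the audit fields v and ts) are ignored, a category that is not
// explicitly set to "1" stays denied, and functional can never be switched off.
function parseConsent(stored) {
  const consent = {};
  for (const c of CATEGORIES) consent[c] = ALWAYS_ALLOWED.has(c);
  if (typeof stored !== "string" || stored.length === 0) return consent;
  for (const pair of stored.split(";")) {
    const [key, value] = pair.trim().split("=");
    if (CATEGORIES.includes(key) && !ALWAYS_ALLOWED.has(key)) {
      consent[key] = value === "1";
    }
  }
  return consent;
}

// Serialize the visitor's choices into the stored format, adding the privacy-policy
// version and a timestamp so a later audit can show what was agreed to, and when.
function serializeConsent(consent, policyVersion, timestamp) {
  const parts = CATEGORIES
    .filter(c => !ALWAYS_ALLOWED.has(c))
    .map(c => `${c}=${consent[c] ? "1" : "0"}`);
  parts.push(`v=${policyVersion}`, `ts=${timestamp}`);
  return parts.join(";");
}

// Decide which trackers may load. The loader callback is where a real page would
// inject the vendor script; here it is injected so the logic runs without a browser.
// Declined interactive trackers are returned separately so the page can tell the
// visitor which features (chat, autofill, ...) will not work.
function applyConsent(stored, trackers = TRACKERS, loader = () => {}) {
  const consent = parseConsent(stored);
  const loaded = [];
  const disabledFeatures = [];
  for (const t of trackers) {
    if (consent[t.category]) {
      loader(t);
      loaded.push(t.name);
    } else if (t.category === "interactive") {
      disabledFeatures.push(t.name);
    }
  }
  return { loaded, disabledFeatures };
}

// Stand-alone demo: first visit with no choice stored, then after the visitor
// opts in to analytics and interactive cookies only. The timestamp is constructed.
const injected = [];
const record = t => injected.push(t.name);
const beforeChoice = applyConsent("", TRACKERS, record);
const stored = serializeConsent(
  { ...parseConsent(""), analytics: true, interactive: true },
  "2025-02",
  1738368000
);
const afterChoice = applyConsent(stored, TRACKERS, record);
console.log({ beforeChoice, stored, afterChoice, injected });
```

In a deployment the banner's toggles would feed `serializeConsent`, the result would be kept in a first-party cookie or local storage, and `loader` would append the vendor script tag; nothing in the advertising, social, analytics or interactive categories is fetched until `parseConsent` reports a "1" for that category, which is the property an opt-in audit checks for.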
Conclusion
Implementing opt-in or opt-out frameworks goes beyond compliance. At the heart of it, it's really about building trust with patients.
As more states take inspiration from California, Colorado, and New Jersey, privacy laws will become more common. By understanding the different types of trackers and frameworks and using consent management platforms, healthcare providers can stay compliant and increase trust.