From Washington to California: How State Privacy Laws Are Catching Up with GA4 & GTM Tracking

Michael Neidert

5 min read

Think HIPAA compliance keeps your healthcare marketing safe? It might. But only in theory. In practice, a growing wave of state privacy laws is raising the bar on what counts as protected health information and how it must be handled.

Laws like the California Privacy Rights Act (CPRA) and Washington’s My Health My Data Act are redefining PHI protection, often going beyond what HIPAA requires. They cover not only clinical data but also things like geolocation, online behavior, and even search terms related to health.

That means your website’s tracking tools, especially default setups of Google Analytics 4 (GA4) and Google Tag Manager (GTM), could already be crossing legal lines without you realizing it, leading to hefty fines.

This blog will break down how state laws differ from HIPAA, why traditional tracking methods are falling short, and what healthcare marketers need to do to stay compliant across all 50 states.

HIPAA Isn’t the Only Rule Anymore

For years, healthcare marketers focused on one benchmark for privacy: the Health Insurance Portability and Accountability Act (HIPAA). It defined how Protected Health Information (PHI) could be collected, stored, and shared. But HIPAA was written in an era before digital ad tracking, cross-device behavior, and smart wearables. Even with updates, it doesn’t fully address how modern marketing technologies interact with health-related data.

Enter state privacy laws. They’re raising the stakes, often protecting a wide range of sensitive data. And unlike HIPAA, which applies mostly to covered entities like hospitals and insurers, state laws frequently apply to any business handling health-adjacent data, including marketing agencies and tech vendors.

Here’s how they stack up:

  • HIPAA
    • Applies only to covered entities and their business associates
    • Focuses mainly on traditional medical data like diagnoses, lab results, and insurance info
    • Requires consent only in specific, regulated situations
    • Doesn’t cover most website tracking or behavioral analytics
  • CPRA
    • Applies to many businesses, not just healthcare providers
    • Protects “sensitive personal information,” including location, browsing history, and biometrics
    • Expands consumer rights to access, delete, and limit data use
    • Requires clear consent and opt-out options for cross-context behavioral ads
  • Washington’s My Health My Data Act
    • Covers any consumer health data, even if it’s not tied to a formal diagnosis
    • Includes things like reproductive health searches, mental health self-assessments, and health-related app usage
    • Applies to companies of all sizes, not just big players
    • Demands affirmative consent for collection and sharing of health data

As these laws expand, PHI protection is no longer just about clinical records. It’s about any digital breadcrumb that can suggest something about a person’s health. That legal shift becomes very real when we look at how most healthcare websites handle user tracking today.

Where GA4 & GTM Tracking Go Wrong

Let’s say someone visits a mental health clinic’s website, clicks on a “Book an Appointment” button, and sees a thank-you page. If your tracking setup logs that behavior along with their location and device fingerprint, you may have just created a legally protected data profile under Washington’s My Health My Data Act. 

Even if no diagnosis was made, their intent reveals enough to trigger PHI-like protections.

GA4 and GTM are powerful tools. But by default, they collect more than most healthcare marketers realize: IP addresses, device IDs, referral URLs, geolocation, and user behavior across pages. That data can quickly cross into sensitive territory under state privacy laws, even if it doesn’t qualify as PHI under HIPAA.

This is where many organizations run into trouble:

  • GA4 and GTM can fire tags on sensitive pages without user consent.
  • Behavioral data and health-related URLs can combine to create user profiles that fall under state-level PHI definitions.
  • Cross-context tracking for retargeting ads often violates state requirements for consent and purpose limitation.
  • Data may be shared with third parties, including Google, by default—raising red flags under CPRA and other laws.

The problem isn’t the tools themselves. It’s the way they’re typically configured: without guardrails, without anonymization, and without regard for stricter state definitions of health data.

What passes under HIPAA might still break state privacy laws, especially when you’re tracking user actions that indirectly suggest health conditions, treatments, or concerns. That’s where the risk lives.

How to Future-Proof Your Marketing Analytics

When it comes to PHI protection, hoping your tracking setup is “probably fine” is no longer a safe strategy. As state privacy laws evolve, staying compliant means staying proactive. The good news? You can still gain marketing insights without exposing yourself to legal risk.

Here are a few practical steps to tighten your analytics before regulators tighten the screws:

  • Stop using the default GA4 and GTM setups on health-related pages. That includes appointment forms, treatment content, and condition-specific landing pages.
  • Anonymize user data before it’s collected or shared. Strip IP addresses, device fingerprints, and any parameters that could reveal health-related intent.
  • Avoid retargeting based on health behavior unless you have clear, documented consent that meets the strictest state law you operate in.
  • Segment sensitive and non-sensitive pages in your analytics strategy. Not everything needs to be tracked the same way.
  • Review Business Associate Agreements (BAAs) with third-party vendors. Just because a tool is popular doesn’t mean it’s legally covered for health data.
  • Stay updated on emerging laws in states like Nevada, Connecticut, and Oregon, which are actively shaping new privacy standards.
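To make the "stop default tracking on health pages", "scrub intent-revealing parameters" and "segment sensitive pages" steps concrete, here is an added example in JavaScript. It is not HIPALYTICS code and is not part of the original post. It assumes a site where `/appointments`, `/conditions/`, `/treatments/` and `/thank-you` are the health-related pages, that the site's consent banner records affirmative analytics consent in a `{ analytics: true|false }` object, and that query parameters such as `condition` or `search` carry health intent; all three lists are placeholders to adapt to your own site.

```javascript
// Added example (not from the HIPALYTICS post): a consent-gated, scrubbed
// page_view builder that sits in front of the GTM data layer on a healthcare
// site. Path patterns, parameter names and the consent shape are assumptions.

// Assumed: paths on this site that reveal health-related intent.
const SENSITIVE_PATHS = [
  /^\/appointments?(\/|$)/,
  /^\/conditions\//,
  /^\/treatments\//,
  /^\/thank-you(\/|$)/,
];

// Assumed: query parameters that carry intent or identity and must never
// leave the site. Campaign tags such as utm_* are kept for attribution.
const DROP_PARAMS = new Set(['q', 'search', 'condition', 'symptom', 'email', 'phone', 'name']);

function isSensitivePath(pathname) {
  return SENSITIVE_PATHS.some((re) => re.test(pathname));
}

// Remove intent-revealing query parameters, keeping the rest intact.
function scrubQuery(search) {
  const params = new URLSearchParams(search);
  for (const key of [...params.keys()]) {
    if (DROP_PARAMS.has(key.toLowerCase())) params.delete(key);
  }
  const out = params.toString();
  return out ? `?${out}` : '';
}

// Reduce a referrer to its origin so search terms and deep paths on the
// referring site (e.g. a search engine query) are not forwarded to GA4.
function scrubReferrer(referrer) {
  if (!referrer) return '';
  try {
    return new URL(referrer).origin;
  } catch {
    return '';
  }
}

// Decide whether a page_view may be sent and what it may contain.
// consent: { analytics: boolean } as recorded by the site's banner (assumed shape).
// Returns null when nothing should be sent at all.
function buildPageView(url, referrer, consent) {
  const u = new URL(url);
  const sensitive = isSensitivePath(u.pathname);
  // Health-related pages are tracked only with affirmative consent
  // (the My Health My Data Act standard described above). Other pages are
  // still scrubbed, because query strings and referrers reveal intent too.
  if (sensitive && !consent.analytics) return null;
  return {
    page_location: `${u.origin}${u.pathname}${scrubQuery(u.search)}`,
    page_referrer: scrubReferrer(referrer),
    // Coarse label so reports can segment sensitive vs. general traffic
    // without relying on the full path.
    page_class: sensitive ? 'sensitive' : 'general',
  };
}

// Browser wiring (a no-op under Node): push to the GTM data layer only when
// the gate allows it. window.__consent is an assumed hook for the banner's state.
if (typeof window !== 'undefined' && Array.isArray(window.dataLayer)) {
  const pv = buildPageView(
    window.location.href,
    document.referrer,
    window.__consent || { analytics: false },
  );
  if (pv) window.dataLayer.push({ event: 'scrubbed_page_view', ...pv });
}
```

In GTM, the GA4 page_view tag would then fire on the `scrubbed_page_view` event and read `page_location` and `page_referrer` from the data layer instead of from the browser, so the raw URL and referrer never reach the tag. The three lists are the part that needs a review with counsel: which paths count as health data under the strictest state you operate in is a legal judgment, not a technical one.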

The best way to think about this? Don’t wait for the rules to catch up with your setup. Get your setup ahead of the rules. That way, you’ll stay clear of fines, legal exposure, and the costly process of retroactive cleanup.

Don’t Let State Laws Catch You Off Guard

Relying on HIPAA alone is like locking the front door and leaving the windows wide open. As state privacy laws multiply and diverge, healthcare organizations need more than a one-size-fits-all compliance plan.

As state privacy laws expand their reach, the definition of PHI protection is shifting very fast. Default GA4 and GTM setups simply aren’t built for this new privacy landscape. They collect too much, share too widely, and offer too little control over what data leaves your site. For multi-state healthcare organizations, that’s a growing liability.

HIPALYTICS was built for exactly this moment.

We turn GA4 and GTM into HIPAA- and state-compliant tools by scrubbing sensitive data, anonymizing key identifiers, and storing everything on secure, US-based servers. We also sign a Business Associate Agreement, so your organization is protected on every front.

If you’re serious about marketing performance and privacy compliance across all 50 states, HIPALYTICS is the safe, scalable path forward.
