Breaking down data rules from around the globe

Privacy laws

My Health My Data Act

MHMDA and Website Tracking: What Health-Related Businesses Should Know About Cookies, Pixels, and Consent

Under Washington’s My Health My Data Act, cookies, pixels, analytics tags, ad tools, forms, and other scripts may need closer review if they collect, share, or help infer consumer health data.

This article focuses on the website tracking layer of MHMDA risk. It is for general information only and is not legal advice.

What Is the MHMDA?

The My Health My Data Act, or MHMDA, is a Washington State privacy law for consumer health data. It passed the Washington State Legislature on April 17, 2023, and was signed into law on April 27, 2023. Some parts started applying in 2023, while many key obligations took effect in 2024.

The law is important because it can cover health-related data that does not fall under traditional HIPAA rules. In other words, a business does not have to be a hospital, doctor’s office, or health insurer to be affected.

MHMDA may apply to businesses that provide products or services to Washington consumers and collect, process, share, or sell consumer health data. That can include more than obvious medical information.

Consumer health data generally means Personal Information linked, or reasonably linkable, to a person that identifies their past, present, or future physical or mental health status.

Some of that data is given directly, for example through a form or booking request. Some of it may be inferred from what a person does on a website. A visit to a mental health page, a fertility article, a symptom checker, or a supplement product page may say something about a person’s health interests, even if they never type in a diagnosis.

That is where many non-medical businesses can get caught off guard. A wellness brand, fitness app, supplement store, symptom tool, or health content site may still need to check what data it collects, which tools receive it, and how that data is used.

Why Website Tracking Can Matter Under MHMDA

A health-related website does not need a long medical form to create privacy risk. Sometimes the signal is much smaller.

A person may read an article about anxiety, open a fertility service page, compare sleep supplements, check symptoms, or look at a booking page for a specific treatment. None of that means the business knows their medical history. But it may still point to a health interest, concern, or possible condition.

That is where tracking tools need attention. If those pages load third-party pixels, analytics tags, ad tags, or Third-Party Cookies, data about the visit can be passed to outside tools. That data might include the page URL, device identifiers, referral source, campaign details, clicks, events, or other tracking signals.

Booking flows and symptom tools need a careful look too. A button click like “Check symptoms” or “Book consultation” may be more sensitive on a health website than on a normal ecommerce page. A chat widget can also collect health-related questions before the visitor becomes a customer.

Location can add more context. An IP address, clinic finder, store locator, or device signal may suggest interest in a local clinic, treatment, service, or health-related location.

The risk is not the same for every website or every tracker. It depends on the page, the data collected, the vendor, the purpose, and how the information is used. Still, under MHMDA, health-related businesses should look beyond forms and ask a simple question: could our tracking reveal or help infer something about a person’s health?

Consent Under MHMDA Is Not Just a Cookie Notice

Under MHMDA, consent should not be treated like a small banner that says, “By using this site, you agree.” Passive notice is not the same as a clear opt-in choice.

Where consent is required, it should be specific, informed, voluntary, and unambiguous. The visitor should understand what type of consumer health data is being collected, why it is being collected, who it may be shared with, and how they can withdraw consent later.

This is where vague cookie messages become risky. A broad “we use cookies to improve your experience” notice does not explain much. Bundled consent is also a problem if the visitor cannot separate necessary site functions from analytics, advertising, retargeting, or other optional tracking.

Design matters too. Hiding the reject option, making one choice much easier than another, or using confusing wording can weaken the consent experience.

Consent still depends on the situation. Some collection or sharing may be necessary to provide a product or service the consumer requested. For example, a booking tool needed to schedule an appointment is different from an ad pixel used for retargeting.

What Health-Related Websites Should Audit First

Start with the parts of the website where health meaning is clearest. The first review should usually include:

  • Health-related landing pages — treatment pages, condition pages, appointment pages, symptom tools, quiz funnels, supplement product pages, and ad landing pages.
  • Third-Party Cookies and trackers — ad pixels, analytics tools, heatmaps, chat widgets, embedded forms, booking tools, video embeds, social media tags, and other tools loaded on health-related pages.
  • Tags firing before consent — check whether ad pixels, analytics events, third-party cookies, or other non-essential trackers run before the visitor makes a choice.
  • Forms and booking widgets — review what fields are collected, where the data is sent, and whether the provider can use the data for its own purposes.
  • Chat tools — check whether visitors can type health-related questions and whether those messages are stored, analyzed, or shared with a third-party provider.
  • Vendor data sharing — identify which companies receive tracking data from health-related pages, including page URLs, identifiers, events, referral data, booking details, or ad-related signals.
  • Sale or sharing of consumer health data — check whether any consumer health data is sold or shared in a way that may need consent, a separate authorization, or stricter review under MHMDA.
  • Health-related inferences — ask whether page visits, clicks, URLs, events, or tool usage could reveal or help infer a visitor’s health interest.
  • Washington consumer handling — review how Washington consumers are treated, and whether consent choices are clear before non-essential tracking starts.

 

How CookieScript Can Help With the Website Tracking Layer

CookieScript can help with the website tracking part of MHMDA work: finding trackers, controlling when they load, giving visitors clearer choices, and keeping records of those choices.

Useful CookieScript features for this review include:

  • Cookie Scanner — helps identify cookies, pixels, analytics tools, ad tags, third-party scripts, and other trackers active on health-related pages. It helps with visibility, but it does not decide whether a tracker creates consumer health data risk.
  • Automatic monthly cookie scans — helps catch changes when a plugin is added, a marketing tag is updated, a booking widget changes, or a new third-party tool appears.
  • Automatic script blocking — helps stop non-essential scripts from firing before the visitor gives consent.
  • Third-party cookie blocking — helps limit third-party tracking before a valid choice is made, when configured correctly.
  • Cookie Banner with Granular choice — helps separate strictly necessary cookies from performance, functionality, targeting/marketing, and other cookie categories instead of relying only on one broad “Accept cookies” message..
  • geo targeting — can help show Washington-specific or US-state-specific consent experiences. It is useful for banner setup, but it does not solve MHMDA scope or compliance by itself.
  • User consents recording — helps keep a record of what the visitor selected, when they selected it, and under which banner setup.
  • Advanced reporting — helps review consent behavior, including accept, reject, and ignore patterns.
  • Cookie Policy and Privacy Policy Generator — can support cookie and tracker disclosures. MHMDA’s Consumer Health Data Privacy Policy may need to be separate, distinct, and legally reviewed.
  • Google Consent Mode v2 — useful where Google tags are involved. It can help adjust Google tag behavior based on consent choices, but it should not be treated as an MHMDA compliance solution on its own.

The limit is important. CookieScript can be very useful for scanning, blocking, consent control, consent records, and tracker disclosures. But it does not decide whether a tracker collects consumer health data, and it does not replace legal review.

MHMDA compliance also depends on data use, vendor contracts, consumer rights handling, deletion workflows, sale authorization, security practices, and geofencing review.

CookieScript CMP is trusted by business owners worldwide. In 2025, it received its fourth consecutive Leader badge on G2, a peer review site, and remained recognized as one of the best CMP solutions on the market throughout the year.

 

 

 

What a CMP Does Not Solve Under MHMDA

A CMP is only one part of MHMDA work. It helps with the website tracking layer: cookies, pixels, consent choices, script blocking, third-party cookies, and tracker disclosures. MHMDA goes further than that.

A business may also need a Consumer Health Data Privacy Policy that explains what consumer health data is collected, why it is collected, where it comes from, who it is shared with, and how consumers can use their rights. This should be treated as a separate MHMDA requirement, not just another Cookie Policy page.

There are also internal processes to check. These may include consumer rights requests, deletion workflows, vendor and processor contracts, data security practices, and decisions about whether data is being shared or sold.

Sale needs special care. If consumer health data is sold, MHMDA requires a separate valid authorization. A standard Cookie Banner should not be treated as a shortcut for that.

Geofencing also sits outside normal CMP work, especially around health care facilities.

So the practical view is simple: use a CMP for tracking visibility and consent control, but review the wider MHMDA obligations separately.

Practical Checklist for MHMDA Website Tracking Review

Use this as a quick final check:

  1. Scan health-related pages, forms, booking flows, symptom tools, chat widgets, analytics events, and pixels.
  2. Remove old campaign tags, unused ad pixels, and unnecessary third-party tools.
  3. Check whether non-essential scripts or third-party cookies fire before consent.
  4. Use clear opt-in choices where consent is required.
  5. Avoid bundled consent for necessary tools, analytics, advertising, and retargeting.
  6. Review vendors that receive URLs, identifiers, events, form data, booking data, or location signals.
  7. Check whether any consumer health data is sold or shared in a way that needs stricter review.
  8. Keep records of consent choices and banner versions.
  9. Review how Washington consumers are handled.
  10. Update cookie and tracker disclosures when tools, tags, or vendors change.

Conclusion

MHMDA website tracking risk is not only about medical records or information typed into a form. It is also about what a health-related website collects quietly in the background, which trackers run, what vendors receive, and what a page visit, click, URL, booking step, or analytics event may reveal about a person’s health interests.

That does not mean every tracker is automatically a violation. It means the tracking setup needs a closer look, especially where consumer health data may be involved and clear consent is required.

CookieScript can help businesses scan, block, disclose, and record consent for website trackers. But MHMDA compliance still needs a broader legal, vendor, and operational review.

Frequently Asked Questions

Does MHMDA apply only to healthcare providers?

No. MHMDA is not limited to hospitals, clinics, doctors, or health insurers. It can also apply to businesses outside HIPAA if they provide products or services to Washington consumers and collect, process, share, or sell consumer health data. That is why wellness brands, fitness apps, supplement stores, symptom tools, booking platforms, and health content websites should pay attention.

Can cookies or pixels collect consumer health data?

They can contribute to that risk, depending on the context. A cookie or pixel may collect page URLs, identifiers, events, ad signals, or referral data. On a normal product page, that may not say much. On a page about fertility, mental health, symptoms, addiction support, or treatment options, the same tracking data may reveal or help infer a health interest.

Is a cookie banner enough for MHMDA compliance?

No. A cookie banner can help with consent choices and tracker control, but MHMDA has broader requirements. A business may also need a Consumer Health Data Privacy Policy, consumer rights workflows, deletion processes, vendor review, security controls, and separate authorization if consumer health data is sold.

When might health-related websites need opt-in consent for tracking?

Opt-in consent may be needed when website tracking collects or shares consumer health data and the activity is not necessary to provide the product or service the consumer requested. For example, a booking tool needed to schedule an appointment is different from an ad pixel used for retargeting.

Can website analytics create MHMDA risk?

Yes, in some cases. Analytics tools may collect page URLs, click events, device identifiers, location signals, or campaign data. The risk depends on what the page is about, what the analytics tool receives, how the data is used, and whether it can reveal or help infer health interests.

Can Consent Management Platforms help with MHMDA website tracking risk?

Yes, but only for part of the work. A CMP can help scan for trackers, block non-essential scripts, show clearer consent choices, and record visitor selections. CookieScript can support this website tracking layer, but it does not decide whether a tracker creates consumer health data risk. That still needs legal, vendor, and data-flow review.

New to CookieScript?

CookieScript helps to make the website ePrivacy and GDPR compliant.

We have all the necessary tools to comply with the latest privacy policy regulations: third-party script management, consent recording, monthly website scans, automatic cookie categorization, cookie declaration automatic update, translations to 34 languages, and much more.