Headspace maintains a separate privacy policy specifically for health data collected outside of HIPAA-covered clinical services, reflecting that some mental health and wellness data may be regulated under newer state consumer health data laws.
This analysis describes what Headspace's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
The existence of a separate Consumer Health Data Privacy Policy signals that Headspace collects health-related data in contexts not fully protected by HIPAA, such as mood tracking or meditation usage, and that additional state-level rights may apply to this data depending on your location.
Interpretive note: The specific scope of data covered by the Consumer Health Data Privacy Policy and the full list of applicable state laws is not detailed in the main policy text; the Consumer Health Data Privacy Policy must be reviewed separately to assess complete protections and obligations.
Mental wellness data collected through non-clinical Headspace features may be subject to state consumer health data laws rather than HIPAA, meaning the applicable protections, rights, and sharing restrictions depend on which feature generated the data and which state you reside in; users in Washington State, for example, may have specific consent rights under the My Health MY Data Act for this category of data.
How other platforms handle this
If you are a California resident, you may have certain rights under the California Consumer Privacy Act (CCPA). These rights may include: the right to know about personal information collected, disclosed, or sold; the right to delete personal information collected from you; the right to opt-out of t...
Depending on where you live, you may have certain rights with respect to your personal information. These rights may include: The right to know what personal information we have collected about you, including the categories of personal information, the categories of sources from which we collected i...
Depending on where you live, you may have certain rights regarding your personal information. These rights may include the right to know what personal information we have collected about you, the right to delete your personal information, the right to correct inaccurate personal information, the rig...
Monitoring
Headspace has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 10 platforms.
"Our Services are delivered by our Care Providers... Depending on how you interact with us, the following may also apply to you... Please refer to our Consumer Health Data Privacy Policy for more information about how we handle consumer health data regulated under applicable state consumer health data laws.— Excerpt from Headspace's Headspace Privacy Policy
REGULATORY LANDSCAPE: This provision engages Washington State's My Health MY Data Act, Connecticut's An Act Concerning Personal Data Privacy and Online Monitoring, Nevada's consumer health data law, and potentially other state frameworks that extend privacy protections to consumer health data beyond HIPAA's scope. The FTC may also have jurisdiction over unfair or deceptive practices related to health data handling. Enforcement authorities vary by state. GOVERNANCE EXPOSURE: High. The bifurcation of health data governance between HIPAA-covered clinical data and state-law-governed consumer health data creates significant data mapping and consent architecture complexity. If mental wellness data (mood, sleep, meditation behavior) is shared with advertising or analytics partners, that sharing may require affirmative consent under applicable state consumer health data laws, and failure to obtain such consent could constitute a violation. JURISDICTION FLAGS: Washington State creates the highest exposure given the My Health MY Data Act's broad definition of consumer health data and its private right of action. Nevada, Connecticut, and other states with consumer health data laws also create elevated compliance obligations. EU users whose wellness data qualifies as health data under GDPR Article 9 are subject to the explicit consent requirement for processing special category data. CONTRACT AND VENDOR IMPLICATIONS: Advertising and analytics vendors receiving consumer health data may need to execute data processing agreements that comply with applicable state consumer health data laws, including restrictions on secondary use. Procurement teams should assess whether current vendor agreements are adequate for this data category. COMPLIANCE CONSIDERATIONS: Legal teams should review the Consumer Health Data Privacy Policy for consistency with the main policy and evaluate whether consent mechanisms for non-clinical health data meet the affirmative authorization standards required by applicable state laws. A data inventory distinguishing HIPAA PHI from consumer health data from general behavioral data is a priority review item.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Watcher: 10 platforms + same-day alerts. No credit card required.
Professional Governance Intelligence
Need to monitor specific governance provisions?
Professional includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
The existence of a separate Consumer Health Data Privacy Policy signals that Headspace collects health-related data in contexts not fully protected by HIPAA, such as mood tracking or meditation usage, and that additional state-level rights may apply to this data depending on your location.
Mental wellness data collected through non-clinical Headspace features may be subject to state consumer health data laws rather than HIPAA, meaning the applicable protections, rights, and sharing restrictions depend on which feature generated the data and which state you reside in; users in Washington State, for example, may have specific consent rights under the My Health MY Data Act for …
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Headspace.