Headspace maintains a separate privacy policy specifically for health data collected outside of HIPAA-covered clinical services, reflecting that some mental health and wellness data may be regulated under newer state consumer health data laws.
This analysis describes what Headspace's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
The existence of a separate Consumer Health Data Privacy Policy signals that Headspace collects health-related data in contexts not fully protected by HIPAA, such as mood tracking or meditation usage, and that additional state-level rights may apply to this data depending on your location.
Interpretive note: The specific scope of data covered by the Consumer Health Data Privacy Policy and the full list of applicable state laws is not detailed in the main policy text; the Consumer Health Data Privacy Policy must be reviewed separately to assess complete protections and obligations.
Headspace now explicitly references a separate Consumer Health Data Privacy Policy for state-regulated consumer health data, creating a dual-track governance framework distinct from HIPAA coverage.
View full change record →Mental wellness data collected through non-clinical Headspace features may be subject to state consumer health data laws rather than HIPAA, meaning the applicable protections, rights, and sharing restrictions depend on which feature generated the data and which state you reside in; users in Washington State, for example, may have specific consent rights under the My Health MY Data Act for this category of data.
How other platforms handle this
If we collect health information from these integrations (such as heart rate), we will not sell or use it for advertising or other similar purposes; we do not disclose it to third parties without your prior consent; and we will only use it for the specific purposes described in this Policy.
With your permission, we may also receive data from your mobile device's health app (like Apple HealthKit or Google Health Connect), including hours of sleep and sleep goals. However, we do not infer any health-related characteristics from this information and only process it consistent with the pur...
At Ledger, earning and maintaining our users' trust is a top priority. That's why we are deeply committed not only to protecting your privacy and securing your personal data, but also to being fully transparent about how we handle it.
Monitoring
Headspace has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 25 platforms.
"Our Services are delivered by our Care Providers... Depending on how you interact with us, the following may also apply to you... Please refer to our Consumer Health Data Privacy Policy for more information about how we handle consumer health data regulated under applicable state consumer health data laws.— Excerpt from Headspace's Headspace Privacy Policy
REGULATORY LANDSCAPE: This provision engages Washington State's My Health MY Data Act, Connecticut's An Act Concerning Personal Data Privacy and Online Monitoring, Nevada's consumer health data law, and potentially other state frameworks that extend privacy protections to consumer health data beyond HIPAA's scope. The FTC may also have jurisdiction over unfair or deceptive practices related to health data handling. Enforcement authorities vary by state. GOVERNANCE EXPOSURE: High. The bifurcation of health data governance between HIPAA-covered clinical data and state-law-governed consumer health data creates significant data mapping and consent architecture complexity. If mental wellness data (mood, sleep, meditation behavior) is shared with advertising or analytics partners, that sharing may require affirmative consent under applicable state consumer health data laws, and failure to obtain such consent could constitute a violation. JURISDICTION FLAGS: Washington State creates the highest exposure given the My Health MY Data Act's broad definition of consumer health data and its private right of action. Nevada, Connecticut, and other states with consumer health data laws also create elevated compliance obligations. EU users whose wellness data qualifies as health data under GDPR Article 9 are subject to the explicit consent requirement for processing special category data. CONTRACT AND VENDOR IMPLICATIONS: Advertising and analytics vendors receiving consumer health data may need to execute data processing agreements that comply with applicable state consumer health data laws, including restrictions on secondary use. Procurement teams should assess whether current vendor agreements are adequate for this data category. COMPLIANCE CONSIDERATIONS: Legal teams should review the Consumer Health Data Privacy Policy for consistency with the main policy and evaluate whether consent mechanisms for non-clinical health data meet the affirmative authorization standards required by applicable state laws. A data inventory distinguishing HIPAA PHI from consumer health data from general behavioral data is a priority review item.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Monitor: 25 platforms + same-day alerts. No credit card required.
Ad personalization controls removed. Contact scanning added. Advertiser data partnerships quietly dropped. A timeline of every change.
Compliance Governance Intelligence
Need to monitor specific governance provisions?
Compliance includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
The existence of a separate Consumer Health Data Privacy Policy signals that Headspace collects health-related data in contexts not fully protected by HIPAA, such as mood tracking or meditation usage, and that additional state-level rights may apply to this data depending on your location.
Mental wellness data collected through non-clinical Headspace features may be subject to state consumer health data laws rather than HIPAA, meaning the applicable protections, rights, and sharing restrictions depend on which feature generated the data and which state you reside in; users in Washington State, for example, may have specific consent rights under the My Health MY Data Act for …
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Headspace.