Article

Who Knows? Informed Consent and the Limits of Modern Health Data Privacy Law

---

Abstract

The concept of informed consent is central to health data privacy law, yet its continued viability depends on assumptions about public knowledge that no longer reflect contemporary data practices. As medical and health-adjacent data is increasingly collected, shared, and repurposed across clinical, wellness, and consumer platforms, individuals often lack awareness of how their information is used. Despite this, consent remains the primary mechanism by which such practices are moderated. In both ethical theory and legislation, informed consent presumes that a reasonable patient possesses sufficient understanding of the nature, scope, and consequences of an activity. However, the general legal architecture governing health data places governance across overlapping and incomplete frameworks, undermining the assumptions inherent to informed consent. Significant categories of health and wellness data fall outside traditional healthcare regulation and are instead subject to narrower genetic privacy protections, consumer-protection enforcement, or various state privacy laws, none of which restore transparency or patient control in a way that is meaningful. The resulting legal system preserves formal consent while making it increasingly difficult for a patient to consent in a fully informed manner to any medical activity. In this context, informed consent operates less as a mechanism to allow patients to maintain autonomy than as a formal requirement that nurtures increasingly opaque data practices, revealing the limits of modern health data privacy law.

Keywords: informed consent, modern health, privacy law, data