GDPR Compliance for Healthcare Websites
Health data is the most sensitive category under GDPR. Here's what medical and wellness sites must do.
Healthcare websites face the strictest GDPR requirements of any industry. Health information is classified as 'special category data' under Article 9, subject to even more stringent protection. Any website that processes health-related data — or even tracks visits to health-related pages — must apply enhanced safeguards.
Common Cookies & Tools Used in Healthcare
Common Cookies
_ga (Google Analytics)_fbp (Facebook Pixel)_gcl_au (Google Ads)hubspotutk (HubSpot)__cf_bm (Cloudflare)
Common Tools
- Google Analytics (with careful configuration)
- Patient portal authentication
- Appointment booking systems
- Cloudflare (security)
Key GDPR Challenges for Healthcare Websites
Health data inferred from page visits
If your analytics tool records that a user visited a page about 'depression treatment' or 'HIV symptoms', that URL can infer health information — making it special category data. Standard analytics consent may not be sufficient.
Advertising to patients
Using Facebook Pixel or Google Ads retargeting on a healthcare site creates serious risks. If a user sees an ad for a condition-specific treatment, it implies they have that condition — a health data breach.
Telehealth and patient portals
Any system that processes patient data must have appropriate technical and organisational measures. Logging into a patient portal establishes a clearly identified user — GDPR obligations around data subject rights apply fully.
Third-party booking systems
Appointment scheduling tools (Calendly, Doctolib, etc.) often set their own cookies. Each one needs to be disclosed and, where non-essential, gated behind consent.
Compliance Checklist for Healthcare Websites
- Privacy impact assessment (DPIA) conducted for any health data processing
- Advertising pixels (Meta, Google Ads) not used on symptom or condition-specific pages
- Analytics URL tracking configured to redact or hash sensitive path segments
- Patient portal data encrypted in transit and at rest
- Data Processing Agreements signed with all third parties handling health data
- Legitimate interest basis NOT used for health data — explicit consent required
- Data retention policies defined and enforced for patient records
- Staff trained on GDPR requirements specific to health data
Frequently Asked Questions
Can I use Google Analytics on a healthcare website?
With significant care. Configure Consent Mode v2, disable Google Signals, set retention to the minimum, and consider whether the URLs you're tracking could reveal health information. For patient portals, analytics should not be used at all without specific DPA agreements.
What is 'special category data' and does it apply to us?
Special category data includes health data, genetic data, biometric data, and data revealing religious or political beliefs. If your website processes any of this — directly or through inferred information — you face heightened GDPR obligations and need explicit consent (not legitimate interest).
Check your healthcare website for free
Scan your website to get a full GDPR compliance report — every cookie, whether consent is working, and a step-by-step fix list.
Scan your website free →