How Privacy Laws Shape Online Therapy: CCPA, HIPAA & GDPR

Three layers of privacy laws affecting an online therapy practice

Table of Contents

Three layers of privacy law can touch a US online therapy practice: HIPAA for client health information, state consumer privacy laws like the CCPA for what your website collects about visitors, and GDPR only in the unusual case that you serve clients located in the EU or UK. Most therapists worry hardest about the first layer and not at all about the second. That order is backwards, and this guide explains why.

(Practicing in the UK? Different rulebook entirely: our UK GDPR guide for therapy websites covers it start to finish.)

The Three Layers of Privacy Law That Touch Your Practice

Privacy laws shape online therapy at three levels. HIPAA governs protected health information once someone becomes a client. State consumer privacy laws (CCPA, CPRA and statutes in more than a dozen other states) govern what your website collects from visitors. GDPR applies only when a practice serves people located in the EU or UK.

Why does the middle layer matter most? Because your website talks to strangers. Client records sit inside systems you already treat carefully. Visitor data flows through analytics tools and ad pixels by default: who read your anxiety page, who started the contact form at 1am and closed the tab. And browsing data about mental health is precisely what US regulators have moved on since 2023.

So the useful question isn’t “am I compliant?” It’s narrower: what does my site collect, and who else sees it?

Where HIPAA Ends and Your Website Begins

A marketing website that collects no health information generally isn’t governed by HIPAA at all. Your homepage, your fees page, your blog: none of that is protected health information. The sensitive seam is intake: contact forms, booking widgets, client portals, anywhere a visitor starts becoming a client.

That seam is why we build with HIPAA-aware design practices rather than promising a “HIPAA-compliant website” (a phrase that should make you skeptical of any designer using it). Forms backed by BAA-compliant providers, guided integrations for booking and EHR tools, and nothing sensitive stored on the web server itself. Every custom site in 7 days we deliver treats intake that way by default.

We’ve written up the full picture (what HIPAA actually requires, what it doesn’t, and where the money gets wasted) in HIPAA Compliant Websites for Therapists: The Real Rules. This post stays on the laws that get far less attention.

CCPA and CPRA: Does California’s Law Even Apply to You?

Probably not directly, and that surprises people. The CCPA (as amended by the CPRA) binds for-profit businesses operating in California that meet at least one threshold: over $25 million in annual gross revenue, personal information of 100,000+ consumers or households, or half their revenue from selling or sharing personal data. A solo practice clears none of those.

There’s a second wrinkle the summaries skip: medical information already governed by HIPAA or California’s CMIA is exempt from the CCPA. So your client records live under one regime. But your website’s visitor data isn’t medical information, which means the exemption never wrapped your whole practice the way many therapists assume.

Our advice is to act as if the CCPA applies anyway, for three reasons. Your clients increasingly expect its rights whether or not the statute binds you. Your vendors (form tools, schedulers, email platforms) operate at CCPA scale and behave accordingly. And when you collect little to begin with, honoring these rights costs almost nothing:

  • Right to know what personal information you collect and why
  • Right to delete it on request
  • Right to opt out of it being sold or shared
  • Right to correct inaccurate information, and to limit use of sensitive data (both added by the CPRA)

The California Attorney General keeps a plain-English summary at oag.ca.gov/privacy/ccpa.

Beyond California: Washington, a Dozen States and the FTC

California started it, but by 2026 more than a dozen states (Virginia, Colorado, Connecticut, Texas and Oregon among them) have consumer privacy laws, most sharing the CCPA’s basic shape. If your telehealth practice spans states, the pattern matters more than any single statute.

One law is worth knowing by name: Washington’s My Health My Data Act. It targets “consumer health data” specifically, applies to businesses of nearly any size, and treats even the inference that someone sought mental health services (say, from their visits to your specialty pages) as protected. It’s the clearest signal yet of where state law is heading.

Regulators haven’t waited for new statutes either. In 2023 the FTC ordered BetterHelp to pay $7.8 million over sharing users’ health information with advertising platforms. No panic required; a solo practice is not BetterHelp. But the lesson is plain: mental-health visitor data plus advertising tools is the combination enforcement watches.

When GDPR Applies to a US Practice (and When It Doesn’t)

GDPR follows a person’s location, not their citizenship or yours. It reaches a US practice that offers services to people in the EU or UK — a therapist marketing sessions to Americans abroad, pricing in euros, or carrying ongoing clients based in London. A one-off inquiry from Berlin, or an existing client spending two weeks in France, doesn’t drag your practice under European law.

If serving EU or UK clients is genuinely part of your plan, two notes. First, privacy is the second hurdle; telehealth licensure across borders comes before it, so start with your board. Second, don’t piece the requirements together from summaries — the UK guide linked at the top of this article walks through the full framework (consent, privacy policies, data rights) as it applies to therapy websites.

For everyone else: GDPR is the layer you can mostly set aside. Spend the attention on your own state’s law instead. US states with consumer privacy laws relevant to therapists

What This Means for How Your Site Gets Built

Here’s the honest trade-off in taking visitor privacy seriously: you give up some marketing convenience. Retargeting pixels, analytics on default settings, chatty third-party widgets — the tools that make marketing easy are the same ones that share visitor data. Our stance after 500+ therapist and coach sites: skip ad pixels on therapy websites entirely. A handful of retargeted referrals isn’t worth explaining to a client why a social network knew they were reading your trauma page.

What a well-built site does instead is quieter. Minimal contact forms that travel encrypted. Analytics configured to collect less, or swapped for privacy-focused tools like Plausible or Fathom. A privacy policy that describes what actually happens, in plain language. Guided, compliant integrations for scheduling and client communication rather than whatever widget embeds fastest.

Transparency also reads as care. The same instinct that makes a strong therapist About page work — showing people who you are before they ask — is what a clear privacy policy does for the cautious visitor comparing three therapists at midnight.

FAQ: Privacy Laws and Your Online Practice

Is my therapy website covered by HIPAA?
Mostly no. HIPAA governs protected health information, and a marketing site that collects none isn’t itself regulated by it. The rules attach where visitors submit health-related details (forms, booking, portals), which is why those pieces need BAA-backed tools even when the rest of the site doesn’t.
Does the CCPA apply to a solo therapy practice?
Almost never directly; the thresholds ($25M+ revenue, 100,000+ consumers’ data, or half of revenue from selling data) are built for larger businesses. Honoring its rights anyway costs little and matches what clients now expect from anyone holding their information.
Can I use Google Analytics on my therapy website?
You can, carefully: turn off ad personalization and data sharing, avoid passing anything identifying, and disclose it in your privacy policy. Many practices are happier switching to privacy-focused analytics such as Plausible or Fathom — fewer settings to get wrong.
What happens if a client moves to the EU?
One client relocating doesn’t convert your practice into a European business overnight. Knowingly continuing long-term work with someone based in the EU edges toward offering services there and raises licensure questions that come before privacy law. Check with your board first.

Privacy laws shape online therapy less through any single statute than through their sum: collect little, track less, disclose honestly. Practices that build those three habits find every layer easier to satisfy: HIPAA’s edge, the state patchwork, even GDPR. This is business guidance, not legal advice; confirm the specifics with your licensing board, professional association or an attorney.

And if you’d rather hand off the website layer, get a custom quote through the Website Inquiry Form. We’ll start by auditing what your current site actually collects. Most owners are surprised.

Share this post:

For Therapist Counselor Life Coaches

Get Your Free Therapy Website & SEO Strategy

Small practice or established clinic, We’ll show you exactly how to grow online.

Recent Articles: