Article by: Lonnie Rosenwald and Carla Pareja Paris

Artificial intelligence has become central to the longevity industry. Companies increasingly rely on machine-learning models to analyze biomarkers, genomic data, wearable device outputs, and other health-related inputs to predict disease risk, biological age, or therapeutic response. Many tools, such as the new ChatGPT Health product, invite consumers to upload their electronic health records (HER’s) for purposes of providing analysis and recommendations. OpenAI, the creator of ChatGPT, says it launched the product because 230 million people seek health information through its generative AI portal every week. It and similar services state that they are not a tool for diagnosis or treatment and are not cleared as a medical device; they claim to support patients seeking care and to help them understand information, not to replace clinicians or make clinical decisions. While these tools offer commercial and clinical promise, they raise significant data-privacy and regulatory concerns under existing U.S. and international law.

Health Data Classification and Regulatory Scope

A threshold legal issue is whether longevity data qualifies as “health information” subject to sector-specific regulation. In the United States, the Health Insurance Portability and Accountability Act (HIPAA) applies only to “covered entities” such as healthcare providers, health plans, and their business associates, and only to “protected health information” (PHI) transmitted or maintained in regulated contexts. Many longevity startups operate outside traditional healthcare delivery models and therefore fall outside HIPAA’s direct scope, even when processing highly sensitive biometric or genetic data. This regulatory gap does not eliminate risk, however, as other privacy regimes may apply.

State Privacy Laws and Consumer Health Data

State privacy laws increasingly regulate health-adjacent data regardless of HIPAA coverage. The California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), treats health and biometric data as “sensitive personal information” and grants consumers enhanced rights to limit its use and disclosure. Covered businesses must provide clear disclosures, honor access and deletion requests, and implement reasonable security safeguards when using AI to process longevity-related data.

Other states have adopted similar frameworks, and several have enacted laws specifically targeting consumer health data collected outside traditional healthcare settings. Washington State’s My Health My Data Act (RCW 19.373) regulates consumer health data held by most businesses and nonprofits, especially digital and non‑HIPAA entities, and requires consent, detailed privacy notices, data rights (access, deletion), and restricts the sale of health data. Other state statutes impose consent, minimization, and purpose-limitation requirements that directly affect AI-driven longevity platforms.

European Union Considerations and AI Processing

For companies operating internationally, the General Data Protection Regulation (GDPR) imposes strict obligations on the processing of health and genetic data. Under the GDPR, such data is considered a “special category” and generally may not be processed without explicit consent or another narrowly defined legal basis. Automated decision-making that produces legal or similarly significant effects may also trigger additional transparency and human-oversight obligations. Longevity companies training AI models on European data must also address cross-border transfer restrictions, data-subject rights, and documentation requirements related to algorithmic processing.

Emerging Legal Risk Areas

Beyond core privacy statutes, longevity companies face growing scrutiny around data accuracy, bias, and explainability. Predictive biomarkers derived from AI models may influence clinical decisions, insurance eligibility, or consumer behavior, raising potential exposure under unfair competition, consumer protection, and product-liability theories if outputs are misleading or inadequately validated. As regulators continue to evaluate AI-specific governance frameworks, longevity companies should assume that existing privacy and consumer-protection laws will be the primary enforcement tools in the near term.

Practical Takeaways

Longevity companies deploying AI should focus on data-mapping, consent management, vendor oversight, and governance frameworks that align with both health-privacy and general consumer-privacy regimes. Early legal review of data sources, model outputs, and disclosures can reduce regulatory risk and support long-term scalability.