What Meta's 2025 Restrictions Mean for Data and Product Leaders
Meta's new healthcare ad restrictions aren't just another privacy update - they're a fundamental shift in how we'll have to think about healthcare growth. Drawing from my years measuring health system campaigns at Revive Health, I break down what this means for data and product leaders, why CDPs mig
Risk is what you don’t see.
In 2021, when Apple dropped iOS 14.5 along with App Tracking Transparency (ATT), the digital advertising world scrambled. Folks adapted. But Meta's latest announcement about healthcare advertising restrictions feels different. More targeted - pun intended.
I spent years at Revive (FKA Revive Health) building and measuring ad campaigns for health systems. The game was always about precision - finding the right patients, measuring conversions, optimizing spend all while preventing patient health information (PHI) exposure. We obsessed over metrics like cost-per-acquisition and return on ad spend (ROAS).
But starting January 2025, that playbook is going through another big shift.
What's Actually Happening
Two weeks ago, Meta quietly dropped some shocking news on healthcare/healthtech advertisers. Through a series of targeted emails, they announced two levels of restrictions:
- Fully restricted: Healthcare provisioning properties (think patient portals, app domains)
- Partially restricted: Healthcare marketing properties (corporate sites, lead forms)
The key impact? If you're in healthcare/healthtech, you likely won’t be able to optimize for conversions anymore - at least not natively in Meta Business Portal. No more tracking form fills. No more measuring patient acquisition costs. No more retargeting based on specific conditions or treatments.
Note: There are a ton of unknowns for everybody and folks are trying to get straight answers so all of this may be irrelevant in a couple of weeks.
As Chris Turitzin noted in last week’s Health Tech Nerds roundtable:
"If you're not able to send low funnel events, that changes everything in the way that you run Meta campaigns... trying to run non-conversion optimized Meta campaigns will understand that they just don't work from a profitability stance."
Why Now?
This isn't just Meta being cautious out of the blue. As Yulie Klerman, former LiveRamp healthcare lead, explained during the roundtable: "We've seen changes in the last 4 years and specifically the last on the state privacy regulation in the states. When they explicitly call out healthcare information... they're getting closer to GDPR."
The writing has been on the wall. GoodRx's FTC settlement. The HHS guidance on tracking technologies. The proliferation of state privacy laws.
Inside the War Room: Notes from Yesterday's HTN Roundtable
Sometimes the best insights come from rooms full of people trying to solve the same problem. Last Tuesday’s Health Tech Nerds roundtable felt like a war room planning session - equal parts strategy meeting and group therapy. With so much still unknown, it was a bit similar to an OpSec briefing with panelists and folks trying to get a sense of the “known knowns” and the “known unknowns”.
Four patterns emerged that tell the story:
1. The Platform Pivot
"Shift to top of funnel video," Brian advised, sharing wins from brand lift studies. "We know it works."
But it's not that simple. Moving up the funnel isn't just a tactical shift - it's reimagining what "conversion" means in a world where we can't track it.
2. The CDP Question
Brett Gailey dropped what might be the most important insight: "We're a CAPI & event obfuscation only shop. Our Meta rep communicated to us as not being directly impacted."
A glimmer of hope? Maybe. But it requires serious technical infrastructure - pay attention to healthcare-specific CDP players such as Freshpaint or the newcomer Ours Privacy, as well as cross-industry players like Segment.
3. The Compliance Paradox
Yulie Klerman, who built LiveRamp's healthcare vertical, reminded us of an uncomfortable truth: Even if you find technical workarounds, you're swimming in increasingly regulated waters.
"It's not just Meta's rules," she warned. "It's state privacy regulations, HIPAA, and public perception."
4. The Size Split
Large healthcare companies will play it safe. But as Chris Turitzin noted: "Small startups... I don't think they have that same risk."
Different companies, different risk tolerances, different approaches. Startups are going to play fast and loose with these rules because they operate under a different reality than larger players. This is a known risk (this has always been true), but pay attention to when these startups grow. Do they keep the same bad habits?
The Health & Wellness Gray Zone
Here's a fun riddle: When is a health company not a health company? According to Meta... it's complicated.
The definition of "health and wellness" feels like one of those Supreme Court obscenity cases - they know it when they see it. But for those of us building products and measuring campaigns, we need something more concrete.
From the roundtable discussion, here's what we know right now:
Meta defines health & wellness as properties "associated with medical conditions, specific health statuses, or provider/patient relationships." Think patient portals, wellness trackers for specific conditions, or anything tracking health outcomes.
But here's where it gets messy:
- A fitness app? Probably fine.
- A depression tracking app? Restricted.
- A vitamin company? Depends on the claims.
- A healthcare scheduling platform? Welcome to the gray zone.
As one Meta rep told a roundtable participant: "Most health supplement brands will not be affected, unless it is a prescription or for a specific disease." But another participant's supplement brand got flagged. Classic.
The secret seems to lie in condition specificity. The more condition-specific your product or marketing, the more likely you'll face restrictions. Likely more to come here but a lot of unanswered questions at the moment.
The CDP Plot Twist
Here's the fascinating thing about constraints/regulation in healthcare tech: they often create new winners.
When Apple killed mobile tracking, Mobile Measurement Partners (MMPs) became essential overnight. When GDPR hit, consent management platforms had their moment.
Now? It might be the CDP's (Customer Data Platform) time to really shine. Being a middleman and a way for advertisers to offload liability could be a gold rush for the best-positioned players.
But not just any CDP. Healthcare needs something different than most other industries. As I learned at Revive tracking multi-touch attribution across health systems - you need infrastructure that understands both technical compliance and healthcare's unique dynamics.
What Makes Healthcare CDPs Different
Think about your typical CDP. It's built for e-commerce, B2B SaaS, maybe fintech. But healthcare? That's a different beast entirely:
Event Hygiene
- Regular CDP: "Track everything, figure it out later"
- Healthcare CDP: "Track precisely what matters, with clear governance"
Identity Resolution
- Regular CDP: "More data = better matching"
- Healthcare CDP: "Clean data = compliant matching"
Activation Workflows
- Regular CDP: "Push to all channels"
- Healthcare CDP: "Push with purpose and protection - likely with a confirmation step"
The New Technical Stack
Based on the roundtable discussion, here's what the winning stack might look like:
Foundation Layer
- HIPAA-compliant CDP (like Ours Privacy or Freshpaint)
- Event obfuscation engine
- URL redaction system
Processing Layer
- Custom conversion definitions
- Privacy-safe identity resolution
- Compliant activation rules
Activation Layer
- Meta CAPI integration
- Cross-channel orchestration
- Compliance monitoring
As Brett Gailey noted in the roundtable, teams using this kind of setup might be insulated from Meta's changes. But - and this is crucial - only if implemented thoughtfully. More importantly - no one really knows yet and it's unclear if Meta is even sure.
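A sketch of the foundation layer's event obfuscation and URL redaction steps, applied server-side before an event leaves your infrastructure. It is an added illustration, not code from the roundtable or any vendor's product; the field names, allowlists and key are hypothetical, and the outbound dict is not Meta's CAPI schema.

```python
import hashlib
import hmac
from urllib.parse import urlsplit, urlunsplit

# All names below (key, path allowlist, field names) are hypothetical.
EVENT_KEY = b"constructed-demo-key"  # in practice, held in a secrets manager
SAFE_PATH_SEGMENTS = {"", "services", "locations", "schedule", "contact"}
ALLOWED_FIELDS = {"event_time", "value", "currency"}

def redact_url(url: str) -> str:
    """Drop query string and fragment; mask any path segment not allowlisted."""
    parts = urlsplit(url)
    segments = [s if s in SAFE_PATH_SEGMENTS else "redacted"
                for s in parts.path.split("/")]
    return urlunsplit((parts.scheme, parts.netloc, "/".join(segments), "", ""))

def obfuscate_event_name(name: str) -> str:
    """Replace a descriptive event name with a keyed, opaque identifier."""
    digest = hmac.new(EVENT_KEY, name.encode(), hashlib.sha256).hexdigest()
    return "evt_" + digest[:12]

def build_outbound(event: dict) -> dict:
    """Allowlist fields (unknown fields are dropped, not forwarded),
    then attach the obfuscated event name and the redacted URL."""
    out = {k: v for k, v in event.items() if k in ALLOWED_FIELDS}
    out["event_name"] = obfuscate_event_name(event["event_name"])
    out["page_url"] = redact_url(event["page_url"])
    return out

# Constructed sample event, as a site tag might emit it before filtering.
SAMPLE = {
    "event_name": "depression_screening_form_submit",
    "page_url": "https://clinic.example/services/depression-screening/schedule?patient_id=1234&utm_source=fb#step2",
    "event_time": 1736899200,
    "email": "pat@example.com",
    "diagnosis_code": "F32.9",
}

if __name__ == "__main__":
    print(build_outbound(SAMPLE))
```

The keyed identifier is stable, so internal reporting can join it back to the descriptive event name while the receiving platform sees only the opaque token. Fields are filtered by allowlist, so a newly added tag property stays inside your systems until someone approves it.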
The Data Product Manager's Dilemma
If you're a data product manager in healthtech, you're probably asking:
- "Do we build this in-house?"
- "Which CDP vendors truly understand healthcare?"
- "How do we maintain performance while increasing privacy?"
The answer? It depends on your scale. But here's what I learned measuring campaigns at Revive: sometimes the most elegant solution is the most boring one. It’s ok if it's complex (that’s reality) but don’t settle for complicated.
Start simple:
- Map your conversion events
- Document your privacy requirements
- Build clean activation workflows
- Test and iterate with compliance in mind
The Path Forward for Data and Product Leaders
If you're leading data, analytics, or product at a healthcare company, here's your playbook:
Rethink Measurement
- Build proxy metrics that don't rely on direct conversion tracking
- Get creative with engagement signals
- Focus on top-of-funnel indicators that correlate with intent
The reality is you never truly had ROAS down - don’t kid yourself.
As John Wanamaker famously said:
"Half the money I spend on advertising is wasted; the trouble is I don't know which half."
Every function (even accounting + finance) deals in assumptions and obfuscations - marketing and product simply have more unknowns. Accept it and figure out how to move forward.
Strengthen First-Party Data
- Double down on owned channels
- Build better internal attribution models
- Create measurement frameworks that don't depend on platform data
Use this as an impetus to shift from the buy side over to the build side. Get a better handle on your own data and tooling while investing in owned channels. Don’t over-rotate but don’t be completely dependent on a company like Meta - they don’t care about you or your patients.
Explore Alternative Channels
- Test channels where healthcare isn't as restricted (but be careful!)
- Build cross-channel attribution models
- Focus on content engagement metrics
When I helped instrument campaigns at Revive, we discovered something counterintuitive: restrictions often revealed better channels we'd ignored. Some thoughts:
- Reddit: Shockingly good for healthcare discussions. Their ad platform is like Meta circa 2015 - less sophisticated but more permissive. Just watch the compliance as it’s easy to get in trouble here.
- Programmatic Healthcare Networks: Yes, they're expensive. Yes, they're old school. But they understand healthcare compliance better than any social platform.
- TikTok: Before you roll your eyes - their healthcare policies are still evolving. This is both an opportunity and a risk.
- Point-of-Care Networks: Remember these? They're having a renaissance moment.
- LinkedIn: Especially for B2B healthcare. They're the tortoise in this race - slow, steady, and surprisingly stable on privacy.
The secret? Build your measurement framework first, then pick your channels. Not the other way around.
The Bigger Picture
This feels like a tipping point. But maybe that's good.
Healthcare data has always lived in a world of constraints. HIPAA wasn't the end of healthcare marketing. Neither was the HITECH Act. Or state privacy laws.
Each time, we adapted. We got better and hopefully did better by our patients. We built smarter systems and maybe this pushes folks to go back to the basics - build a product or service that produces value for patients and a business that supports it sustainably.
What Happens Next
For data and product leaders, the next few months are crucial. The situation is going to change and hopefully, Meta will give folks more clarity ( to say nothing of the uncertainty on what brands
Ask yourself:
- How can we measure success without relying on platform data?
- What does "good" attribution look like in a privacy-first world?
- How do we balance growth with increasing privacy demands?
The answers might surprise you. They usually do.
Because sometimes the best innovations come from constraints.
And healthcare data products? We've been innovating around constraints since day one.