TL;DR

July 1, 2026 brings a wave of new US state privacy obligations — Connecticut's CTDPA amendments (now covering neural data), Arkansas's new privacy law, and Utah's data-portability rules. Regulated industries — healthcare, finance, government — exchange structured data as XML: HL7/FHIR clinical extracts, regulatory filings, config dumps. When you attach one to a compliance audit, a DSAR (data subject access request) response, or a regulatory submission, an auditor needs to read it — and raw XML is unreadable to non-engineers. Convert: Anything to PDF turns an .xml file into a human-readable PDF entirely on your device — critical, because you literally cannot paste an HL7 file into an online converter without raising a breach question. This is general information, not legal, medical, or compliance advice.


What changes on July 1, 2026

The US privacy patchwork keeps thickening, and July 1 is a common effective date because it lines up with state fiscal years. Three moves matter for anyone handling structured records:

  • Connecticut CTDPA amendments extend the state's data-privacy act, notably to include neural data — information generated by measuring a person's nervous system — as a category of sensitive data. Neuro-tech and health-adjacent data now sit squarely under the regime.
  • Arkansas's new privacy law adds another state to the list of comprehensive consumer-privacy statutes, with its own definitions, consumer rights, and business obligations.
  • Utah's data-portability rules strengthen the requirement that businesses provide consumers with their data in a usable, portable form on request.

The through-line: more categories of sensitive data, more rights for individuals to see their data, and more moments where you have to produce a record — for an auditor, a regulator, or the data subject themselves. We keep a running overview in our guide to US state privacy laws effective in 2026 if you want the wider map. This post is about the mechanical step nobody talks about: making the structured data readable when you have to hand it over.


The scenario: XML that a human has to read

Regulated systems love XML. It's verbose, strict, and self-describing, which suits systems that need to exchange records unambiguously. So the structured data you're asked to produce in an audit or a DSAR is frequently XML:

  • HL7/FHIR clinical extracts — a patient's records exported from an EHR, structured as XML.
  • Regulatory filings — many financial and government submission formats are XML under the hood.
  • Configuration dumps — the exact state of a system, exported for a security or compliance review.

Now the problem. The auditor reviewing your DSAR response is a compliance officer or a lawyer, not an HL7 integration engineer. The data subject who requested their records is a member of the public. Handing either of them a raw .xml file — a wall of angle brackets, namespaces, and nested tags — is not "providing the data in a readable form." It's technically compliant and practically useless, and in a portability context it may not satisfy the requirement at all.

They need the same information laid out so a person can read it. That's XML-to-PDF: take the structured dump, render it into a clean, human-readable document, and attach that to the audit or the DSAR response.

The workflow

  1. Install Convert: Anything to PDF — free, no account.
  2. Have your .xml extract on disk (exported from the EHR, the filing system, the config export).
  3. Open the extension, choose Upload Files, drop in the .xml.
  4. Pick paper size and orientation. Regulated documents often go in physical or archival files, so Letter or A4 with a sensible orientation is usually right.
  5. Convert. A readable PDF downloads instantly — no watermark, no account.

Why "local" isn't a nice-to-have here — it's the whole point

This is the section that matters most, so we'll be direct.

If the XML contains PHI (protected health information) or PII, uploading it to an online converter is a data disclosure to a third party. Full stop. You cannot paste an HL7/FHIR file containing a patient's clinical record into CloudConvert, Zamzar, or any web tool without immediately raising the question: did we just cause a breach? For a HIPAA-covered entity, sending PHI to an unvetted third-party processor without a business associate agreement is exactly the kind of thing that turns into a reportable incident. The irony would be sharp — creating a breach in the act of responding to a privacy request.

Convert: Anything to PDF sidesteps the question entirely because there's nothing to ask. It converts the XML on your device, using a bundled PDF library, with zero network requests during conversion. The file is never uploaded. There's no server to breach, no third party to vet, no BAA to negotiate, because the data never left the machine.

Convert: Anything to PDF (local)Online XML converterPrinting raw XML
PHI / PII leaves your machineNeverUploaded to their serverNever
Third-party processor / BAA questionNone — nothing is sentYes — a real breach concernNone
Readable by a non-engineerYesYes (if it renders)No — raw tags
Watermark on outputNoneCommon on free tiersNone
Merge with tabular exports (CSV)Yes, one documentRarelyNo
Conversion / size capNoneCommon on free tiersN/A
CostFreeFree tier + upsellFree but unreadable

Printing the raw XML is private, but it produces an unreadable document — you've moved the wall of tags from a screen to a page. The online converter makes it readable but sends your PHI to a stranger. The local converter is the only option that's readable and keeps the data on your machine, which is the combination a regulated workflow actually requires.

The vendor-diligence angle nobody flags until it's too late

There's a second-order reason local matters, and compliance teams learn it the hard way. Every third-party tool that touches regulated data is supposed to go through vendor review — a security questionnaire, a data-processing agreement, sometimes a full assessment. The instant an analyst pastes an HL7 file into a random online converter to "just get it into PDF," they've onboarded an unvetted sub-processor without anyone signing off. That's the kind of shadow-IT gap that surfaces in an audit as a finding, months after the fact, when nobody remembers which site was used or what its retention policy said.

A tool that does the conversion on-device short-circuits that entire chain. There's no data leaving the boundary, so there's no sub-processor to review, no DPA to chase, no retention policy to interrogate. From a governance standpoint, "the file never left the endpoint" is a far cleaner story to tell an auditor than "we used a third-party converter but we're pretty sure it was fine." The absence of a data flow is itself the control.


Pairing XML-to-PDF with CSV-to-PDF for a complete audit package

Real audit and DSAR packages aren't a single file. You typically produce a structured extract and tabular records — an access log, a list of processing activities, a retention schedule. Those tables are usually CSV.

The extension handles both, and it merges them. Drop your .xml extract and your .csv tables into one conversion and they combine into a single PDF in the order you arrange. Wide CSVs (6 or more columns) switch to landscape automatically so an access log or a processing-activities table stays legible. The result is one dated document — structured extract plus tables — that you can file, print, or hand to the auditor, all built without a byte leaving your machine.

The full format list — images, TXT, HTML, Markdown, JSON, XML, CSV, and the active browser tab — is on the Convert: Anything to PDF tool page.


XML today, JSON tomorrow — the same evidence instinct

XML is the regulated-and-legacy dialect of structured data; JSON is the modern-API dialect. The audit logic is identical: capture the exact structured payload, render it into a readable, dated PDF, and keep it local because it's sensitive. If your structured data comes from APIs, webhooks, or AI-agent logs rather than an EHR or a filing system, the sibling workflow is JSON to PDF for agentic-commerce audit logs — same on-device conversion, same freeze-the-record-as-evidence goal, different source format.

One honest note that applies to both: the extension renders structured data as formatted text in the PDF, not as an interactive, collapsible tree. For an audit or DSAR document that's exactly what you want — a static, readable, printable record — but if you need to interactively explore a giant extract, do that in a dedicated viewer first, then convert the version you're submitting.


A concrete example: a DSAR response with an EHR extract

Say a patient files a data subject access request. Your obligation is to provide their records in a readable, portable form.

  1. Export the patient's clinical records from the EHR as an HL7/FHIR .xml extract.
  2. Do not upload it anywhere — it's PHI.
  3. Drop the .xml into Convert: Anything to PDF and convert it locally into a readable PDF.
  4. Export the associated access log (who viewed the record, when) as a CSV and add it to the same conversion — it merges in as a landscape table.
  5. You now have one dated PDF: the readable clinical extract plus the access log. File it as your DSAR response record. Nothing touched an external server.

That's a defensible package: readable by the requester, complete, dated, and produced without creating a disclosure event.

When the compliance sprint finally lets up, CineMan AI puts IMDb and Rotten Tomatoes scores directly on your Netflix and Prime tiles, so the evening off doesn't turn into a long scroll.

This article is general information about a file-conversion workflow. It is not legal, medical, or compliance advice. Consult your own counsel and compliance team about your specific obligations under CTDPA, HIPAA, or any applicable law.


Frequently asked questions

How do I turn an HL7/FHIR or regulatory XML file into a readable PDF for an audit?

Drop the .xml file into Convert: Anything to PDF and click Convert. It renders the structured data as readable, formatted text and downloads a PDF an auditor or data subject can actually read. Conversion runs on your device, so the file is never uploaded.

Is it safe to convert XML containing PHI or PII this way?

Yes — because nothing is sent anywhere. The conversion happens entirely on your machine with zero network requests during conversion, so PHI and PII never leave your device. That avoids the breach and business-associate-agreement questions that come with pasting a clinical file into an online converter.

Why can't I just use an online XML-to-PDF converter for a clinical extract?

Because uploading PHI to a third-party web tool is a disclosure to that third party, which for a covered entity can be a reportable breach. A local converter removes the question entirely — there's no server involved, so there's nothing to disclose.

Can I combine an XML extract with CSV tables in one audit document?

Yes. Drop the .xml extract and your .csv tables into a single conversion and they merge into one dated PDF, in order. Wide CSVs switch to landscape automatically, so access logs and processing-activity tables stay readable.

Does the PDF show the XML as an interactive tree?

No. It renders as static, formatted text — which is exactly what an audit or DSAR record should be. For interactive exploration of a large extract, use a dedicated viewer first, then convert the version you're submitting.

Which browsers does the extension support?

Any Chromium browser — Chrome, Edge, Brave, Arc, Opera, or Vivaldi. It does not run on Firefox or Safari.

Bottom line

July 1, 2026 adds neural data, new state laws, and stronger portability rights to an already-thick privacy landscape — which means more moments where you must hand regulated structured data to someone who has to read it. Raw XML doesn't clear that bar, and uploading PHI to a web converter creates the exact problem you're trying to document. Convert: Anything to PDF turns .xml (and .csv) into a readable, dated PDF entirely on your device — no upload, no watermark, no cap. Keep the PHI on your machine, and hand the auditor something they can actually read.