[Congressional Bills 118th Congress]
[From the U.S. Government Publishing Office]
[S. 5462 Introduced in Senate (IS)]
<DOC>
118th CONGRESS
2d Session
S. 5462
To prohibit data brokers from selling and transferring certain
sensitive data.
_______________________________________________________________________
IN THE SENATE OF THE UNITED STATES
December 10, 2024
Ms. Warren (for herself, Mr. Sanders, Mr. Whitehouse, and Mr. Wyden)
introduced the following bill; which was read twice and referred to the
Committee on Commerce, Science, and Transportation
_______________________________________________________________________
A BILL
To prohibit data brokers from selling and transferring certain
sensitive data.
Be it enacted by the Senate and House of Representatives of the
United States of America in Congress assembled,
SECTION 1. SHORT TITLE.
This Act may be cited as the ``Health and Location Data Protection
Act of 2024''.
SEC. 2. UNFAIR AND DECEPTIVE ACTS AND PRACTICES RELATING TO HEALTH AND
LOCATION DATA.
(a) In General.--It shall be unlawful for a data broker to sell,
resell, license, trade, transfer, share, or otherwise provide or make
available any of the following forms of data, whether declared or
inferred, of an individual:
(1) Location data.
(2) Health data.
(3) Other categories of data identified by the Commission
that address or reveal a category of data described in
paragraphs (1) and (2).
(b) Exceptions.--
(1) Actions that are hipaa-compliant.--
(A) In general.--Nothing in this Act shall be
construed to prohibit any action taken with respect to
the health information of an individual by a data
broker, acting in its capacity as a business associate
or covered entity, that is permissible under the
Federal regulations concerning standards for privacy of
individually identifiable health information
promulgated under section 264(c) of the Health
Insurance Portability and Accountability Act of 1996
(42 U.S.C. 1320d-2 note).
(B) Application of terms.--In paragraph (1), the
terms ``business associate'', ``covered entity'', and
``health information'' shall have the meaning given
those terms in the Federal regulations specified in
such paragraph.
(2) Publication of newsworthy information of legitimate
public concern.--Nothing in this Act shall be construed to
prohibit the publication of newsworthy information of
legitimate public concern.
(3) Disclosure pursuant to valid authorization.--Nothing in
this Act shall be construed to prohibit a disclosure of the
data of an individual for which the individual provides valid
authorization. For purposes of this paragraph, the term ``valid
authorization'' has the meaning given such term in section
164.508 of title 45, Code of Federal Regulations (or a
successor regulation), subject to such adaptations as the
Commission shall deem necessary to apply such term to the
disclosure of both location data and health data.
(c) Effective Date.--The prohibition under subsection (a) shall
take effect on the earlier of--
(1) the date the Commission issues the final rule under
subsection (d); or
(2) 180 days after the date of enactment of this Act.
(d) Rulemaking.--
(1) Final rule.--Pursuant to section 553 of title 5, United
States Code, the Commission shall promulgate regulations to
carry out the provisions of this Act. The Commission shall
issue a final rule by not later than 180 days after the date of
enactment of this Act.
(2) Additional guidance.--Pursuant to section 553 of title
5, United States Code, the Commission may promulgate further
regulations to carry out the provisions of this Act, including
further guidance regarding the types of data described in
subsection (a).
SEC. 3. ENFORCEMENT.
(a) Enforcement by the Federal Trade Commission.--
(1) Unfair or deceptive acts or practices.--A violation of
section 2 shall be treated as a violation of a rule defining an
unfair or a deceptive act or practice under section 18(a)(1)(B)
of the Federal Trade Commission Act (15 U.S.C. 57a(a)(1)(B)).
(2) Powers of commission.--
(A) In general.--Except as provided in
subparagraphs (D) and (E), the Commission shall enforce
section 2 in the same manner, by the same means, and
with the same jurisdiction, powers, and duties as
though all applicable terms and provisions of the
Federal Trade Commission Act (15 U.S.C. 41 et seq.)
were incorporated into and made a part of this Act.
(B) Privileges and immunities.--Any person who
violates section 2 shall be subject to the penalties
and entitled to the privileges and immunities provided
in the Federal Trade Commission Act (15 U.S.C. 41 et
seq.).
(C) Authority preserved.--Nothing in this Act shall
be construed to limit the authority of the Federal
Trade Commission under any other provision of law.
(D) Nonprofit organizations.--Notwithstanding
section 4 of the Federal Trade Commission Act (15
U.S.C. 44) or any jurisdictional limitation of the
Commission, the Commission shall also enforce this Act,
in the same manner provided in subparagraphs (A) and
(B), with respect to organizations not organized to
carry on business for their own profit or that of their
members.
(E) Independent litigation authority.--In any case
in which the Commission has reason to believe that a
data broker is violating or has violated section 2, the
Commission may bring a civil action in an appropriate
district court of the United States to--
(i) enjoin any further such violation by
such person;
(ii) enforce compliance with this Act,
including through deletion of the relevant
information;
(iii) obtain a permanent, temporary, or
preliminary injunction;
(iv) obtain civil penalties;
(v) obtain damages (whether actual,
punitive, or otherwise), restitution,
disgorgement of unjust enrichment, or other
compensation on behalf of aggrieved persons; or
(vi) obtain any other appropriate equitable
relief.
(b) Enforcement by States.--
(1) In general.--In any case in which the attorney general
of a State has reason to believe that an interest of the
residents of the State has been or is threatened or adversely
affected by the engagement of any data broker subject to
section 2 in a practice that violates such section, the
attorney general of the State may, as parens patriae, bring a
civil action on behalf of the residents of the State in an
appropriate district court of the United States to--
(A) enjoin any further such violation by such
person;
(B) enforce compliance with this Act, including
through deletion of the relevant information;
(C) obtain a permanent, temporary, or preliminary
injunction;
(D) obtain civil penalties;
(E) obtain damages (whether actual, punitive, or
otherwise), restitution, disgorgement of unjust
enrichment, or other compensation on behalf of
aggrieved persons; or
(F) obtain any other appropriate equitable relief.
(2) Notice.--Before filing an action under paragraph (1),
the attorney general, official, or agency of the State involved
shall provide to the Commission a written notice of such action
and a copy of the complaint for such action. If the attorney
general, official, or agency determines that it is not feasible
to provide the notice described in this paragraph before the
filing of the action, the attorney general, official, or agency
shall provide written notice of the action and a copy of the
complaint to the Commission immediately upon the filing of the
action.
(3) Limitation on state action while federal action is
pending.--If the Commission has instituted a civil action for a
violation of section 2, no State attorney general, or official
or agency of a State, may bring an action under this paragraph
during the pendency of that action against any defendant named
in the complaint of the Commission for any violation of section
2 alleged in the complaint.
(4) Relationship with state-law claims.--If the attorney
general of a State has authority to bring an action under State
law directed at acts or practices that also violate section 2,
the attorney general may assert the State-law claim and a claim
under section 2 in the same civil action.
(5) Investigatory powers.--Nothing in this subsection may
be construed to prevent the attorney general of a State from
exercising the powers conferred on the attorney general by the
laws of the State to conduct investigations, to administer
oaths or affirmations, or to compel the attendance of witnesses
or the production of documentary or other evidence.
(c) Private Enforcement.--Any person whose interest has been or is
threatened or adversely affected by the engagement of any data broker
subject to section 2 in a practice that violates such section may bring
a civil action in an appropriate district court of the United States
to--
(1) enjoin any further such violation by such person;
(2) enforce compliance with this Act, including through
deletion of the relevant information;
(3) obtain a permanent, temporary, or preliminary
injunction;
(4) obtain damages (whether actual, punitive, or
otherwise), restitution, or other compensation;
(5) obtain reasonable attorney's fees, including litigation
expenses, and costs; or
(6) obtain any other appropriate equitable relief.
(d) Civil Penalties.--In addition to any other penalties as may be
prescribed by law, a violation of this Act shall carry a civil penalty
not to exceed 15 percent of the revenues earned by the person's
ultimate parent entity during the preceding 12-month period.
(e) Exclusive Jurisdiction.--
(1) District courts.--For any action brought under this
Act, the following district courts shall have exclusive
jurisdiction:
(A) For actions brought by the Commission, the
United States District Court for the District of
Columbia.
(B) For actions brought by a State attorney
general, the district court of the United States for
the judicial district in which the capital of the State
is located.
(C) For private actions brought by persons--
(i) the United States District Court for
the District of Columbia; or
(ii) the district court of the United
States for the judicial district in which the
violation took place or in which any defendant
resides or does business.
(2) Court of appeals.--The United States Court of Appeals
for the District of Columbia Circuit shall have exclusive
jurisdiction of appeals from all decisions under paragraph (1).
(f) Statute of Limitations.--A proceeding for a violation of this
Act may be commenced not later than 6 years after the date upon which
the plaintiff obtains actual knowledge of the facts giving rise to such
violation.
(g) Preemption.--The provisions of this Act preempt only the
provisions of State or local law that require disclosure prohibited by
this Act.
SEC. 4. DEFINITIONS.
In this Act:
(1) Commission.--The term ``Commission'' means the Federal
Trade Commission.
(2) Data.--
(A) In general.--Not later than 180 days after the
date of enactment of this Act, the Commission shall
adopt rules in accordance with section 553 of title 5,
United States Code, to define the term ``data'' for the
purpose of implementing and enforcing this Act.
(B) Requirement.--The term ``data'' shall include
information that is linked, or reasonably linkable,
to--
(i) specific individuals; or
(ii) specific groups of individuals who
share the same place of residence or internet
protocol address.
(3) Data broker.--The term ``data broker'' means a person
that collects, buys, licenses, or infers data about individuals
and then sells, licenses, or trades that data.
(4) Health data.--The term ``health data'' means data that
reveal or describe--
(A) the search for, attempt to obtain, or receipt
of any health services;
(B) any past, present, or future disability,
physical health condition, mental health condition, or
health condition of an individual, including, but not
limited to, pregnancy and miscarriage; or
(C) any treatment or diagnosis of a disability or
condition described in subparagraph (B).
(5) Location data.--The term ``location data'' means data
capable of determining the past or present physical location of
an individual or an individual's device.
(6) State.--The term ``State'' means each of the several
States, the District of Columbia, each commonwealth, territory,
or possession of the United States, and each federally
recognized Indian Tribe.
(7) Ultimate parent entity.--The term ``ultimate parent
entity'' has the meaning given the term in section 801.1 of
title 16, Code of Federal Regulations (or any successor
regulation).
SEC. 5. FUNDING.
In addition to amounts otherwise available, there is appropriated
to the Commission for fiscal year 2025, out of any money in the
Treasury not otherwise appropriated, $1,000,000,000, to remain
available until September 30, 2034, for carrying out the work of the
Commission.
<all>