[Congressional Bills 118th Congress]
[From the U.S. Government Publishing Office]
[S. 631 Introduced in Senate (IS)]
118th CONGRESS
1st Session
S. 631
To protect the privacy of personally identifiable health and location
data, and for other purposes.
_______________________________________________________________________
IN THE SENATE OF THE UNITED STATES
March 2, 2023
Ms. Klobuchar (for herself, Ms. Warren, and Ms. Hirono) introduced the
following bill; which was read twice and referred to the Committee on
Commerce, Science, and Transportation
_______________________________________________________________________
A BILL
To protect the privacy of personally identifiable health and location
data, and for other purposes.
Be it enacted by the Senate and House of Representatives of the
United States of America in Congress assembled,
SECTION 1. SHORT TITLE.
This Act may be cited as the ``Upholding Protections for Health and
Online Location Data Privacy Act of 2023'' or the ``UPHOLD Privacy Act
of 2023''.
SEC. 2. PRIVACY OF HEALTH DATA.
(a) Prohibition on the Use of Health Data in Commercial
Advertising.--It shall be unlawful for any covered entity to use the
health data of an individual that is collected from any source
(including data volunteered by an individual, medical center-derived
data, data from a wearable fitness tracker, data from web browsing
history, or any other source determined appropriate by the Commission)
for commercial advertising.
(b) Minimization of Collecting, Retaining, Using, and Disclosing
Health Data.--A covered entity may not collect, retain, use, or
disclose health data except--
(1) with the express consent of the individual to whom such
data relates; or
(2) as is strictly necessary to provide a product or
service that the individual to whom such data relates has
requested from such covered entity.
(c) Minimization of Employee Access.--A covered entity shall
restrict access to health data by any employee or service provider of
the covered entity to only such an employee or service provider for
which access is necessary to provide a product or service that the
individual to whom such data relates has requested from the covered
entity.
(d) Privacy Policy.--
(1) Policy required.--A covered entity shall maintain a
privacy policy relating to the practices of such covered entity
regarding the collecting, retaining, using, and disclosing of
health data.
(2) Publication required.--If a covered entity has a
website, such covered entity shall prominently publish the
privacy policy described in paragraph (1) on such website.
(3) Contents.--The privacy policy described in paragraph
(1) shall be clear and conspicuous and contain, at a minimum,
the following:
(A) A description of the practices of the covered
entity regarding the collecting, retaining, using, and
disclosing of health data.
(B) A clear and concise statement of the categories
of such data collected, retained, used, or disclosed by
the covered entity.
(C) A clear and concise statement of the covered
entity's purposes for the collecting, retaining, using,
or disclosing of such data.
(D) A list of the specific third parties to which
the covered entity discloses such data, and a clear and
concise statement of the purposes for which the covered
entity discloses such data, including how the data may
be used by each such third party.
(E) A list of the specific third parties from which
the covered entity has collected such data, and a clear
and concise statement of the purposes for which the
covered entity collects such data.
(F) A clear and concise statement describing the
extent to which an individual may exercise control over
the collecting, retaining, using, and disclosing of
health data by the covered entity, and the steps an
individual must take to implement such controls.
(G) A clear and concise statement describing the
efforts of the covered entity to protect health data
from unauthorized disclosure.
SEC. 3. UNFAIR AND DECEPTIVE ACTS AND PRACTICES RELATING TO LOCATION
DATA.
(a) Prohibition on Sale From Data Brokers.--It shall be unlawful
for a data broker to sell, resell, license, trade, transfer, share, or
otherwise provide or make available location data (including data
volunteered by an individual, medical center-derived data, data from a
wearable fitness tracker, data from web browsing history, or any other
source determined appropriate by the Commission).
(b) Prohibition on Sale to Data Brokers.--It shall be unlawful for
any person to sell, resell, license, trade, transfer, share, or
otherwise provide or make available location data (including data
volunteered by an individual, medical center-derived data, data from a
wearable fitness tracker, data from web browsing history, or any other
source determined appropriate by the Commission) to a data broker.
SEC. 4. RIGHT OF ACCESS AND DELETION.
(a) Right of Access.--
(1) In general.--A covered entity shall make available a
reasonable mechanism by which an individual, upon verified
request, may access--
(A) any health data or location data relating to
such individual that is retained by such covered
entity, including--
(i) in the case of such data that the
covered entity collected from any third party,
how and from which specific third party the
covered entity collected such data; and
(ii) such data that the covered entity
inferred about the individual; and
(B) a list of the specific third parties to which
the covered entity has disclosed any health data or
location data relating to such individual.
(2) Format.--A covered entity shall make the information
described in paragraph (1) available in both a human-readable
and a structured, interoperable, and machine-readable format.
(b) Right of Deletion.--A covered entity shall make available a
reasonable mechanism by which an individual, upon verified request, may
request the deletion of any health data or location data relating to
such individual that is retained by the covered entity, including any
such information that the covered entity collected from a third party
or inferred from other information retained by the covered entity.
(c) Requirements for Access and Deletion.--
(1) Timeline for complying with requests.--A covered entity
shall comply with a verified request received under this
section without undue delay, but not later than 15 days after
the date on which the covered entity receives such verified
request.
(2) Fees prohibited.--A covered entity may not charge a fee
to an individual for a request made under this section.
(3) Rules of construction.--Nothing in this section shall
be construed to require a covered entity to--
(A) take an action that would convert information
that is not health data or location data into health
data or location data;
(B) collect or retain health data or location data
that the covered entity would not otherwise collect or
retain; or
(C) retain health data or location data longer than
the covered entity would otherwise retain such data.
(d) Reasonable Mechanism Defined.--In this section, the term
``reasonable mechanism'' means, with respect to a covered entity and a
right under this section, a mechanism that--
(1) is equivalent in availability and ease of use to that
of other mechanisms for communicating or interacting with the
covered entity; and
(2) includes an online means of exercising any such right.
SEC. 5. EXCEPTIONS.
(a) Publication of Newsworthy Information of Legitimate Public
Concern.--Nothing in this Act, or a regulation promulgated under this
Act, shall apply with respect to health data or location data that is
collected, retained, used, or disclosed by a covered entity for the
publication of newsworthy information of legitimate public concern to
the public, or to the collecting, retaining, using, or disclosing of
such data by a covered entity for that purpose, if such covered entity
has reasonable safeguards and processes that prevent the collecting,
retaining, using, or disclosing of health data or location data for
commercial purposes other than the publication of newsworthy
information of legitimate public concern.
(b) Public Health Campaigns.--The prohibition under section 2(a)
shall not apply to any public health campaign directed toward
individuals or subpopulations of individuals.
(c) Disclosure Pursuant to Valid Authorization.--
(1) In general.--Nothing in this Act shall be construed to
prohibit a disclosure of the health data or location data of an
individual for which the individual provides valid
authorization.
(2) Valid authorization defined.--For purposes of paragraph
(1), the term ``valid authorization'' has the meaning given
such term in section 164.508 of title 45, Code of Federal
Regulations (or a successor regulation), subject to any such
adaptation the Commission shall deem necessary to apply such
term to the disclosure of both health data and location data.
(d) HIPAA-Compliant Actions.--
(1) In general.--Nothing in this Act shall be construed to
prohibit any action taken with respect to the health
information of an individual by a data broker that is a
business associate or covered entity that is permissible under
the Federal regulations concerning standards for privacy of
individually identifiable health information promulgated under
section 264(c) of the Health Insurance Portability and
Accountability Act of 1996 (42 U.S.C. 1320d-2 note).
(2) Terms defined.--For purposes of paragraph (1), the
terms ``business associate'', ``covered entity'', and ``health
information'' shall have the meanings given those terms in the
Federal regulations specified in such section 264(c) of the
Health Insurance Portability and Accountability Act of 1996 (42
U.S.C. 1320d-2 note).
SEC. 6. EFFECTIVE DATE.
(a) In General.--The prohibitions under sections 2 and 3 shall take
effect on the earlier of--
(1) the date the Commission issues the final rule under
subsection (b); or
(2) 180 days after the date of enactment of this Act.
(b) Rulemaking.--
(1) Final rule.--Not later than 180 days after the date of
enactment of this Act, the Commission shall promulgate
regulations, pursuant to section 553 of title 5, United States
Code, to carry out the provisions of this Act.
(2) Additional guidance.--The Commission may promulgate
further regulations, pursuant to such section 553, to update
and carry out the provisions of this Act, including further
guidance regarding the types of data described in sections 2
and 3.
SEC. 7. ENFORCEMENT.
(a) Enforcement by the Federal Trade Commission.--
(1) Unfair or deceptive acts or practices.--A violation of
section 2, 3, or 4 shall be treated as a violation of a rule
defining an unfair or a deceptive act or practice under section
18(a)(1)(B) of the Federal Trade Commission Act (15 U.S.C.
57a(a)(1)(B)).
(2) Powers of the commission.--
(A) In general.--Except as provided in
subparagraphs (D) and (E), the Commission shall enforce
this Act and any regulation promulgated thereunder in
the same manner, by the same means, and with the same
jurisdiction, powers, and duties as though all
applicable terms and provisions of the Federal Trade
Commission Act (15 U.S.C. 41 et seq.) were incorporated
into and made a part of this Act.
(B) Privileges and immunities.--Subject to
subparagraph (F), any covered entity or data broker who
violates this Act or any regulation promulgated
thereunder shall be subject to the penalties and
entitled to the privileges and immunities provided in
the Federal Trade Commission Act (15 U.S.C. 41 et
seq.).
(C) Authority preserved.--Nothing in this Act shall
be construed to limit the authority of the Federal
Trade Commission under any other provision of law.
(D) Scope of jurisdiction.--Notwithstanding section
4, 5(a)(2), or 6 of the Federal Trade Commission Act
(15 U.S.C. 44, 45(a)(2), 46), or any jurisdictional
limitation of the Commission, the Commission shall also
enforce this Act and the regulations promulgated under
this Act, in the same manner provided in subparagraph
(A), with respect to--
(i) common carriers subject to the
Communications Act of 1934 (47 U.S.C. 151 et
seq.) and Acts amendatory thereof and
supplementary thereto; and
(ii) organizations that are not organized
to carry on business for their own profit or
that of their members.
(E) Independent litigation authority.--In any case
in which the Commission has reason to believe that a
covered entity or data broker is violating or has
violated section 2, 3, or 4, the Commission may bring a
civil action, subject to subsection (c), to--
(i) enjoin any further such violation by
such covered entity or data broker;
(ii) enforce compliance with this Act,
including through deletion of the relevant
information;
(iii) obtain a permanent, temporary, or
preliminary injunction;
(iv) obtain civil penalties;
(v) obtain damages (whether actual,
punitive, or otherwise), restitution,
disgorgement of unjust enrichment, or other
compensation on behalf of aggrieved persons; or
(vi) obtain any other appropriate equitable
relief.
(F) Civil penalties.--In addition to any other
penalties as may be prescribed by law, a violation of
this Act shall carry a civil penalty not to exceed 15
percent of the revenues earned during the preceding 12-
month period by the ultimate parent entity of the
covered entity or data broker that committed such
violation.
(b) Private Right of Action.--
(1) In general.--Any individual alleging a violation of
this Act or a regulation promulgated thereunder may bring a
civil action, subject to subsection (c).
(2) Relief.--In a civil action brought under paragraph (1)
in which the plaintiff prevails, the court may award--
(A) damages in an amount equal to the greater of--
(i) actual damages; or
(ii) an amount equal to not less than $100
and not more than $1,000 per violation, per
day;
(B) punitive damages;
(C) restitution or other compensation;
(D) reasonable attorney's fees, including
litigation expenses, and costs; and
(E) any other relief determined appropriate by the
court, including equitable or declaratory relief.
(3) Injury in fact.--A violation of this Act or a
regulation promulgated thereunder with respect to health data
or location data constitutes a concrete and particularized
injury in fact to the individual to whom such data relates.
(4) Invalidity of pre-dispute arbitration agreements and
pre-dispute joint-action waivers.--
(A) In general.--Notwithstanding any other
provision of law, no pre-dispute arbitration agreement
or pre-dispute joint-action waiver shall be valid or
enforceable with respect to a dispute arising under
this Act.
(B) Applicability.--Any determination as to whether
or how this paragraph applies to any dispute shall be
made by a court, rather than an arbitrator, without
regard to whether such agreement purports to delegate
such determination to an arbitrator.
(C) Definitions.--For purposes of this paragraph:
(i) Pre-dispute arbitration agreement.--The
term ``pre-dispute arbitration agreement''
means any agreement to arbitrate a dispute that
has not arisen at the time of the making of the
agreement.
(ii) Pre-dispute joint-action waiver.--The
term ``pre-dispute joint-action waiver'' means
an agreement that would prohibit a party from
participating in a joint, class, or collective
action in a judicial, arbitral, administrative,
or other forum, concerning a dispute that has
not yet arisen at the time of the making of the
agreement.
(c) Exclusive Jurisdiction.--
(1) District courts.--For any action brought under this
Act, the following district courts shall have exclusive
jurisdiction:
(A) Commission.--For actions brought by the
Commission, the United States District Court for the
District of Columbia.
(B) Private actions.--For private actions brought
by individuals, in the court of the plaintiff's choice
between--
(i) the United States District Court for
the District of Columbia; or
(ii) the district court of the United
States for the judicial district in which the
violation took place or in which any defendant
resides or does business.
(2) Court of appeals.--The United States Court of Appeals
for the District of Columbia Circuit shall have exclusive
jurisdiction of appeals from any decision under paragraph (1).
(d) Statute of Limitations.--An action for a violation of this Act
may be commenced not later than 6 years after the date upon which the
plaintiff obtains actual knowledge of the facts giving rise to such
violation.
SEC. 8. DEFINITIONS.
(a) In General.--In this Act:
(1) Collect.--The term ``collect'' means, with respect to
health data or location data, to obtain such data in any
manner.
(2) Commercial advertising.--The term ``commercial
advertising'' means communications that promote the sale of or
interest in goods or services, including goods or services that
are published digitally, via video or audio, or in print.
(3) Commission.--The term ``Commission'' means the Federal
Trade Commission.
(4) Covered entity.--
(A) In general.--The term ``covered entity'' means
any entity that--
(i) is engaged in activities in or
affecting commerce (as defined in section 4 of
the Federal Trade Commission Act (15 U.S.C.
44)); and
(ii) is--
(I) a person, partnership, or
corporation subject to the jurisdiction
of the Commission under section 5(a)(2)
of the Federal Trade Commission Act (15
U.S.C. 45(a)(2)); or
(II) notwithstanding section 4,
5(a)(2), or 6 of the Federal Trade
Commission Act (15 U.S.C. 44, 45(a)(2),
46) or any jurisdictional limitation of
the Commission--
(aa) a common carrier
subject to the Communications
Act of 1934 (47 U.S.C. 151 et
seq.) and all Acts amendatory
thereof and supplementary
thereto; or
(bb) an organization not
organized to carry on business
for its own profit or that of
its members.
(B) Exclusions.--The term ``covered entity'' does
not include an entity that is--
(i) a covered entity, as defined in section
160.103 of title 45, Code of Federal
Regulations (or a successor regulation), to the
extent such entity is acting as a covered
entity under the HIPAA privacy regulations (as
defined in section 1180(b)(3) of the Social
Security Act (42 U.S.C. 1320d-9(b)(3)));
(ii) an entity that is a business
associate, as defined in section 160.103 of
title 45, Code of Federal Regulations (or a
successor regulation), to the extent such
entity is acting as a business associate under
the HIPAA privacy regulations (as defined in
such section 1180(b)(3)); or
(iii) an entity that is subject to
restrictions on disclosure of records under
section 543 of the Public Health Service Act
(42 U.S.C. 290dd-2), to the extent such entity
is acting in a capacity subject to such
restrictions.
(5) Data broker.--The term ``data broker'' means an
individual or entity that--
(A) collects, buys, licenses, or infers data about
an individual; and
(B) sells, licenses, or trades such data.
(6) Disclose.--The term ``disclose'' means, with respect to
health data or location data, for a covered entity to release,
transfer, sell, provide access to, license, or divulge such
data in any manner to a third party or government entity.
(7) Express consent.--
(A) In general.--The term ``express consent''
means, with respect to the collecting, retaining,
using, or disclosing of health data or location data,
the informed, opted-in, voluntary, specific, and
unambiguous written consent of an individual (which may
include written consent provided by electronic means)
to such collecting, retaining, using, or disclosing of
such data.
(B) Exclusions.--The term ``express consent'' does
not include any of the following:
(i) Consent secured without first providing
to the individual a clear and conspicuous
disclosure, apart from any privacy policy,
terms of service, terms of use, general
release, user agreement, or other similar
document, of all information material to the
provision of consent.
(ii) Hovering over, muting, pausing, or
exiting a given piece of content.
(iii) Agreement obtained through the use of
a user interface designed or manipulated with
the substantial effect of subverting or
impairing user autonomy, decision making, or
choice.
(8) Health data.--The term ``health data'' means data that
identifies, relates to, describes, or reveals--
(A) the search for, attempt to obtain, or receipt
of any health services;
(B) any past, present, or future disability,
physical health condition, mental health condition, or
health condition of an individual, including efforts to
research or obtain health services or supplies
(including location data that might indicate an attempt
to acquire or receive such information services or
supplies);
(C) any treatment or diagnosis of a disability or
condition described in subparagraph (B); or
(D) any information described in subparagraph (A)
through subparagraph (C) that is derived or
extrapolated from non-health information (such as
proxy, derivative, inferred, emergent, or algorithmic
data).
(9) Location data.--
(A) In general.--The term ``location data'' means
data derived from a device or technology that reveals
the past or present physical location of an individual
or device with sufficient precision to identify street-
level location information of the individual or device
within 1,850 feet or less.
(B) Exclusion.--The term ``location data'' does not
include geolocation information identifiable or derived
solely from the visual content of a legally obtained
image, including the location of the device that
captured such image.
(10) Service provider.--
(A) In general.--The term ``service provider''
means an individual or entity that--
(i) collects, retains, uses, or discloses
health data for the sole purpose of, and only
to the extent that such individual or entity
is, conducting business activities on behalf
of, for the benefit of, under instruction of,
or under contractual agreement with a covered
entity and not any other individual or entity;
and
(ii) does not divulge health data to any
individual or entity other than such covered
entity or a contractor to such service provider
bound to information processing terms no less
restrictive than terms to which such service
provider is bound.
(B) Limitation of application.--Such individual or
entity shall only be considered a service provider in
the course of activities described in subparagraph
(A)(i).
(C) Minimization by service providers.--For
purposes of section 2, a request from an individual to
a covered entity for a product or service, and an
express consent from the individual to the covered
entity, shall be treated as having also been provided
to the service provider of the covered entity.
(11) State.--The term ``State'' means each of the several
States, the District of Columbia, each commonwealth, territory,
or possession of the United States, and each Federally
recognized Indian Tribe.
(12) Third party.--The term ``third party'' means, with
respect to the disclosing or collecting of health data, any
individual or entity that is not--
(A) the covered entity that is disclosing or
collecting such information;
(B) the individual to whom such information
relates; or
(C) a service provider.
(13) Ultimate parent entity.--The term ``ultimate parent
entity'' has the meaning given the term in section 801.1 of
title 16, Code of Federal Regulations (or a successor
regulation).
(b) Rulemaking.--
(1) In general.--Not later than 180 days after the date of
enactment of this Act, the Commission shall conduct a
rulemaking pursuant to section 553 of title 5, United States
Code, to define the terms ``public health campaign'' and
``data'' for purposes of implementing and enforcing this Act.
(2) Requirement.--For purposes of the rulemaking required
under paragraph (1), the term ``data'' shall include
information that is linked, or reasonably linkable, to--
(A) specific individuals; or
(B) specific groups of individuals who share the
same place of residence or internet protocol address.
SEC. 9. RELATIONSHIP TO FEDERAL AND STATE LAWS.
(a) Federal Law Preservation.--Nothing in this Act, or a regulation
promulgated under this Act, shall be construed to limit any other
provision of Federal law, except as specifically provided in this Act.
(b) State Law Preservation.--
(1) In general.--Nothing in this Act, or a regulation
promulgated under this Act, shall be construed to preempt,
displace, or supplant any State law, except to the extent that
a provision of State law conflicts with a provision of this
Act, or a regulation promulgated under this Act, and then only
to the extent of the conflict.
(2) Greater protection under state law.--For purposes of
this subsection, a provision of State law does not conflict
with a provision of this Act, or a regulation promulgated under
this Act, if such provision of State law provides greater
privacy protection than the privacy protection provided by such
provision of this Act or such regulation.
SEC. 10. SEVERABILITY CLAUSE.
If any provision of this Act, or the application thereof to any
individual, entity, or circumstance, is held invalid, the remainder of
this Act, and the application of such provision to other persons not
similarly situated or to other circumstances, shall not be affected by
the invalidation.