Text: S.2885 — 116th Congress (2019-2020)

There is one version of the bill.

Introduced in Senate (11/18/2019)


116th CONGRESS
1st Session
S. 2885


To prohibit the transfer or sale of certain consumer health information, and for other purposes.


IN THE SENATE OF THE UNITED STATES

November 18, 2019

Mr. Cassidy (for himself and Ms. Rosen) introduced the following bill; which was read twice and referred to the Committee on Health, Education, Labor, and Pensions


A BILL

To prohibit the transfer or sale of certain consumer health information, and for other purposes.

Be it enacted by the Senate and House of Representatives of the United States of America in Congress assembled,

SECTION 1. Short title.

This Act may be cited as the “Stop Marketing And Revealing The Wearables And Trackers Consumer Health Data Act” or the “SMARTWATCH Data Act”.

SEC. 2. Definitions.

In this Act:

(1) AGGREGATED.—The term “aggregated”, with respect to consumer health information—

(A) means the removal of individual consumer identities, so that the information is not linked or reasonably linkable to any consumer, including a personal consumer device; and

(B) does not include one or more individual consumer records that have not been deidentified.

(2) BIOMETRIC INFORMATION.—The term “biometric information”—

(A) means the physiological, biological, or behavioral characteristics of an individual, and the recorded, copied, captured, converted, stored derivatives of any such characteristics, that can be used, singly or in combination with each other or with other identifying data, to establish the identity of an individual; and

(B) includes deoxyribonucleic acid, imagery of the iris, retina, fingerprint, face, hand, palm, vein patterns, and voice recordings, from which an identifier template, such as a faceprint, a minutiae template, or a voiceprint, can be extracted.

(3) BUSINESS ASSOCIATE; COVERED ENTITY; PROTECTED HEALTH INFORMATION.—The terms “business associate”, “covered entity”, and “protected health information” have the meanings given such terms in section 160.103 of title 45, Code of Federal Regulations (or any successor regulations).

(4) COMMERCIAL PURPOSES.—The term “commercial purposes”—

(A) means an action intended—

(i) to advance the commercial or economic interests of a person, such as by inducing another person to buy, rent, lease, join, subscribe to, provide, or exchange products, goods, property, information, or services; or

(ii) to enable or affect, directly or indirectly, a commercial transaction; and

(B) does not include engaging in speech that State or Federal courts have recognized as noncommercial speech, including political speech and journalism.

(5) CONSUMER DEVICE.—The term “consumer device”—

(A) means a commercially produced piece of equipment, application software, or mechanism that has the primary function or capability to collect, store, or transmit consumer health information; and

(B) may include a device, as defined in section 201(h) of the Federal Food, Drug, and Cosmetic Act (21 U.S.C. 321(h)).

(6) CONSUMER HEALTH INFORMATION.—The term “consumer health information” means any information about the health status, personal biometric information, or personal kinesthetic information about a specific individual that is created or collected by a personal consumer device, whether detected from sensors or input manually.

(7) DEIDENTIFIED.—The term “deidentified” means information that cannot reasonably identify, relate to, describe, be capable of being associated with, or be linked, directly or indirectly, to a particular consumer, computer, or other device.

(8) INFORMATION BROKER.—The term “information broker” means any entity that collects consumers’ personal information and resells or shares that information with another person.

(9) KINESTHETIC INFORMATION.—The term “kinesthetic information” means keystroke patterns or rhythms, gait patterns or rhythms, sleep information, and other data that relates to the personal health of an individual.

SEC. 3. Prohibitions.

(a) In general.—Subject to subsection (b), no entity that collects consumer health information may—

(1) transfer, sell, share, or allow access to any consumer health information (unless aggregated or anonymized) or any other individually identifiable consumer health information collected, recorded, or derived from personal consumer devices to any domestic information broker or other domestic entity if—

(A) the primary business function of such domestic information broker or other domestic entity is collecting or analyzing consumer information for profit; or

(B) the purpose for transferring, selling, sharing, or allowing access to such information is to otherwise add value to the entity that collects consumer health information, for commercial purposes; or

(2) transfer, sell, or allow access to any consumer health information collected, stored, recorded, or derived from personal consumer devices to any information broker or any entity outside of the jurisdiction of the United States.

(b) Exceptions.—

(1) IN GENERAL.—Subject to paragraph (3), the prohibition under subsection (a)(1) shall not apply if—

(A) the entity obtains the informed consent of the consumer;

(B) the information is provided to a covered entity, as defined in section 160.103 of title 45, Code of Federal Regulations (or any successor regulations);

(C) such information is provided to a government organization or agency, including law enforcement or regulators, to comply with applicable laws, regulations, or rules, or requests of law enforcement, regulatory, or other governmental agencies or in response to a legal process in connection with a subpoena, warrant, discovery order, or other request or order from a law enforcement agency;

(D) such information is provided to the entity's affiliates or other trusted businesses or persons to process the information as part of the entity's external processing procedures, based on the entity's instructions and in compliance with privacy protections and any other appropriate confidentiality and security measures;

(E) such information is provided in connection with a substantial corporate transaction of the entity, such as the transfer of ownership, a merger, consolidation, asset sale, or bankruptcy or insolvency; or

(F) such information is provided to academic, medical, research institutions, or other nonprofit organizations acting in the public interest for the purpose of detecting or responding to security incidents; preventing fraud; conducting scientific, historical, or statistical research; or preserving the security and safety of people or property.

(2) TRANSFERS TO FOREIGN ENTITIES.—Subject to paragraph (3), the prohibition under subsection (a)(2) shall not apply if—

(A) the transfer is made only for limited and specific purposes consistent with the consent provided by the individual and with assurances that the recipient will notify the entity providing the data if such recipient makes a determination that it can no longer use the data consistent with such consent;

(B) the entity transferring the information determines that the recipient of the information will provide the same level of privacy protection as is required by the entity transferring the information;

(C) the entity transferring the information takes reasonable and appropriate steps to ensure that the third party effectively processes the personal information transferred in a manner consistent with the third party’s obligations under the second party’s privacy principles; and

(D) the entity transferring the information agrees to take reasonable steps to stop and remediate unauthorized processing of information by the entity to whom such information is transferred.

(3) LIMITATION.—None of the exceptions under paragraphs (1) and (2) shall supersede any contrary rule promulgated by the Federal Trade Commission that is in effect on the date of enactment of this Act.

(c) Treatment of consumer health information as protected health information.—If a covered entity or business associate, acting in its capacity as a business associate, receives consumer health information generated by a personal consumer device at any time for any reason, such consumer health information is considered protected health information and is subject to the same protections and restrictions under parts 162 and 164 of title 45, Code of Federal Regulations (or any successor regulations), as any other protected health information.

SEC. 4. Enforcement.

The Secretary of Health and Human Services shall enforce the requirements of section 3 against an entity that collects or receives consumer health information in the same manner and to the same extent, as such secretary enforces the privacy regulations promulgated under section 264(c) of the Health Insurance Portability and Accountability Act of 1996 (Public Law 104–191; 110 Stat. 2033) against a covered entity.

