II
118th CONGRESS
1st Session
S. 631
IN THE SENATE OF THE UNITED STATES
March 2, 2023
Ms. Klobuchar (for herself, Ms. Warren, and Ms. Hirono) introduced the following bill; which was read twice and referred to the Committee on Commerce, Science, and Transportation
A BILL
To protect the privacy of personally identifiable health and location data, and for other purposes.
Short title
This Act may be cited as the "Upholding Protections for Health and Online Location Data Privacy Act of 2023" or the "UPHOLD Privacy Act of 2023".
Privacy of health data
Prohibition on the use of health data in commercial advertising
It shall be unlawful for any covered entity to use the health data of an individual that is collected from any source (including data volunteered by an individual, medical center-derived data, data from a wearable fitness tracker, data from web browsing history, or any other source determined appropriate by the Commission) for commercial advertising.
Minimization of collecting, retaining, using, and disclosing health data
A covered entity may not collect, retain, use, or disclose health data except—
with the express consent of the individual to whom such data relates; or
as is strictly necessary to provide a product or service that the individual to whom such data relates has requested from such covered entity.
Minimization of employee access
A covered entity shall restrict access to health data by any employee or service provider of the covered entity to only such an employee or service provider for which access is necessary to provide a product or service that the individual to whom such data relates has requested from the covered entity.
Privacy policy
Policy required
A covered entity shall maintain a privacy policy relating to the practices of such covered entity regarding the collecting, retaining, using, and disclosing of health data.
Publication required
If a covered entity has a website, such covered entity shall prominently publish the privacy policy described in paragraph (1) on such website.
Contents
The privacy policy described in paragraph (1) shall be clear and conspicuous and contain, at a minimum, the following:
A description of the practices of the covered entity regarding the collecting, retaining, using, and disclosing of health data.
A clear and concise statement of the categories of such data collected, retained, used, or disclosed by the covered entity.
A clear and concise statement of the covered entity's purposes for the collecting, retaining, using, or disclosing of such data.
A list of the specific third parties to which the covered entity discloses such data, and a clear and concise statement of the purposes for which the covered entity discloses such data, including how the data may be used by each such third party.
A list of the specific third parties from which the covered entity has collected such data, and a clear and concise statement of the purposes for which the covered entity collects such data.
A clear and concise statement describing the extent to which an individual may exercise control over the collecting, retaining, using, and disclosing of health data by the covered entity, and the steps an individual must take to implement such controls.
A clear and concise statement describing the efforts of the covered entity to protect health data from unauthorized disclosure.
Unfair and deceptive acts and practices relating to location data
Prohibition on sale from data brokers
It shall be unlawful for a data broker to sell, resell, license, trade, transfer, share, or otherwise provide or make available location data (including data volunteered by an individual, medical center-derived data, data from a wearable fitness tracker, data from web browsing history, or any other source determined appropriate by the Commission).
Prohibition on sale to data brokers
It shall be unlawful for any person to sell, resell, license, trade, transfer, share, or otherwise provide or make available location data (including data volunteered by an individual, medical center-derived data, data from a wearable fitness tracker, data from web browsing history, or any other source determined appropriate by the Commission) to a data broker.
Right of access and deletion
Right of access
In general
A covered entity shall make available a reasonable mechanism by which an individual, upon verified request, may access—
any health data or location data relating to such individual that is retained by such covered entity, including—
in the case of such data that the covered entity collected from any third party, how and from which specific third party the covered entity collected such data; and
such data that the covered entity inferred about the individual; and
a list of the specific third parties to which the covered entity has disclosed any health data or location data relating to such individual.
Format
A covered entity shall make the information described in paragraph (1) available in both a human-readable and a structured, interoperable, and machine-readable format.
Right of deletion
A covered entity shall make available a reasonable mechanism by which an individual, upon verified request, may request the deletion of any health data or location data relating to such individual that is retained by the covered entity, including any such information that the covered entity collected from a third party or inferred from other information retained by the covered entity.
Requirements for access and deletion
Timeline for complying with requests
A covered entity shall comply with a verified request received under this section without undue delay, but not later than 15 days after the date on which the covered entity receives such verified request.
Fees prohibited
A covered entity may not charge a fee to an individual for a request made under this section.
Rules of construction
Nothing in this section shall be construed to require a covered entity to—
take an action that would convert information that is not health data or location data into health data or location data;
collect or retain health data or location data that the covered entity would not otherwise collect or retain; or
retain health data or location data longer than the covered entity would otherwise retain such data.
Reasonable mechanism defined
In this section, the term reasonable mechanism means, with respect to a covered entity and a right under this section, a mechanism that—
is equivalent in availability and ease of use to that of other mechanisms for communicating or interacting with the covered entity; and
includes an online means of exercising any such right.
Exceptions
Publication of newsworthy information of legitimate public concern
Nothing in this Act, or a regulation promulgated under this Act, shall apply with respect to health data or location data that is collected, retained, used, or disclosed by a covered entity for the publication of newsworthy information of legitimate public concern to the public, or to the collecting, retaining, using, or disclosing of such data by a covered entity for that purpose, if such covered entity has reasonable safeguards and processes that prevent the collecting, retaining, using, or disclosing of health data or location data for commercial purposes other than the publication of newsworthy information of legitimate public concern.
Public health campaigns
The prohibition under section 2(a) shall not apply to any public health campaign directed toward individuals or subpopulations of individuals.
Disclosure pursuant to valid authorization
In general
Nothing in this Act shall be construed to prohibit a disclosure of the health data or location data of an individual for which the individual provides valid authorization.
Valid authorization defined
For purposes of paragraph (1), the term valid authorization has the meaning given such term in section 164.508 of title 45, Code of Federal Regulations (or a successor regulation), subject to any such adaptation the Commission shall deem necessary to apply such term to the disclosure of both health data and location data.
HIPAA-Compliant actions
In general
Nothing in this Act shall be construed to prohibit any action taken with respect to the health information of an individual by a data broker that is a business associate or covered entity that is permissible under the Federal regulations concerning standards for privacy of individually identifiable health information promulgated under section 264(c) of the Health Insurance Portability and Accountability Act of 1996 (42 U.S.C. 1320d–2 note).
Terms defined
For purposes of paragraph (1), the terms business associate, covered entity, and health information shall have the meanings given those terms in the Federal regulations specified in such section 264(c) of the Health Insurance Portability and Accountability Act of 1996 (42 U.S.C. 1320d–2 note).
Effective date
In general
The prohibitions under sections 2 and 3 shall take effect on the earlier of—
the date the Commission issues the final rule under subsection (b); or
180 days after the date of enactment of this Act.
Rulemaking
Final rule
Not later than 180 days after the date of enactment of this Act, the Commission shall promulgate regulations, pursuant to section 553 of title 5, United States Code, to carry out the provisions of this Act.
Additional guidance
The Commission may promulgate further regulations, pursuant to such section 553, to update and carry out the provisions of this Act, including further guidance regarding the types of data described in sections 2 and 3.
Enforcement
Enforcement by the Federal Trade Commission
Unfair or deceptive acts or practices
A violation of section 2, 3, or 4 shall be treated as a violation of a rule defining an unfair or a deceptive act or practice under section 18(a)(1)(B) of the Federal Trade Commission Act (15 U.S.C. 57a(a)(1)(B)).
Powers of the Commission
In general
Except as provided in subparagraphs (D) and (E), the Commission shall enforce this Act and any regulation promulgated thereunder in the same manner, by the same means, and with the same jurisdiction, powers, and duties as though all applicable terms and provisions of the Federal Trade Commission Act (15 U.S.C. 41 et seq.) were incorporated into and made a part of this Act.
Privileges and immunities
Subject to subparagraph (F), any covered entity or data broker who violates this Act or any regulation promulgated thereunder shall be subject to the penalties and entitled to the privileges and immunities provided in the Federal Trade Commission Act (15 U.S.C. 41 et seq.).
Authority preserved
Nothing in this Act shall be construed to limit the authority of the Federal Trade Commission under any other provision of law.
Scope of jurisdiction
Notwithstanding section 4, 5(a)(2), or 6 of the Federal Trade Commission Act (15 U.S.C. 44, 45(a)(2), 46), or any jurisdictional limitation of the Commission, the Commission shall also enforce this Act and the regulations promulgated under this Act, in the same manner provided in subparagraph (A), with respect to—
common carriers subject to the Communications Act of 1934 (47 U.S.C. 151 et seq.) and Acts amendatory thereof and supplementary thereto; and
organizations that are not organized to carry on business for their own profit or that of their members.
Independent litigation authority
In any case in which the Commission has reason to believe that a covered entity or data broker is violating or has violated section 2, 3, or 4, the Commission may bring a civil action, subject to subsection (c), to—
enjoin any further such violation by such covered entity or data broker;
enforce compliance with this Act, including through deletion of the relevant information;
obtain a permanent, temporary, or preliminary injunction;
obtain civil penalties;
obtain damages (whether actual, punitive, or otherwise), restitution, disgorgement of unjust enrichment, or other compensation on behalf of aggrieved persons; or
obtain any other appropriate equitable relief.
Civil penalties
In addition to any other penalties as may be prescribed by law, a violation of this Act shall carry a civil penalty not to exceed 15 percent of the revenues earned during the preceding 12-month period by the ultimate parent entity of the covered entity or data broker that committed such violation.
Private right of action
In general
Any individual alleging a violation of this Act or a regulation promulgated thereunder may bring a civil action, subject to subsection (c).
Relief
In a civil action brought under paragraph (1) in which the plaintiff prevails, the court may award—
damages in an amount equal to the greater of—
actual damages; or
an amount equal to not less than $100 and not more than $1,000 per violation, per day;
punitive damages;
restitution or other compensation;
reasonable attorney’s fees, including litigation expenses, and costs; and
any other relief determined appropriate by the court, including equitable or declaratory relief.
Injury in fact
A violation of this Act or a regulation promulgated thereunder with respect to health data or location data constitutes a concrete and particularized injury in fact to the individual to whom such data relates.
Invalidity of pre-dispute arbitration agreements and pre-dispute joint-action waivers
In general
Notwithstanding any other provision of law, no pre-dispute arbitration agreement or pre-dispute joint-action waiver shall be valid or enforceable with respect to a dispute arising under this Act.
Applicability
Any determination as to whether or how this paragraph applies to any dispute shall be made by a court, rather than an arbitrator, without regard to whether such agreement purports to delegate such determination to an arbitrator.
Definitions
For purposes of this paragraph:
Pre-dispute arbitration agreement
The term pre-dispute arbitration agreement means any agreement to arbitrate a dispute that has not arisen at the time of the making of the agreement.
Pre-dispute joint-action waiver
The term pre-dispute joint-action waiver means an agreement that would prohibit a party from participating in a joint, class, or collective action in a judicial, arbitral, administrative, or other forum, concerning a dispute that has not yet arisen at the time of the making of the agreement.
Exclusive jurisdiction
District courts
For any action brought under this Act, the following district courts shall have exclusive jurisdiction:
Commission
For actions brought by the Commission, the United States District Court for the District of Columbia.
Private actions
For private actions brought by individuals, in the court of the plaintiff's choice between—
the United States District Court for the District of Columbia; or
the district court of the United States for the judicial district in which the violation took place or in which any defendant resides or does business.
Court of appeals
The United States Court of Appeals for the District of Columbia Circuit shall have exclusive jurisdiction of appeals from any decision under paragraph (1).
Statute of limitations
An action for a violation of this Act may be commenced not later than 6 years after the date upon which the plaintiff obtains actual knowledge of the facts giving rise to such violation.
Definitions
In general
In this Act:
Collect
The term collect means, with respect to health data or location data, to obtain such data in any manner.
Commercial advertising
The term commercial advertising means communications that promote the sale of or interest in goods or services, including goods or services that are published digitally, via video or audio, or in print.
Commission
The term Commission means the Federal Trade Commission.
Covered entity
In general
The term covered entity means any entity that—
is engaged in activities in or affecting commerce (as defined in section 4 of the Federal Trade Commission Act (15 U.S.C. 44)); and
is—
a person, partnership, or corporation subject to the jurisdiction of the Commission under section 5(a)(2) of the Federal Trade Commission Act (15 U.S.C. 45(a)(2)); or
notwithstanding section 4, 5(a)(2), or 6 of the Federal Trade Commission Act (15 U.S.C. 44, 45(a)(2), 46) or any jurisdictional limitation of the Commission—
a common carrier subject to the Communications Act of 1934 (47 U.S.C. 151 et seq.) and all Acts amendatory thereof and supplementary thereto; or
an organization not organized to carry on business for its own profit or that of its members.
Exclusions
The term covered entity does not include an entity that is—
a covered entity, as defined in section 160.103 of title 45, Code of Federal Regulations (or a successor regulation), to the extent such entity is acting as a covered entity under the HIPAA privacy regulations (as defined in section 1180(b)(3) of the Social Security Act (42 U.S.C. 1320d–9(b)(3)));
an entity that is a business associate, as defined in section 160.103 of title 45, Code of Federal Regulations (or a successor regulation), to the extent such entity is acting as a business associate under the HIPAA privacy regulations (as defined in such section 1180(b)(3)); or
an entity that is subject to restrictions on disclosure of records under section 543 of the Public Health Service Act (42 U.S.C. 290dd–2), to the extent such entity is acting in a capacity subject to such restrictions.
Data broker
The term data broker means an individual or entity that—
collects, buys, licenses, or infers data about an individual; and
sells, licenses, or trades such data.
Disclose
The term disclose means, with respect to health data or location data, for a covered entity to release, transfer, sell, provide access to, license, or divulge such data in any manner to a third party or government entity.
Express consent
In general
The term express consent means, with respect to the collecting, retaining, using, or disclosing of health data or location data, the informed, opted-in, voluntary, specific, and unambiguous written consent of an individual (which may include written consent provided by electronic means) to such collecting, retaining, using, or disclosing of such data.
Exclusions
The term express consent does not include any of the following:
Consent secured without first providing to the individual a clear and conspicuous disclosure, apart from any privacy policy, terms of service, terms of use, general release, user agreement, or other similar document, of all information material to the provision of consent.
Hovering over, muting, pausing, or exiting a given piece of content.
Agreement obtained through the use of a user interface designed or manipulated with the substantial effect of subverting or impairing user autonomy, decision making, or choice.
Health data
The term health data means data that identifies, relates to, describes, or reveals—
the search for, attempt to obtain, or receipt of any health services;
any past, present, or future disability, physical health condition, mental health condition, or health condition of an individual, including efforts to research or obtain health services or supplies (including location data that might indicate an attempt to acquire or receive such information services or supplies);
any treatment or diagnosis of a disability or condition described in subparagraph (B); or
any information described in subparagraph (A) through subparagraph (C) that is derived or extrapolated from non-health information (such as proxy, derivative, inferred, emergent, or algorithmic data).
Location data
In general
The term location data means data derived from a device or technology that reveals the past or present physical location of an individual or device with sufficient precision to identify street-level location information of the individual or device within 1,850 feet or less.
Exclusion
The term location data does not include geolocation information identifiable or derived solely from the visual content of a legally obtained image, including the location of the device that captured such image.
Service provider
In general
The term service provider means an individual or entity that—
collects, retains, uses, or discloses health data for the sole purpose of, and only to the extent that such individual or entity is, conducting business activities on behalf of, for the benefit of, under instruction of, or under contractual agreement with a covered entity and not any other individual or entity; and
does not divulge health data to any individual or entity other than such covered entity or a contractor to such service provider bound to information processing terms no less restrictive than terms to which such service provider is bound.
Limitation of application
Such individual or entity shall only be considered a service provider in the course of activities described in subparagraph (A)(i).
Minimization by service providers
For purposes of section 2, a request from an individual to a covered entity for a product or service, and an express consent from the individual to the covered entity, shall be treated as having also been provided to the service provider of the covered entity.
State
The term State means each of the several States, the District of Columbia, each commonwealth, territory, or possession of the United States, and each Federally recognized Indian Tribe.
Third party
The term third party means, with respect to the disclosing or collecting of health data, any individual or entity that is not—
the covered entity that is disclosing or collecting such information;
the individual to whom such information relates; or
a service provider.
Ultimate parent entity
The term ultimate parent entity has the meaning given the term in section 801.1 of title 16, Code of Federal Regulations (or a successor regulation).
Rulemaking
In general
Not later than 180 days after the date of enactment of this Act, the Commission shall conduct a rulemaking pursuant to section 553 of title 5, United States Code, to define the terms public health campaign and data for purposes of implementing and enforcing this Act.
Requirement
For purposes of the rulemaking required under paragraph (1), the term data shall include information that is linked, or reasonably linkable, to—
specific individuals; or
specific groups of individuals who share the same place of residence or internet protocol address.
Relationship to Federal and State laws
Federal law preservation
Nothing in this Act, or a regulation promulgated under this Act, shall be construed to limit any other provision of Federal law, except as specifically provided in this Act.
State law preservation
In general
Nothing in this Act, or a regulation promulgated under this Act, shall be construed to preempt, displace, or supplant any State law, except to the extent that a provision of State law conflicts with a provision of this Act, or a regulation promulgated under this Act, and then only to the extent of the conflict.
Greater protection under State law
For purposes of this subsection, a provision of State law does not conflict with a provision of this Act, or a regulation promulgated under this Act, if such provision of State law provides greater privacy protection than the privacy protection provided by such provision of this Act or such regulation.
Severability clause
If any provision of this Act, or the application thereof to any individual, entity, or circumstance, is held invalid, the remainder of this Act, and the application of such provision to other persons not similarly situated or to other circumstances, shall not be affected by the invalidation.