[Congressional Bills 116th Congress]
[From the U.S. Government Publishing Office]
[S. 2885 Introduced in Senate (IS)]

116th CONGRESS
  1st Session
                                S. 2885

      To prohibit the transfer or sale of certain consumer health 
                  information, and for other purposes.


_______________________________________________________________________


                   IN THE SENATE OF THE UNITED STATES

                           November 18, 2019

Mr. Cassidy (for himself and Ms. Rosen) introduced the following bill; 
     which was read twice and referred to the Committee on Health, 
                     Education, Labor, and Pensions

_______________________________________________________________________

                                 A BILL


 
      To prohibit the transfer or sale of certain consumer health 
                  information, and for other purposes.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

    This Act may be cited as the ``Stop Marketing And Revealing The 
Wearables And Trackers Consumer Health Data Act'' or the ``SMARTWATCH 
Data Act''.

SEC. 2. DEFINITIONS.

    In this Act:
            (1) Aggregated.--The term ``aggregated'', with respect to 
        consumer health information--
                    (A) means the removal of individual consumer 
                identities, so that the information is not linked or 
                reasonably linkable to any consumer, including a 
                personal consumer device; and
                    (B) does not include one or more individual 
                consumer records that have not been deidentified.
            (2) Biometric information.--The term ``biometric 
        information''--
                    (A) means the physiological, biological, or 
                behavioral characteristics of an individual, and the 
                recorded, copied, captured, converted, stored 
                derivatives of any such characteristics, that can be 
                used, singly or in combination with each other or with 
                other identifying data, to establish the identity of an 
                individual; and
                    (B) includes deoxyribonucleic acid, imagery of the 
                iris, retina, fingerprint, face, hand, palm, vein 
                patterns, and voice recordings, from which an 
                identifier template, such as a faceprint, a minutiae 
                template, or a voiceprint, can be extracted.
            (3) Business associate; covered entity; protected health 
        information.--The terms ``business associate'', ``covered 
        entity'', and ``protected health information'' have the 
        meanings given such terms in section 160.103 of title 45, Code 
        of Federal Regulations (or any successor regulations).
            (4) Commercial purposes.--The term ``commercial 
        purposes''--
                    (A) means an action intended--
                            (i) to advance the commercial or economic 
                        interests of a person, such as by inducing 
                        another person to buy, rent, lease, join, 
                        subscribe to, provide, or exchange products, 
                        goods, property, information, or services; or
                            (ii) to enable or affect, directly or 
                        indirectly, a commercial transaction; and
                    (B) does not include engaging in speech that State 
                or Federal courts have recognized as noncommercial 
                speech, including political speech and journalism.
            (5) Consumer device.--The term ``consumer device''--
                    (A) means a commercially produced piece of 
                equipment, application software, or mechanism that has 
                the primary function or capability to collect, store, 
                or transmit consumer health information; and
                    (B) may include a device, as defined in section 
                201(h) of the Federal Food, Drug, and Cosmetic Act (21 
                U.S.C. 321(h)).
            (6) Consumer health information.--The term ``consumer 
        health information'' means any information about the health 
        status, personal biometric information, or personal kinesthetic 
        information about a specific individual that is created or 
        collected by a personal consumer device, whether detected from 
        sensors or input manually.
            (7) Deidentified.--The term ``deidentified'' means 
        information that cannot reasonably identify, relate to, 
        describe, be capable of being associated with, or be linked, 
        directly or indirectly, to a particular consumer, computer, or 
        other device.
            (8) Information broker.--The term ``information broker'' 
        means any entity that collects consumers' personal information 
        and resells or shares that information with another person.
            (9) Kinesthetic information.--The term ``kinesthetic 
        information'' means keystroke patterns or rhythms, gait 
        patterns or rhythms, sleep information, and other data that 
        relates to the personal health of an individual.

SEC. 3. PROHIBITIONS.

    (a) In General.--Subject to subsection (b), no entity that collects 
consumer health information may--
            (1) transfer, sell, share, or allow access to any consumer 
        health information (unless aggregated or anonymized) or any 
        other individually identifiable consumer health information 
        collected, recorded, or derived from personal consumer devices 
        to any domestic information broker or other domestic entity 
        if--
                    (A) the primary business function of such domestic 
                information broker or other domestic entity is 
                collecting or analyzing consumer information for 
                profit; or
                    (B) the purpose for transferring, selling, sharing, 
                or allowing access to such information is to otherwise 
                add value to the entity that collects consumer health 
                information, for commercial purposes; or
            (2) transfer, sell, or allow access to any consumer health 
        information collected, stored, recorded, or derived from 
        personal consumer devices to any information broker or any 
        entity outside of the jurisdiction of the United States.
    (b) Exceptions.--
            (1) In general.--Subject to paragraph (3), the prohibition 
        under subsection (a)(1) shall not apply if--
                    (A) the entity obtains the informed consent of the 
                consumer;
                    (B) the information is provided to a covered 
                entity, as defined in section 160.103 of title 45, Code 
                of Federal Regulations (or any successor regulations);
                    (C) such information is provided to a government 
                organization or agency, including law enforcement or 
                regulators, to comply with applicable laws, 
                regulations, or rules, or requests of law enforcement, 
                regulatory, or other governmental agencies or in 
                response to a legal process in connection with a 
                subpoena, warrant, discovery order, or other request or 
                order from a law enforcement agency;
                    (D) such information is provided to the entity's 
                affiliates or other trusted businesses or persons to 
                process the information as part of the entity's 
                external processing procedures, based on the entity's 
                instructions and in compliance with privacy protections 
                and any other appropriate confidentiality and security 
                measures;
                    (E) such information is provided in connection with 
                a substantial corporate transaction of the entity, such 
                as the transfer of ownership, a merger, consolidation, 
                asset sale, or bankruptcy or insolvency; or
                    (F) such information is provided to academic, 
                medical, research institutions, or other nonprofit 
                organizations acting in the public interest for the 
                purpose of detecting or responding to security 
                incidents; preventing fraud; conducting scientific, 
                historical, or statistical research; or preserving the 
                security and safety of people or property.
            (2) Transfers to foreign entities.--Subject to paragraph 
        (3), the prohibition under subsection (a)(2) shall not apply 
        if--
                    (A) the transfer is made only for limited and 
                specific purposes consistent with the consent provided 
                by the individual and with assurances that the 
                recipient will notify the entity providing the data if 
                such recipient makes a determination that it can no 
                longer use the data consistent with such consent;
                    (B) the entity transferring the information 
                determines that the recipient of the information will 
                provide the same level of privacy protection as is 
                required by the entity transferring the information;
                    (C) the entity transferring the information takes 
                reasonable and appropriate steps to ensure that the 
                third party effectively processes the personal 
                information transferred in a manner consistent with the 
                third party's obligations under the second party's 
                privacy principles; and
                    (D) the entity transferring the information agrees 
                to take reasonable steps to stop and remediate 
                unauthorized processing of information by the entity to 
                whom such information is transferred.
            (3) Limitation.--None of the exceptions under paragraphs 
        (1) and (2) shall supersede any contrary rule promulgated by 
        the Federal Trade Commission that is in effect on the date of 
        enactment of this Act.
    (c) Treatment of Consumer Health Information as Protected Health 
Information.--If a covered entity or business associate, acting in its 
capacity as a business associate, receives consumer health information 
generated by a personal consumer device at any time for any reason, 
such consumer health information is considered protected health 
information and is subject to the same protections and restrictions 
under parts 162 and 164 of title 45, Code of Federal Regulations (or 
any successor regulations), as any other protected health information.

SEC. 4. ENFORCEMENT.

    The Secretary of Health and Human Services shall enforce the 
requirements of section 3 against an entity that collects or receives 
consumer health information in the same manner and to the same extent, 
as such secretary enforces the privacy regulations promulgated under 
section 264(c) of the Health Insurance Portability and Accountability 
Act of 1996 (Public Law 104-191; 110 Stat. 2033) against a covered 
entity.