[Congressional Bills 117th Congress]
[From the U.S. Government Publishing Office]
[S. 4408 Introduced in Senate (IS)]

117th CONGRESS
  2d Session
                                S. 4408

    To prohibit data brokers from selling and transferring certain 
                            sensitive data.


_______________________________________________________________________


                   IN THE SENATE OF THE UNITED STATES

                             June 15, 2022

 Ms. Warren (for herself, Mr. Wyden, Mrs. Murray, Mr. Whitehouse, and 
 Mr. Sanders) introduced the following bill; which was read twice and 
   referred to the Committee on Commerce, Science, and Transportation

_______________________________________________________________________

                                 A BILL


 
    To prohibit data brokers from selling and transferring certain 
                            sensitive data.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

    This Act may be cited as the ``Health and Location Data Protection 
Act of 2022''.

SEC. 2. UNFAIR AND DECEPTIVE ACTS AND PRACTICES RELATING TO HEALTH AND 
              LOCATION DATA.

    (a) In General.--It shall be unlawful for a data broker to sell, 
resell, license, trade, transfer, share, or otherwise provide or make 
available any of the following forms of data, whether declared or 
inferred, of an individual:
            (1) Location data.
            (2) Health data.
            (3) Other categories of data identified by the Commission 
        that address or reveal a category of data described in 
        paragraphs (1) and (2).
    (b) Exceptions.--
            (1) Actions that are hipaa-compliant.--
                    (A) In general.--Nothing in this Act shall be 
                construed to prohibit any action taken with respect to 
                the health information of an individual by a data 
                broker that is a business associate or covered entity 
                that is permissible under the Federal regulations 
                concerning standards for privacy of individually 
                identifiable health information promulgated under 
                section 264(c) of the Health Insurance Portability and 
                Accountability Act of 1996 (42 U.S.C. 1320d-2 note).
                    (B) Application of terms.--In paragraph (1), the 
                terms ``business associate'', ``covered entity'', and 
                ``health information'' shall have the meaning given 
                those terms in the Federal regulations specified in 
                such paragraph.
            (2) Publication of newsworthy information of legitimate 
        public concern.--Nothing in this Act shall be construed to 
        prohibit the publication of newsworthy information of 
        legitimate public concern.
            (3) Disclosure pursuant to valid authorization.--Nothing in 
        this Act shall be construed to prohibit a disclosure of the 
        data of an individual for which the individual provides valid 
        authorization. For purposes of this paragraph, the term ``valid 
        authorization'' has the meaning given such term in section 
        164.508 of title 45, Code of Federal Regulations (or a 
        successor regulation), subject to such adaptations as the 
        Commission shall deem necessary to apply such term to the 
        disclosure of both location data and health data.
    (c) Effective Date.--The prohibition under subsection (a) shall 
take effect on the earlier of--
            (1) the date the Commission issues the final rule under 
        subsection (d); or
            (2) 180 days after the date of enactment of this Act.
    (d) Rulemaking.--
            (1) Final rule.--Pursuant to section 553 of title 5, United 
        States Code, the Commission shall promulgate regulations to 
        carry out the provisions of this Act. The Commission shall 
        issue a final rule by not later than 180 days after the date of 
        enactment of this Act.
            (2) Additional guidance.--Pursuant to section 553 of title 
        5, United States Code, the Commission may promulgate further 
        regulations to carry out the provisions of this Act, including 
        further guidance regarding the types of data described in 
        subsection (a).

SEC. 3. ENFORCEMENT.

    (a) Enforcement by the Federal Trade Commission.--
            (1) Unfair or deceptive acts or practices.--A violation of 
        section 2 shall be treated as a violation of a rule defining an 
        unfair or a deceptive act or practice under section 18(a)(1)(B) 
        of the Federal Trade Commission Act (15 U.S.C. 57a(a)(1)(B)).
            (2) Powers of commission.--
                    (A) In general.--Except as provided in 
                subparagraphs (D) and (E), the Commission shall enforce 
                section 2 in the same manner, by the same means, and 
                with the same jurisdiction, powers, and duties as 
                though all applicable terms and provisions of the 
                Federal Trade Commission Act (15 U.S.C. 41 et seq.) 
                were incorporated into and made a part of this Act.
                    (B) Privileges and immunities.--Any person who 
                violates section 2 shall be subject to the penalties 
                and entitled to the privileges and immunities provided 
                in the Federal Trade Commission Act (15 U.S.C. 41 et 
                seq.).
                    (C) Authority preserved.--Nothing in this Act shall 
                be construed to limit the authority of the Federal 
                Trade Commission under any other provision of law.
                    (D) Nonprofit organizations.--Notwithstanding 
                section 4 of the Federal Trade Commission Act (15 
                U.S.C. 44) or any jurisdictional limitation of the 
                Commission, the Commission shall also enforce this Act, 
                in the same manner provided in subparagraphs (A) and 
                (B), with respect to organizations not organized to 
                carry on business for their own profit or that of their 
                members.
                    (E) Independent litigation authority.--In any case 
                in which the Commission has reason to believe that a 
                data broker is violating or has violated section 2, the 
                Commission may bring a civil action in an appropriate 
                district court of the United States to--
                            (i) enjoin any further such violation by 
                        such person;
                            (ii) enforce compliance with this Act, 
                        including through deletion of the relevant 
                        information;
                            (iii) obtain a permanent, temporary, or 
                        preliminary injunction;
                            (iv) obtain civil penalties;
                            (v) obtain damages (whether actual, 
                        punitive, or otherwise), restitution, 
                        disgorgement of unjust enrichment, or other 
                        compensation on behalf of aggrieved persons; or
                            (vi) obtain any other appropriate equitable 
                        relief.
    (b) Enforcement by States.--
            (1) In general.--In any case in which the attorney general 
        of a State has reason to believe that an interest of the 
        residents of the State has been or is threatened or adversely 
        affected by the engagement of any data broker subject to 
        section 2 in a practice that violates such section, the 
        attorney general of the State may, as parens patriae, bring a 
        civil action on behalf of the residents of the State in an 
        appropriate district court of the United States to--
                    (A) enjoin any further such violation by such 
                person;
                    (B) enforce compliance with this Act, including 
                through deletion of the relevant information;
                    (C) obtain a permanent, temporary, or preliminary 
                injunction;
                    (D) obtain civil penalties;
                    (E) obtain damages (whether actual, punitive, or 
                otherwise), restitution, disgorgement of unjust 
                enrichment, or other compensation on behalf of 
                aggrieved persons; or
                    (F) obtain any other appropriate equitable relief.
            (2) Notice.--Before filing an action under paragraph (1), 
        the attorney general, official, or agency of the State involved 
        shall provide to the Commission a written notice of such action 
        and a copy of the complaint for such action. If the attorney 
        general, official, or agency determines that it is not feasible 
        to provide the notice described in this paragraph before the 
        filing of the action, the attorney general, official, or agency 
        shall provide written notice of the action and a copy of the 
        complaint to the Commission immediately upon the filing of the 
        action.
            (3) Limitation on state action while federal action is 
        pending.--If the Commission has instituted a civil action for a 
        violation of section 2, no State attorney general, or official 
        or agency of a State, may bring an action under this paragraph 
        during the pendency of that action against any defendant named 
        in the complaint of the Commission for any violation of section 
        2 alleged in the complaint.
            (4) Relationship with state-law claims.--If the attorney 
        general of a State has authority to bring an action under State 
        law directed at acts or practices that also violate section 2, 
        the attorney general may assert the State-law claim and a claim 
        under section 2 in the same civil action.
            (5) Investigatory powers.--Nothing in this subsection may 
        be construed to prevent the attorney general of a State from 
        exercising the powers conferred on the attorney general by the 
        laws of the State to conduct investigations, to administer 
        oaths or affirmations, or to compel the attendance of witnesses 
        or the production of documentary or other evidence.
    (c) Private Enforcement.--Any person whose interest has been or is 
threatened or adversely affected by the engagement of any data broker 
subject to section 2 in a practice that violates such section may bring 
a civil action in an appropriate district court of the United States 
to--
            (1) enjoin any further such violation by such person;
            (2) enforce compliance with this Act, including through 
        deletion of the relevant information;
            (3) obtain a permanent, temporary, or preliminary 
        injunction;
            (4) obtain damages (whether actual, punitive, or 
        otherwise), restitution, or other compensation;
            (5) obtain reasonable attorney's fees, including litigation 
        expenses, and costs; or
            (6) obtain any other appropriate equitable relief.
    (d) Civil Penalties.--In addition to any other penalties as may be 
prescribed by law, a violation of this Act shall carry a civil penalty 
not to exceed 15 percent of the revenues earned by the person's 
ultimate parent entity during the preceding 12-month period.
    (e) Exclusive Jurisdiction.--
            (1) District courts.--For any action brought under this 
        Act, the following district courts shall have exclusive 
        jurisdiction:
                    (A) For actions brought by the Commission, the 
                United States District Court for the District of 
                Columbia.
                    (B) For actions brought by a State attorney 
                general, the district court of the United States for 
                the judicial district in which the capital of the State 
                is located.
                    (C) For private actions brought by persons--
                            (i) the United States District Court for 
                        the District of Columbia; or
                            (ii) the district court of the United 
                        States for the judicial district in which the 
                        violation took place or in which any defendant 
                        resides or does business.
            (2) Court of appeals.--The United States Court of Appeals 
        for the District of Columbia Circuit shall have exclusive 
        jurisdiction of appeals from all decisions under paragraph (1).
    (f) Statute of Limitations.--A proceeding for a violation of this 
Act may be commenced not later than 6 years after the date upon which 
the plaintiff obtains actual knowledge of the facts giving rise to such 
violation.
    (g) Preemption.--The provisions of this Act preempt only the 
provisions of State or local law that require disclosure prohibited by 
this Act.

SEC. 4. DEFINITIONS.

    In this Act:
            (1) Commission.--The term ``Commission'' means the Federal 
        Trade Commission.
            (2) Data.--
                    (A) In general.--Not later than 180 days after the 
                date of enactment of this Act, the Commission shall 
                adopt rules in accordance with section 553 of title 5, 
                United States Code, to define the term ``data'' for the 
                purpose of implementing and enforcing this Act.
                    (B) Requirement.--The term ``data'' shall include 
                information that is linked, or reasonably linkable, 
                to--
                            (i) specific individuals; or
                            (ii) specific groups of individuals who 
                        share the same place of residence or internet 
                        protocol address.
            (3) Data broker.--The term ``data broker'' means a person 
        that collects, buys, licenses, or infers data about individuals 
        and then sells, licenses, or trades that data.
            (4) Health data.--The term ``health data'' means data that 
        reveal or describe--
                    (A) the search for, attempt to obtain, or receipt 
                of any health services;
                    (B) any past, present, or future disability, 
                physical health condition, mental health condition, or 
                health condition of an individual, including, but not 
                limited to, pregnancy and miscarriage; or
                    (C) any treatment or diagnosis of a disability or 
                condition described in subparagraph (B).
            (5) Location data.--The term ``location data'' means data 
        capable of determining the past or present physical location of 
        an individual or an individual's device.
            (6) State.--The term ``State'' means each of the several 
        States, the District of Columbia, each commonwealth, territory, 
        or possession of the United States, and each federally 
        recognized Indian Tribe.
            (7) Ultimate parent entity.--The term ``ultimate parent 
        entity'' has the meaning given the term in section 801.1 of 
        title 16, Code of Federal Regulations (or any successor 
        regulation).

SEC. 5. FUNDING.

    In addition to amounts otherwise available, there is appropriated 
to the Commission for fiscal year 2023, out of any money in the 
Treasury not otherwise appropriated, $1,000,000,000, to remain 
available until September 30, 2032, for carrying out the work of the 
Commission.