[Congressional Bills 117th Congress]
[From the U.S. Government Publishing Office]
[S. 4434 Introduced in Senate (IS)]

117th CONGRESS
  2d Session
                                S. 4434

   To protect the privacy of personal reproductive or sexual health 
                  information, and for other purposes.


_______________________________________________________________________


                   IN THE SENATE OF THE UNITED STATES

                             June 16, 2022

  Ms. Hirono (for herself, Mr. Wyden, Mrs. Gillibrand, Ms. Smith, Mr. 
Whitehouse, Mr. Blumenthal, Ms. Baldwin, Mr. Brown, Ms. Duckworth, Ms. 
  Klobuchar, and Mr. Booker) introduced the following bill; which was 
  read twice and referred to the Committee on Commerce, Science, and 
                             Transportation

_______________________________________________________________________

                                 A BILL


 
   To protect the privacy of personal reproductive or sexual health 
                  information, and for other purposes.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

    This Act may be cited as the ``My Body, My Data Act of 2022''.

SEC. 2. MINIMIZATION.

    (a) Minimization of Collecting, Retaining, Using, and Disclosing.--
A regulated entity may not collect, retain, use, or disclose personal 
reproductive or sexual health information except--
            (1) with the express consent of the individual to whom such 
        information relates; or
            (2) as is strictly necessary to provide a product or 
        service that the individual to whom such information relates 
        has requested from such regulated entity.
    (b) Minimization of Employee Access.--A regulated entity shall 
restrict access to personal reproductive or sexual health information 
by the employees or service providers of such regulated entity to such 
employees or service providers for which access is necessary to provide 
a product or service that the individual to whom such information 
relates has requested from such regulated entity.

SEC. 3. RIGHT OF ACCESS AND DELETION.

    (a) Right of Access.--
            (1) In general.--A regulated entity shall make available a 
        reasonable mechanism by which an individual, upon a verified 
        request, may access--
                    (A) any personal reproductive or sexual health 
                information relating to such individual that is 
                retained by such regulated entity, including--
                            (i) in the case of such information that 
                        such regulated entity collected from third 
                        parties, how and from which specific third 
                        parties such regulated entity collected such 
                        information; and
                            (ii) such information that such regulated 
                        entity inferred about such individual; and
                    (B) a list of the specific third parties to which 
                such regulated entity has disclosed any personal 
                reproductive or sexual health information relating to 
                such individual.
            (2) Format.--A regulated entity shall make the information 
        described in paragraph (1) available in both a human-readable 
        format and a structured, interoperable, and machine-readable 
        format.
    (b) Right of Deletion.--A regulated entity shall make available a 
reasonable mechanism by which an individual, upon a verified request, 
may request the deletion of any personal reproductive or sexual health 
information relating to such individual that is retained by such 
regulated entity, including any such information that such regulated 
entity collected from a third party or inferred from other information 
retained by such regulated entity.
    (c) General Provisions.--
            (1) Reasonable mechanism defined.--In this section, the 
        term ``reasonable mechanism'' means, with respect to a 
        regulated entity and a right under this section, a mechanism 
        that--
                    (A) is equivalent in availability and ease of use 
                to that of other mechanisms for communicating or 
                interacting with such regulated entity; and
                    (B) includes an online means of exercising such 
                right.
            (2) Timeline for complying with requests.--A regulated 
        entity shall comply with a verified request received under this 
        section without undue delay but not later than 15 days after 
        the date on which such regulated entity receives such verified 
        request.
            (3) Fees prohibited.--A regulated entity may not charge a 
        fee to an individual for a request made under this section.
            (4) Rules of construction.--Nothing in this section shall 
        be construed to require a regulated entity to--
                    (A) take an action that would convert information 
                that is not personal information into personal 
                information;
                    (B) collect or retain personal information that 
                such regulated entity would otherwise not collect or 
                retain; or
                    (C) retain personal information longer than such 
                regulated entity would otherwise retain such 
                information.

SEC. 4. PRIVACY POLICY.

    (a) Policy Required.--A regulated entity shall maintain a privacy 
policy relating to the practices of such regulated entity regarding the 
collecting, retaining, using, and disclosing of personal reproductive 
or sexual health information.
    (b) Publication Required.--If a regulated entity has a website, 
such regulated entity shall prominently publish the privacy policy 
required by subsection (a) on such website.
    (c) Contents.--The privacy policy required by subsection (a) shall 
be clear and conspicuous and shall contain, at a minimum, the 
following:
            (1) A description of the practices of the regulated entity 
        regarding the collecting, retaining, using, and disclosing of 
        personal reproductive or sexual health information.
            (2) A clear and concise statement of the categories of such 
        information collected, retained, used, or disclosed by the 
        regulated entity.
            (3) A clear and concise statement of the purposes of the 
        regulated entity for the collecting, retaining, using, or 
        disclosing of such information.
            (4) A list of the specific third parties to which the 
        regulated entity discloses such information, and a clear and 
        concise statement of the purposes for which the regulated 
        entity discloses such information, including how the 
        information may be used by each such third party.
            (5) A list of the specific third parties from which the 
        regulated entity has collected such information, and a clear 
        and concise statement of the purposes for which the regulated 
        entity collects such information.
            (6) A clear and concise statement describing the extent to 
        which individuals may exercise control over the collecting, 
        retaining, using, and disclosing of personal reproductive or 
        sexual health information by the regulated entity, and the 
        steps an individual must take to implement such controls.
            (7) A clear and concise statement describing the efforts of 
        the regulated entity to protect personal reproductive or sexual 
        health information from unauthorized disclosure.

SEC. 5. ENFORCEMENT.

    (a) Enforcement by Federal Trade Commission.--
            (1) Unfair or deceptive acts or practices.--A violation of 
        this Act or a regulation promulgated under this Act shall be 
        treated as a violation of a regulation under section 
        18(a)(1)(B) of the Federal Trade Commission Act (15 U.S.C. 
        57a(a)(1)(B)) regarding unfair or deceptive acts or practices.
            (2) Powers of commission.--Except as provided in section 
        6(7)(A)(ii), the Commission shall enforce this Act and the 
        regulations promulgated under this Act in the same manner, by 
        the same means, and with the same jurisdiction, powers, and 
        duties as though all applicable terms and provisions of the 
        Federal Trade Commission Act (15 U.S.C. 41 et seq.) were 
        incorporated into and made a part of this Act, and any 
        regulated entity that violates this Act or a regulation 
        promulgated under this Act shall be subject to the penalties 
        and entitled to the privileges and immunities provided in the 
        Federal Trade Commission Act.
            (3) Rulemaking authority.--The Commission may promulgate 
        regulations under section 553 of title 5, United States Code, 
        to implement this Act.
    (b) Enforcement by Individuals.--
            (1) In general.--Any individual alleging a violation of 
        this Act or a regulation promulgated under this Act may bring a 
        civil action in any court of competent jurisdiction.
            (2) Relief.--In a civil action brought under paragraph (1) 
        in which the plaintiff prevails, the court may award--
                    (A) an amount not less than $100 and not greater 
                than $1,000 per violation per day, or actual damages, 
                whichever is greater;
                    (B) punitive damages;
                    (C) reasonable attorney's fees and litigation 
                costs; and
                    (D) any other relief, including equitable or 
                declaratory relief, that the court determines 
                appropriate.
            (3) Injury in fact.--A violation of this Act, or a 
        regulation promulgated under this Act, with respect to personal 
        reproductive or sexual health information constitutes a 
        concrete and particularized injury in fact to the individual to 
        whom such information relates.
            (4) Invalidity of pre-dispute arbitration agreements and 
        pre-dispute joint action waivers.--
                    (A) In general.--Notwithstanding any other 
                provision of law, no pre-dispute arbitration agreement 
                or pre-dispute joint-action waiver shall be valid or 
                enforceable with respect to a dispute arising under 
                this Act.
                    (B) Applicability.--Any determination as to whether 
                or how this paragraph applies to any dispute shall be 
                made by a court, rather than an arbitrator, without 
                regard to whether such agreement purports to delegate 
                such determination to an arbitrator.
                    (C) Definitions.--For purposes of this paragraph:
                            (i) Pre-dispute arbitration agreement.--The 
                        term ``pre-dispute arbitration agreement'' 
                        means any agreement to arbitrate a dispute that 
                        has not arisen at the time of the making of the 
                        agreement.
                            (ii) Pre-dispute joint-action waiver.--The 
                        term ``pre-dispute joint-action waiver'' means 
                        an agreement that would prohibit a party from 
                        participating in a joint, class, or collective 
                        action in a judicial, arbitral, administrative, 
                        or other forum, concerning a dispute that has 
                        not yet arisen at the time of the making of the 
                        agreement.

SEC. 6. DEFINITIONS.

    In this Act:
            (1) Collect.--The term ``collect'' means, with respect to 
        personal reproductive or sexual health information, for a 
        regulated entity to obtain such information in any manner.
            (2) Commission.--The term ``Commission'' means the Federal 
        Trade Commission.
            (3) Disclose.--The term ``disclose'' means, with respect to 
        personal reproductive or sexual health information, for a 
        regulated entity to release, transfer, sell, provide access to, 
        license, or divulge such information in any manner to a third 
        party or government entity.
            (4) Express consent.--
                    (A) In general.--The term ``express consent'' 
                means, with respect to the collecting, retaining, 
                using, or disclosing of personal reproductive or sexual 
                health information, informed, opt-in, voluntary, 
                specific, and unambiguous written consent (which may 
                include written consent provided by electronic means) 
                to such collecting, retaining, using, or disclosing of 
                such information.
                    (B) Exclusions.--The term ``express consent'' does 
                not include any of the following:
                            (i) Consent secured without first providing 
                        to the individual a clear and conspicuous 
                        disclosure, apart from any privacy policy, 
                        terms of service, terms of use, general 
                        release, user agreement, or other similar 
                        document, of all information material to the 
                        provision of consent.
                            (ii) Hovering over, muting, pausing, or 
                        closing a given piece of content.
                            (iii) Agreement obtained through the use of 
                        a user interface designed or manipulated with 
                        the substantial effect of subverting or 
                        impairing user autonomy, decision making, or 
                        choice.
            (5) Personal information.--The term ``personal 
        information'' means information that identifies, relates to, 
        describes, is reasonably capable of being associated with, or 
        could reasonably be linked, directly or indirectly, with a 
        particular individual.
            (6) Personal reproductive or sexual health information.--
        The term ``personal reproductive or sexual health information'' 
        means personal information relating to the past, present, or 
        future reproductive or sexual health of an individual, 
        including--
                    (A) efforts to research or obtain reproductive or 
                sexual information services or supplies, including 
                location information that might indicate an attempt to 
                acquire or receive such information services or 
                supplies;
                    (B) reproductive or sexual health conditions, 
                status, diseases, or diagnoses, including pregnancy, 
                menstruation, ovulation, ability to conceive a 
                pregnancy, whether such individual is sexually active, 
                and whether such individual is engaging in unprotected 
                sex;
                    (C) reproductive- and sexual-health-related 
                surgeries or procedures, such as termination of a 
                pregnancy;
                    (D) use or purchase of contraceptives, birth 
                control, or any medication related to reproductive 
                health, including abortifacients;
                    (E) bodily functions, vital signs, measurement, or 
                symptoms related to menstruation or pregnancy, such as 
                basal temperature, cramps, bodily discharge, or hormone 
                levels;
                    (F) any information about diagnoses or diagnostic 
                testing, treatment, medications, or the use of any 
                product or service relating to the matters described in 
                subparagraphs (A) through (E); and
                    (G) any information described in subparagraphs (A) 
                through (F) that is derived or extrapolated from non-
                health information (such as proxy, derivative, 
                inferred, emergent, or algorithmic data).
            (7) Regulated entity.--
                    (A) In general.--The term ``regulated entity'' 
                means any entity (to the extent such entity is engaged 
                in activities in or affecting commerce (as defined in 
                section 4 of the Federal Trade Commission Act (15 
                U.S.C. 44))) that is--
                            (i) a person, partnership, or corporation 
                        subject to the jurisdiction of the Commission 
                        under section 5(a)(2) of the Federal Trade 
                        Commission Act (15 U.S.C. 45(a)(2)); or
                            (ii) notwithstanding section 4, 5(a)(2), or 
                        6 of the Federal Trade Commission Act (15 
                        U.S.C. 44; 45(a)(2); 46) or any jurisdictional 
                        limitation of the Commission--
                                    (I) a common carrier subject to the 
                                Communications Act of 1934 (47 U.S.C. 
                                151 et seq.) and all Acts amendatory 
                                thereof and supplementary thereto; or
                                    (II) an organization not organized 
                                to carry on business for its own profit 
                                or that of its members.
                    (B) Exclusions.--The term ``regulated entity'' does 
                not include--
                            (i) an entity that is a covered entity, as 
                        defined in section 160.103 of title 45, Code of 
                        Federal Regulations (or any successor to such 
                        regulation), to the extent such entity is 
                        acting as a covered entity under the HIPAA 
                        privacy regulations (as defined in section 
                        1180(b)(3) of the Social Security Act (42 
                        U.S.C. 1320d-9(b)(3)));
                            (ii) an entity that is a business 
                        associate, as defined in section 160.103 of 
                        title 45, Code of Federal Regulations (or any 
                        successor to such regulation), to the extent 
                        such entity is acting as a business associate 
                        under the HIPAA privacy regulations (as defined 
                        in such section 1180(b)(3)); or
                            (iii) an entity that is subject to 
                        restrictions on disclosure of records under 
                        section 543 of the Public Health Service Act 
                        (42 U.S.C. 290dd-2), to the extent such entity 
                        is acting in a capacity subject to such 
                        restrictions.
            (8) Service provider.--
                    (A) In general.--The term ``service provider'' 
                means a person who--
                            (i) collects, retains, uses, or discloses 
                        personal reproductive or sexual health 
                        information for the sole purpose of, and only 
                        to the extent that such person is, conducting 
                        business activities on behalf of, for the 
                        benefit of, under instruction of, and under 
                        contractual agreement with a regulated entity 
                        and not any other individual or entity; and
                            (ii) does not divulge personal reproductive 
                        or sexual health information to any individual 
                        or entity other than such regulated entity or a 
                        contractor to such service provider bound to 
                        information processing terms no less 
                        restrictive than terms to which such service 
                        provider is bound.
                    (B) Limitation of application.--Such person shall 
                only be considered a service provider in the course of 
                activities described in subparagraph (A)(i).
                    (C) Minimization by service providers.--For 
                purposes of compliance with section 2 by a service 
                provider of a regulated entity, a request from an 
                individual to such regulated entity for a product or 
                service, and an express consent from such individual to 
                such regulated entity, shall be treated as having also 
                been provided to such service provider.
            (9) Third party.--The term ``third party'' means, with 
        respect to the disclosing or collecting of personal 
        reproductive or sexual health information, any person who is 
        not--
                    (A) the regulated entity that is disclosing or 
                collecting such information;
                    (B) the individual to whom such information 
                relates; or
                    (C) a service provider.

SEC. 7. EXCEPTION FOR THE PUBLICATION OF NEWSWORTHY INFORMATION.

    Nothing in this Act, or a regulation promulgated under this Act, 
shall apply with respect to personal reproductive or sexual health 
information that is collected, retained, used, or disclosed by a 
regulated entity for the publication of newsworthy information of 
legitimate public concern to the public, or to the collecting, 
retaining, using, or disclosing of such information by a regulated 
entity for that purpose, if such regulated entity has reasonable 
safeguards and processes that prevent the collecting, retaining, using, 
or disclosing of personal reproductive or sexual health information for 
commercial purposes other than the publication of newsworthy 
information of legitimate public concern.

SEC. 8. RELATIONSHIP TO FEDERAL AND STATE LAWS.

    (a) Federal Law Preservation.--Nothing in this Act, or a regulation 
promulgated under this Act, shall be construed to limit any other 
provision of Federal law, except as specifically provided in this Act.
    (b) State Law Preservation.--
            (1) In general.--Nothing in this Act, or a regulation 
        promulgated under this Act, shall be construed to preempt, 
        displace, or supplant any State law, except to the extent that 
        a provision of State law conflicts with a provision of this 
        Act, or a regulation promulgated under this Act, and then only 
        to the extent of the conflict.
            (2) Greater protection under state law.--For purposes of 
        this subsection, a provision of State law does not conflict 
        with a provision of this Act, or a regulation promulgated under 
        this Act, if such provision of State law provides greater 
        privacy protection than the privacy protection provided by such 
        provision of this Act or such regulation.

SEC. 9. SAVINGS CLAUSE.

    Nothing in this Act shall be construed to limit the authority of 
the Commission under any other provision of law. Nothing in this Act, 
or a regulation promulgated under this Act, shall be construed to 
prohibit a regulated entity from disclosing personal reproductive or 
sexual health information to the Commission as required by law, in 
compliance with a court order, or in compliance with a civil 
investigative demand or similar process authorized under law.

SEC. 10. SEVERABILITY CLAUSE.

    If any provision of this Act, or the application thereof to any 
person or circumstance, is held invalid, the remainder of this Act, and 
the application of such provision to other persons not similarly 
situated or to other circumstances, shall not be affected by the 
invalidation.