[Congressional Bills 118th Congress]
[From the U.S. Government Publishing Office]
[S. 1656 Introduced in Senate (IS)]

118th CONGRESS
  1st Session
                                S. 1656

   To protect the privacy of personal reproductive or sexual health 
                  information, and for other purposes.


_______________________________________________________________________


                   IN THE SENATE OF THE UNITED STATES

                              May 17, 2023

 Ms. Hirono (for herself, Mr. Wyden, Ms. Baldwin, Mr. Blumenthal, Mr. 
Brown, Ms. Cantwell, Ms. Duckworth, Mrs. Gillibrand, Ms. Klobuchar, Mr. 
  Merkley, Mr. Menendez, Mrs. Shaheen, and Ms. Smith) introduced the 
 following bill; which was read twice and referred to the Committee on 
                 Commerce, Science, and Transportation

_______________________________________________________________________

                                 A BILL


 
   To protect the privacy of personal reproductive or sexual health 
                  information, and for other purposes.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

    This Act may be cited as the ``My Body, My Data Act of 2023''.

SEC. 2. MINIMIZATION.

    (a) Minimization of Collecting, Retaining, Using, and Disclosing.--
A regulated entity may not collect, retain, use, or disclose personal 
reproductive or sexual health information, except as is strictly 
necessary to provide a product or service that the individual to whom 
such information relates has requested from such regulated entity.
    (b) Minimization of Employee Access.--A regulated entity shall 
restrict access to personal reproductive or sexual health information 
by the employees or service providers of such regulated entity to such 
employees or service providers for which access is necessary to provide 
a product or service that the individual to whom such information 
relates has requested from such regulated entity.

SEC. 3. RIGHT OF ACCESS, CORRECTION, AND DELETION.

    (a) Right of Access.--
            (1) In general.--A regulated entity shall make available a 
        reasonable mechanism by which an individual, upon a verified 
        request, may access--
                    (A) any personal reproductive or sexual health 
                information relating to such individual that is 
                retained by such regulated entity, including--
                            (i) in the case of such information that 
                        such regulated entity collected from third 
                        parties, how and from which specific third 
                        parties such regulated entity collected such 
                        information; and
                            (ii) such information that such regulated 
                        entity inferred about such individual; and
                    (B) a list of the specific third parties to which 
                such regulated entity has disclosed any personal 
                reproductive or sexual health information relating to 
                such individual.
            (2) Format.--A regulated entity shall make the information 
        described in paragraph (1) available in both a human-readable 
        format and a structured, interoperable, and machine-readable 
        format.
    (b) Right of Correction.--A regulated entity shall make available a 
reasonable mechanism by which an individual, upon a verified request, 
may direct the correction of any inaccurate personal reproductive or 
sexual health information relating to such individual that is retained 
by such regulated entity or the service providers of such regulated 
entity, including any such information that such regulated entity 
collected from a third party or inferred from other information 
retained by such regulated entity.
    (c) Right of Deletion.--A regulated entity shall make available a 
reasonable mechanism by which an individual, upon a verified request, 
may direct the deletion of any personal reproductive or sexual health 
information relating to such individual that is retained by such 
regulated entity and the service providers of such regulated entity, 
including any such information that such regulated entity collected 
from a third party or inferred from other information retained by such 
regulated entity.
    (d) General Provisions.--
            (1) Reasonable mechanism defined.--In this section, the 
        term ``reasonable mechanism'' means, with respect to a 
        regulated entity and a right under this section, a mechanism 
        that--
                    (A) is provided in the primary manner through which 
                such regulated entity provides the goods or services of 
                such regulated entity;
                    (B) is easy to use and prominently available; and
                    (C) includes an online means of exercising such 
                right.
            (2) Timeline for complying with requests.--A regulated 
        entity shall comply with a verified request received under this 
        section without undue delay and not later than 15 days after 
        the date on which the requesting individual submits the 
        verified request.
            (3) Fees prohibited.--A regulated entity may not charge a 
        fee to an individual for a request made under this section.
            (4) Rules of construction.--Nothing in this section shall 
        be construed to require a regulated entity to--
                    (A) take an action that would convert information 
                that is not personal information into personal 
                information;
                    (B) collect or retain personal information that 
                such regulated entity would otherwise not collect or 
                retain; or
                    (C) retain personal information longer than such 
                regulated entity would otherwise retain such 
                information.

SEC. 4. PRIVACY POLICY.

    (a) Policy Required.--A regulated entity shall maintain a privacy 
policy relating to the practices of such regulated entity regarding the 
collecting, retaining, using, and disclosing of personal reproductive 
or sexual health information.
    (b) Publication Required.--A regulated entity shall prominently 
publish the privacy policy required by subsection (a) on the website of 
such regulated entity.
    (c) Contents.--The privacy policy required by subsection (a) shall 
be clear and conspicuous and shall contain, at a minimum, the 
following:
            (1) A description of the practices of the regulated entity 
        regarding the collecting, retaining, using, and disclosing of 
        personal reproductive or sexual health information.
            (2) A concise statement of the categories of such 
        information collected, retained, used, or disclosed by the 
        regulated entity.
            (3) A concise statement, for each such category, of the 
        purposes of such regulated entity for the collecting, 
        retaining, using, or disclosing of such information.
            (4) A list of the specific third parties to which such 
        regulated entity discloses such information, and a concise 
        statement of the purposes for which such regulated entity 
        discloses such information, including how such information may 
        be used by each such third party.
            (5) A list of the specific third parties from which such 
        regulated entity has collected such information, and a concise 
        statement of the purposes for which such regulated entity 
        collects such information.
            (6) A concise statement describing the extent to which 
        individuals may exercise control over the collecting, 
        retaining, using, and disclosing of personal reproductive or 
        sexual health information by such regulated entity, the steps 
        an individual is required to take to implement such controls, 
        and direct links to such controls.
            (7) A concise statement describing the efforts of the 
        regulated entity to protect personal reproductive or sexual 
        health information from unauthorized disclosure.

SEC. 5. PROHIBITION AGAINST RETALIATION.

    A regulated entity may not retaliate against an individual because 
the individual exercises a right of the individual under this Act, 
including by--
            (1) denying goods or services to the individual;
            (2) charging the individual different prices or rates for 
        goods or services, including by using discounts or other 
        benefits or imposing penalties;
            (3) providing a different level or quality of goods or 
        services to the individual; or
            (4) suggesting that the individual will receive a different 
        price or rate for goods or services or a different level or 
        quality of goods or services.

SEC. 6. ENFORCEMENT.

    (a) Enforcement by Federal Trade Commission.--
            (1) Unfair or deceptive acts or practices.--A violation of 
        this Act or a regulation promulgated under this Act shall be 
        treated as a violation of a regulation under section 
        18(a)(1)(B) of the Federal Trade Commission Act (15 U.S.C. 
        57a(a)(1)(B)) regarding unfair or deceptive acts or practices.
            (2) Powers of commission.--Except as provided in section 
        7(6)(A)(ii), the Commission shall enforce this Act and the 
        regulations promulgated under this Act in the same manner, by 
        the same means, and with the same jurisdiction, powers, and 
        duties as though all applicable terms and provisions of the 
        Federal Trade Commission Act (15 U.S.C. 41 et seq.) were 
        incorporated into and made a part of this Act, and any 
        regulated entity that violates this Act or a regulation 
        promulgated under this Act shall be subject to the penalties 
        and entitled to the privileges and immunities provided in the 
        Federal Trade Commission Act.
            (3) Rulemaking authority.--The Commission may promulgate 
        regulations under section 553 of title 5, United States Code, 
        to implement this Act.
    (b) Enforcement by Individuals.--
            (1) In general.--Any individual alleging a violation of 
        this Act or a regulation promulgated under this Act may bring a 
        civil action in any court of competent jurisdiction.
            (2) Relief.--In a civil action brought under paragraph (1) 
        in which the plaintiff prevails, the court may award--
                    (A) an amount not less than $100 and not greater 
                than $1,000 per violation per day, or actual damages, 
                whichever is greater;
                    (B) punitive damages;
                    (C) reasonable attorney's fees and litigation 
                costs; and
                    (D) any other relief, including equitable or 
                declaratory relief, that the court determines 
                appropriate.
            (3) Injury in fact.--A violation of this Act, or a 
        regulation promulgated under this Act, with respect to personal 
        reproductive or sexual health information constitutes a 
        concrete and particularized injury in fact to the individual to 
        whom such information relates.
            (4) Invalidity of pre-dispute arbitration agreements and 
        pre-dispute joint action waivers.--
                    (A) In general.--Notwithstanding any other 
                provision of law, no pre-dispute arbitration agreement 
                or pre-dispute joint-action waiver shall be valid or 
                enforceable with respect to a dispute arising under 
                this Act.
                    (B) Applicability.--Any determination as to whether 
                or how this paragraph applies to any dispute shall be 
                made by a court, rather than an arbitrator, without 
                regard to whether such agreement purports to delegate 
                such determination to an arbitrator.
                    (C) Definitions.--For purposes of this paragraph:
                            (i) Pre-dispute arbitration agreement.--The 
                        term ``pre-dispute arbitration agreement'' 
                        means any agreement to arbitrate a dispute that 
                        has not arisen at the time of the making of the 
                        agreement.
                            (ii) Pre-dispute joint-action waiver.--The 
                        term ``pre-dispute joint-action waiver'' means 
                        an agreement that would prohibit a party from 
                        participating in a joint, class, or collective 
                        action in a judicial, arbitral, administrative, 
                        or other forum, concerning a dispute that has 
                        not arisen at the time of the making of the 
                        agreement.

SEC. 7. DEFINITIONS.

    In this Act:
            (1) Collect.--The term ``collect'' means, with respect to 
        personal reproductive or sexual health information, for a 
        regulated entity to obtain such information in any manner.
            (2) Commission.--The term ``Commission'' means the Federal 
        Trade Commission.
            (3) Disclose.--The term ``disclose'' means, with respect to 
        personal reproductive or sexual health information, for a 
        regulated entity to release, transfer, sell, provide access to, 
        license, or divulge such information in any manner to a third 
        party or government entity.
            (4) Personal information.--The term ``personal 
        information'' means information that identifies, relates to, 
        describes, is reasonably capable of being associated with, or 
        could reasonably be linked, directly or indirectly, with a 
        particular individual, household, or device.
            (5) Personal reproductive or sexual health information.--
        The term ``personal reproductive or sexual health information'' 
        means personal information relating to the past, present, or 
        future reproductive or sexual health of an individual, 
        including--
                    (A) efforts to research or obtain reproductive or 
                sexual health information, services, or supplies, 
                including location information that might indicate an 
                attempt to acquire or receive such information, 
                services, or supplies;
                    (B) reproductive or sexual health conditions, 
                status, diseases, or diagnoses, including pregnancy and 
                pregnancy-related conditions, menstruation, ovulation, 
                ability to conceive a pregnancy, whether such 
                individual is sexually active, and whether such 
                individual is engaging in unprotected sex;
                    (C) reproductive- and sexual-health-related 
                surgeries or procedures, including abortion;
                    (D) use or purchase of contraceptives, medication 
                abortion, or any other drug, device, or materials 
                related to reproductive health;
                    (E) bodily functions, vital signs, measurement, or 
                symptoms related to menstruation or pregnancy, such as 
                basal temperature, cramps, bodily discharge, or hormone 
                levels;
                    (F) any information about diagnoses or diagnostic 
                testing, treatment, medications, or the purchase or use 
                of any product or service relating to the matters 
                described in subparagraphs (A) through (E); and
                    (G) any information described in subparagraphs (A) 
                through (F) that is derived or extrapolated from non-
                health information, including proxy, derivative, 
                inferred, emergent, and algorithmic data.
            (6) Regulated entity.--
                    (A) In general.--The term ``regulated entity'' 
                means any entity (to the extent such entity is engaged 
                in activities in or affecting commerce (as defined in 
                section 4 of the Federal Trade Commission Act (15 
                U.S.C. 44)) that is--
                            (i) a person, partnership, or corporation 
                        subject to the jurisdiction of the Commission 
                        under section 5(a)(2) of the Federal Trade 
                        Commission Act (15 U.S.C. 45(a)(2)); or
                            (ii) notwithstanding section 4, 5(a)(2), or 
                        6 of the Federal Trade Commission Act (15 
                        U.S.C. 44; 45(a)(2); 46) or any jurisdictional 
                        limitation of the Commission--
                                    (I) a common carrier subject to the 
                                Communications Act of 1934 (47 U.S.C. 
                                151 et seq.) and all Acts amendatory 
                                thereof and supplementary thereto; or
                                    (II) an organization not organized 
                                to carry on business for its own profit 
                                or that of its members.
                    (B) Exclusions.--The term ``regulated entity'' does 
                not include--
                            (i) an entity that is a covered entity, as 
                        defined in section 160.103 of title 45, Code of 
                        Federal Regulations (or any successor to such 
                        regulation), to the extent such entity is 
                        acting as a covered entity under the HIPAA 
                        privacy regulations (as defined in section 
                        1180(b)(3) of the Social Security Act (42 
                        U.S.C. 1320d-9(b)(3)));
                            (ii) an entity that is a business 
                        associate, as defined in section 160.103 of 
                        title 45, Code of Federal Regulations (or any 
                        successor to such regulation), to the extent 
                        such entity is acting as a business associate 
                        under the HIPAA privacy regulations (as defined 
                        in such section 1180(b)(3)); or
                            (iii) an entity that is subject to 
                        restrictions on disclosure of records under 
                        section 543 of the Public Health Service Act 
                        (42 U.S.C. 290dd-2), to the extent such entity 
                        is acting in a capacity subject to such 
                        restrictions.
            (7) Service provider.--
                    (A) In general.--The term ``service provider'' 
                means a person who--
                            (i) collects, retains, uses, or discloses 
                        personal reproductive or sexual health 
                        information for the sole purpose of, and only 
                        to the extent that such person is, conducting 
                        business activities on behalf of, for the 
                        benefit of, under instruction of, and under 
                        contractual agreement with a regulated entity 
                        and not any other individual or entity; and
                            (ii) does not divulge personal reproductive 
                        or sexual health information to any individual 
                        or entity other than such regulated entity or a 
                        contractor to such service provider bound to 
                        information processing terms no less 
                        restrictive than terms to which such service 
                        provider is bound.
                    (B) Limitation of application.--Such person shall 
                only be considered a service provider in the course of 
                activities described in subparagraph (A)(i).
                    (C) Minimization by service providers.--For 
                purposes of compliance with section 2 by a service 
                provider of a regulated entity, a request from an 
                individual to such regulated entity for a product or 
                service shall be treated as having also been provided 
                to such service provider.
            (8) Third party.--The term ``third party'' means, with 
        respect to the disclosing or collecting of personal 
        reproductive or sexual health information, any person who is 
        not--
                    (A) the regulated entity that is disclosing or 
                collecting such information;
                    (B) the individual to whom such information 
                relates; or
                    (C) a service provider.

SEC. 8. RULE OF CONSTRUCTION.

    Nothing in this Act shall be construed to limit or diminish First 
Amendment freedoms guaranteed under the Constitution.

SEC. 9. RELATIONSHIP TO FEDERAL AND STATE LAWS.

    (a) Federal Law Preservation.--Nothing in this Act, or a regulation 
promulgated under this Act, shall be construed to limit any other 
provision of Federal law, except as specifically provided in this Act.
    (b) State Law Preservation.--
            (1) In general.--Nothing in this Act, or a regulation 
        promulgated under this Act, shall be construed to preempt, 
        displace, or supplant any State law, except to the extent that 
        a provision of State law conflicts with a provision of this 
        Act, or a regulation promulgated under this Act, and then only 
        to the extent of the conflict.
            (2) Greater protection under state law.--For purposes of 
        this subsection, a provision of State law does not conflict 
        with a provision of this Act, or a regulation promulgated under 
        this Act, if such provision of State law provides greater 
        privacy protection than the privacy protection provided by such 
        provision of this Act or such regulation.

SEC. 10. SAVINGS CLAUSE.

    Nothing in this Act shall be construed to limit the authority of 
the Commission under any other provision of law. Nothing in this Act, 
or a regulation promulgated under this Act, shall be construed to 
prohibit a regulated entity from disclosing personal reproductive or 
sexual health information to the Commission as required by law, in 
compliance with a court order, or in compliance with a civil 
investigative demand or similar process authorized under law.

SEC. 11. SEVERABILITY CLAUSE.

    If any provision of this Act, or the application thereof to any 
person or circumstance, is held invalid, the remainder of this Act, and 
the application of such provision to other persons not similarly 
situated or to other circumstances, shall not be affected by the 
invalidation.