On June 15, 2022, Senator Elizabeth Warren introduced Senate Bill S.4408, Health and Location Data Privacy Act of 2022 (the “Bill”). The Bill, co-sponsored with Senators Ron Wyden, Patty Murray, Sheldon Whitehouse, and Bernie Sanders, prohibits data brokers from transferring and selling certain sensitive data, specifically health and location data. Senator Warren also introduced a one-pager providing a high-level background for the Bill (“One-Pager”). The Bill has been referred to the Senate Committee on Commerce, Science, and Transportation.
If enacted, the Bill would impose substantial limits on the ability of “data brokers” to sell, trade, or license location or health data. The Bill would have far-reaching implications because it defines “data broker” broadly as “a person that collects, buys, licenses, or infers data about individuals and then sells, licenses, or trades that data.” Further, the Bill empowers the Federal Trade Commission (the “Commission”), state attorneys general, and private litigants to enforce the provisions of the Bill, allowing for a broad range of remedies including damages and injunctions to stop illegal practices.
Senator Warren proposed the Bill soon after the House Committee on Energy and Commerce held a hearing on the American Data Privacy and Protection Act (ADPPA), a bipartisan data privacy proposal that is also being considered by Congress. The timing of both of these bills indicates that privacy issues are gaining traction in Congress, though it is unclear if either will pass into law. Notably, the two pieces of legislation regulate separate issues (i.e., ADPPA does not have specific provisions aimed at data brokers), which means that, if both were signed into law, entities regulated as data brokers under the Bill would have to comply with both laws. This is on top of the obligations that they would have under state law because the Bill’s current preemption provision likely does not apply to the data broker laws in effect in California and Vermont.
Below are selected highlights from the Bill:
Subjects of the Bill. Data brokers amass personal and sensitive information from a variety of sources, with or without consent, at times selling such data. According to the Commission, as referenced in Senator Warren’s One-Pager, most data brokers collect information about consumers from three main sources: (1) government sources; (2) other publicly available sources; and (3) commercial sources. While each data broker source may provide only a few data points about a consumer’s activities, data brokers have the ability to aggregate data elements to form a detailed composite of a consumer’s life.1 The Bill applies to such data brokers and prohibits data brokers that collect, buy, license or infer health and location data about individuals from then selling, licensing, or trading such data.
Enforcement. The Bill charges the Commission with carrying out the provisions of the Bill. More broadly, however, state attorneys general may also enforce the provisions of the Bill. Further, the Bill contains a private right of action for plaintiffs whose health and location data has been transferred or sold.
Cause of Action. The Bill provides that the Commission may bring a civil action against data brokers violating the provisions of the Bill, in an appropriate district to:
- Enjoin any further violation;
- Enforce compliance through the deletion of the sensitive information;
- Obtain permanent, temporary, or preliminary injunction(s);
- Obtain civil penalties; or
- Obtain damages including actual, punitive or otherwise, restitution, disgorgement of unjust enrichment or any other appropriate equitable relief.
Statute of limitations. Under the Bill, plaintiffs may bring suit up to six (6) years after the date upon which the plaintiff obtains actual knowledge of the violation.
Non-profits. Notably, and seemingly in line with a trend in other proposals for federal privacy legislation such as the ADPPA, the Bill does not exempt non-profit organizations from privacy obligations. Non-profit and for-profit organizations alike are subject to health or location privacy protections under the Bill.
Funding. The Bill proposes funding the Commission to carry out its enforcement efforts with $1 billion, which would remain available until September 30, 2032.
Preemption. The provisions of the Bill only preempt the provisions of state or local law that require disclosures that are prohibited by the Bill. This means that the data broker laws in California and Vermont would likely remain intact if the Bill were passed into law.
Exceptions. Finally, the Bill makes exceptions and does not prohibit any action with respect to (i) the Health Insurance Portability and Accountability Act of 1996; (ii) protected First Amendment rights for the publication of newsworthy information of public concern; and (iii) validly authorized disclosures.