II
117TH CONGRESS
1ST SESSION
S. 500
To prohibit the transfer or sale of certain consumer health information,
and for other purposes.
IN THE SENATE OF THE UNITED STATES
MARCH 1, 2021
Mr. CASSIDY (for himself and Ms. ROSEN) introduced the following bill; which
was read twice and referred to the Committee on Health, Education,
Labor, and Pensions
A BILL
To prohibit the transfer or sale of certain consumer health
information, and for other purposes.
Be it enacted by the Senate and House of Representatives of the United States of America in Congress assembled,
SECTION 1. SHORT TITLE.
This Act may be cited as the “Stop Marketing And Revealing The Wearables And Trackers Consumer Health Data Act” or the “SMARTWATCH Data Act”.
SEC. 2. DEFINITIONS.
In this Act:
(1) AGGREGATED.—The term “aggregated”, with respect to consumer health information—
(A) means the removal of individual consumer identities, so that the information is not linked or reasonably linkable to any consumer, including a personal consumer device; and
(B) does not include one or more individual consumer records that have not been deidentified.
(2) BIOMETRIC INFORMATION.—The term “biometric information”—
(A) means the physiological, biological, or behavioral characteristics of an individual, and the recorded, copied, captured, converted, stored derivatives of any such characteristics, that can be used, singly or in combination with each other or with other identifying data, to establish the identity of an individual; and
(B) includes deoxyribonucleic acid, imagery of the iris, retina, fingerprint, face, hand, palm, vein patterns, and voice recordings, from which an identifier template, such as a faceprint, a minutiae template, or a voiceprint, can be extracted.
(3) BUSINESS ASSOCIATE; COVERED ENTITY; PROTECTED HEALTH INFORMATION.—The terms “business associate”, “covered entity”, and “protected health information” have the meanings given such terms in section 160.103 of title 45, Code of Federal Regulations (or any successor regulations).
(4) COMMERCIAL PURPOSES.—The term “commercial purposes”—
(A) means an action intended—
(i) to advance the commercial or economic interests of a person, such as by inducing another person to buy, rent, lease, join, subscribe to, provide, or exchange products, goods, property, information, or services; or
(ii) to enable or affect, directly or indirectly, a commercial transaction; and
(B) does not include engaging in speech that State or Federal courts have recognized as noncommercial speech, including political speech and journalism.
(5) CONSUMER DEVICE.—The term “consumer device”—
(A) means a commercially produced piece of equipment, application software, or mechanism that has the primary function or capability to collect, store, or transmit consumer health information; and
(B) may include a device, as defined in section 201(h) of the Federal Food, Drug, and Cosmetic Act (21 U.S.C. 321(h)).
(6) CONSUMER HEALTH INFORMATION.—The term “consumer health information” means any information about the health status, personal biometric information, or personal kinesthetic information about a specific individual that is created or collected by a personal consumer device, whether detected from sensors or input manually.
(7) DEIDENTIFIED.—The term “deidentified” means information that cannot reasonably identify, relate to, describe, be capable of being associated with, or be linked, directly or indirectly, to a particular consumer, computer, or other device.
(8) INFORMATION BROKER.—The term “information broker” means any entity that collects consumers’ personal information and resells or shares that information with another person.
(9) KINESTHETIC INFORMATION.—The term “kinesthetic information” means keystroke patterns or rhythms, gait patterns or rhythms, sleep information, and other data that relates to the personal health of an individual.
SEC. 3. PROHIBITIONS.
(a) IN GENERAL.—Subject to subsection (b), no entity that collects consumer health information may—
(1) transfer, sell, share, or allow access to any consumer health information (unless aggregated or anonymized) or any other individually identifiable consumer health information collected, recorded, or derived from personal consumer devices to any domestic information broker or other domestic entity if—
(A) the primary business function of such domestic information broker or other domestic entity is collecting or analyzing consumer information for profit; or
(B) the purpose for transferring, selling, sharing, or allowing access to such information is to otherwise add value to the entity that collects consumer health information, for commercial purposes; or
(2) transfer, sell, or allow access to any consumer health information collected, stored, recorded, or derived from personal consumer devices to any information broker or any entity outside of the jurisdiction of the United States.
(b) EXCEPTIONS.—
(1) IN GENERAL.—Subject to paragraph (3), the prohibition under subsection (a)(1) shall not apply if—
(A) the entity obtains the informed consent of the consumer;
(B) the information is provided to a covered entity, as defined in section 160.103 of title 45, Code of Federal Regulations (or any successor regulations);
(C) such information is provided to a government organization or agency, including law enforcement or regulators, to comply with applicable laws, regulations, or rules, or requests of law enforcement, regulatory, or other governmental agencies or in response to a legal process in connection with a subpoena, warrant, discovery order, or other request or order from a law enforcement agency;
(D) such information is provided to the entity’s affiliates or other trusted businesses or persons to process the information as part of the entity’s external processing procedures, based on the entity’s instructions and in compliance with privacy protections and any other appropriate confidentiality and security measures;
(E) such information is provided in connection with a substantial corporate transaction of the entity, such as the transfer of ownership, a merger, consolidation, asset sale, or bankruptcy or insolvency; or
(F) such information is provided to academic, medical, research institutions, or other nonprofit organizations acting in the public interest for the purpose of detecting or responding to security incidents; preventing fraud; conducting scientific, historical, or statistical research; or preserving the security and safety of people or property.
(2) TRANSFERS TO FOREIGN ENTITIES.—Subject to paragraph (3), the prohibition under subsection (a)(2) shall not apply if—
(A) the transfer is made only for limited and specific purposes consistent with the consent provided by the individual and with assurances that the recipient will notify the entity providing the data if such recipient makes a determination that it can no longer use the data consistent with such consent;
(B) the entity transferring the information determines that the recipient of the information will provide the same level of privacy protection as is required by the entity transferring the information;
(C) the entity transferring the information takes reasonable and appropriate steps to ensure that the third party effectively processes the personal information transferred in a manner consistent with the third party’s obligations under the second party’s privacy principles; and
(D) the entity transferring the information agrees to take reasonable steps to stop and remediate unauthorized processing of information by the entity to whom such information is transferred.
(3) LIMITATION.—None of the exceptions under paragraphs (1) and (2) shall supersede any contrary rule promulgated by the Federal Trade Commission that is in effect on the date of enactment of this Act.
(c) TREATMENT OF CONSUMER HEALTH INFORMATION AS PROTECTED HEALTH INFORMATION.—If a covered entity or business associate, acting in its capacity as a business associate, receives consumer health information generated by a personal consumer device at any time for any reason, such consumer health information is considered protected health information and is subject to the same protections and restrictions under parts 162 and 164 of title 45, Code of Federal Regulations (or any successor regulations), as any other protected health information.
SEC. 4. ENFORCEMENT.
The Secretary of Health and Human Services shall enforce the requirements of section 3 against an entity that collects or receives consumer health information in the same manner and to the same extent, as such secretary enforces the privacy regulations promulgated under section 264(c) of the Health Insurance Portability and Accountability Act of 1996 (Public Law 104–191; 110 Stat. 2033) against a covered entity.