“To protect the privacy of personal reproductive or sexual health information, and for other purposes.”
No CRS summary available for this bill.
This section prohibits regulated entities from collecting, retaining, using, or disclosing personal reproductive or sexual health information except as strictly necessary to provide a product or service requested by the individual to whom the information relates. The section further requires regulated entities to restrict access to such information by their employees or service providers to only those for whom access is necessary to provide the requested product or service.
This section establishes rights for individuals to access, correct, and delete their personal reproductive or sexual health information retained by regulated entities and their service providers, upon verified request through a reasonable mechanism (i.e., easy to use, prominently available online via the entity's primary goods or services channel). Specifically, it requires regulated entities to (1) provide access to such information—including collection sources from third parties, inferences about the individual, and disclosures to specific third parties—in both human-readable and structured machine-readable formats; (2) correct such information where it is inaccurate, including information collected from third parties or inferred; and (3) delete such information. Regulated entities must comply without undue delay and within 15 days, and without charging fees. They are not required to convert non-personal information to personal information, collect or retain additional information, or retain information longer than otherwise planned.
This section requires a regulated entity to maintain and prominently publish on its website a clear and conspicuous privacy policy regarding its practices for collecting, retaining, using, and disclosing personal reproductive or sexual health information. The policy must include, at a minimum, (1) a description of such practices; (2) categories of such information collected, retained, used, or disclosed; (3) purposes for each category; (4) specific third parties to which the entity discloses such information, purposes of disclosure, and how third parties may use it; (5) specific third parties from which the entity collects such information and purposes of collection; (6) the extent of individual controls over such information, steps to implement controls, and direct links to those controls; and (7) the entity's efforts to protect such information from unauthorized disclosure.
This section prohibits a regulated entity from retaliating against an individual for exercising a right under the Act, including by (1) denying goods or services to the individual; (2) charging the individual different prices or rates for goods or services, including through discounts, benefits, or penalties; (3) providing a different level or quality of goods or services to the individual; or (4) suggesting that the individual will receive a different price, rate, level, or quality of goods or services.
This section provides Federal Trade Commission (FTC) enforcement of the Act by (1) treating violations of the Act or its regulations as unfair or deceptive acts under section 18(a)(1)(B) of the FTC Act (15 U.S.C. 57a(a)(1)(B)); (2) granting the FTC the same enforcement powers, jurisdiction, duties, penalties, privileges, and immunities as under the FTC Act (15 U.S.C. 41 et seq.), except as provided in section 7(6)(A)(ii); and (3) authorizing the FTC to promulgate implementing regulations under informal rulemaking procedures (5 U.S.C. 553). This section further establishes a private right of action allowing individuals to sue for violations, with courts awarding prevailing plaintiffs the greater of $100-$1,000 per violation per day or actual damages, plus punitive damages, reasonable attorney’s fees and litigation costs, and other appropriate relief (including equitable or declaratory relief); deems a violation involving personal reproductive or sexual health information a concrete and particularized injury in fact; and invalidates pre-dispute arbitration agreements and pre-dispute joint-action waivers for disputes under the Act (with courts, rather than arbitrators, determining applicability).
This section defines terms used in the Act, including (1) "collect," meaning for a regulated entity to obtain personal reproductive or sexual health information in any manner; (2) "disclose," meaning for a regulated entity to release, transfer, sell, provide access to, license, or divulge such information to a third party or government entity; (3) "personal information," meaning information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked to a particular individual, household, or device; (4) "personal reproductive or sexual health information," meaning personal information relating to an individual's past, present, or future reproductive or sexual health (e.g., efforts to obtain related services or supplies; conditions such as pregnancy or sexually transmitted diseases; surgeries or procedures including abortion; use of contraceptives or medication abortion; bodily functions related to menstruation or pregnancy; related diagnoses, treatments, or products; and any derived, inferred, or algorithmic data concerning such matters); (5) "regulated entity," meaning any entity engaged in or affecting commerce (as defined in 15 U.S.C. 44) that is subject to FTC jurisdiction under 15 U.S.C. 45(a)(2)—or, notwithstanding certain jurisdictional limits, a common carrier subject to the Communications Act of 1934 or a nonprofit organization—excluding HIPAA covered entities or business associates acting under HIPAA privacy regulations and entities subject to disclosure restrictions under 42 U.S.C. 290dd-2; (6) "service provider," meaning a person who collects, retains, uses, or discloses such information solely on behalf of and under contract with a regulated entity, without divulging it to others except bound contractors; and (7) "third party," meaning any person other than the regulated entity, the affected individual, or a service provider.
This section preserves other provisions of federal law from limitation by this Act or its regulations, except as specifically provided in the Act. The section further preserves state laws from preemption, displacement, or supplanting by this Act or its regulations, except to the extent of any conflict, with state laws providing greater privacy protections deemed not to conflict.
This section preserves the Commission's authority under other provisions of law and clarifies that neither this Act nor regulations promulgated thereunder prohibit a regulated entity from disclosing personal reproductive or sexual health information to the Commission as required by law, in compliance with a court order, or in compliance with a civil investigative demand or similar process authorized under law.
This section establishes a severability clause, providing that the invalidation of any provision of the Act or its application to any person or circumstance does not affect the remainder of the Act or the application of that provision to other persons or circumstances.