“A bill to protect the privacy of personal reproductive or sexual health information, and for other purposes.”
No CRS summary available for this bill.
This section establishes data minimization requirements for regulated entities with respect to personal reproductive or sexual health information. Specifically, it (1) prohibits such entities from collecting, retaining, using, or disclosing the information except as strictly necessary to provide a product or service requested by the individual; and (2) requires restricting access to the information by the entity's employees or service providers to only those for whom such access is necessary to provide the requested product or service.
This section requires regulated entities to provide individuals, upon verified request, with a reasonable mechanism (i.e., easy to use, prominently available online through the entity's primary service channel) to (1) access their personal reproductive or sexual health information—including data collected from or inferred about them and disclosures to specific third parties—in both human-readable and machine-readable formats; (2) correct any such information that is inaccurate and is retained by the entity or its service providers; and (3) direct deletion of such information retained by the entity or its service providers. Regulated entities must comply with such requests without undue delay and no later than 15 days after receipt and may not charge fees for them. The section specifies that these requirements do not compel entities to convert non-personal information into personal information, collect or retain additional information, or retain it longer than otherwise planned.
This section requires each regulated entity to maintain a privacy policy regarding its practices for collecting, retaining, using, and disclosing personal reproductive or sexual health information and to prominently publish the policy on its website. The policy must be clear and conspicuous and include, at a minimum: (1) a description of those practices; (2) categories of such information collected, retained, used, or disclosed; (3) for each category, the entity's purposes for those activities; (4) specific third parties to which the entity discloses such information, and the purposes of disclosure including third-party uses; (5) specific third parties from which the entity collects such information, and the purposes of collection; (6) the extent of individual control over such activities, steps to implement controls, and direct links to those controls; and (7) the entity's efforts to protect such information from unauthorized disclosure.
This section prohibits a regulated entity from retaliating against an individual for exercising a right under the Act, including by (1) denying goods or services to the individual; (2) charging the individual different prices or rates for goods or services, including through discounts, benefits, or penalties; (3) providing the individual a different level or quality of goods or services; or (4) suggesting the individual will receive a different price, rate, level, or quality of goods or services.
This section establishes Federal Trade Commission (FTC) enforcement of the Act by treating violations as unfair or deceptive acts or practices under FTC rulemaking authority (15 U.S.C. 57a(a)(1)(B)) and incorporating applicable Federal Trade Commission Act (15 U.S.C. 41 et seq.) powers, privileges, immunities, penalties, and duties (with rulemaking under 5 U.S.C. 553). It further provides a private right of action, authorizing courts to award prevailing plaintiffs $100–$1,000 per violation per day (or actual damages, if greater), punitive damages, attorney’s fees and costs, and other relief; deems violations involving personal reproductive or sexual health information to constitute injury in fact; and invalidates pre-dispute arbitration agreements and joint-action waivers for disputes under the Act (with courts, not arbitrators, determining applicability).
This section establishes definitions for purposes of the Act, including (1) "collect," meaning for a regulated entity to obtain personal reproductive or sexual health information in any manner; (2) "Commission," meaning the Federal Trade Commission; (3) "disclose," meaning for a regulated entity to release, transfer, sell, provide access to, license, or divulge such information to a third party or government entity; (4) "personal information," meaning information that identifies or is reasonably linkable to a particular individual, household, or device; and (5) "personal reproductive or sexual health information," meaning personal information relating to an individual's past, present, or future reproductive or sexual health (e.g., pregnancy status, contraception use, abortion procedures, menstruation symptoms, and inferred data derived therefrom). This section further defines (6) "regulated entity" as any entity engaged in or affecting commerce (as defined in 15 U.S.C. 44) that is subject to FTC jurisdiction or, notwithstanding certain FTC Act limitations, a common carrier under the Communications Act of 1934 or a nonprofit organization—excluding HIPAA covered entities and business associates acting under HIPAA privacy rules and entities restricted under 42 U.S.C. 290dd–2; (7) "service provider," meaning a person handling such information solely on behalf of and under contract with a regulated entity, with duties including data minimization; and (8) "third party," meaning any person other than the regulated entity, the affected individual, or a service provider.
This section provides that the Act and its regulations do not limit other federal laws except as specifically provided and do not preempt, displace, or supplant state laws except to the extent of any direct conflict, with state laws providing greater privacy protections deemed not to conflict.
This section includes a savings clause preserving the Commission's authority under any other provision of law and clarifying that neither the Act nor regulations promulgated thereunder prohibit a regulated entity from disclosing personal reproductive or sexual health information to the Commission as required by law, in compliance with a court order, or in compliance with a civil investigative demand or similar process authorized under law.
This section establishes a severability clause, providing that if any provision of the Act, or its application to any person or circumstance, is held invalid, the remainder of the Act and the application of such provision to other persons or circumstances remain unaffected.