Health and Location Data Protection Act of 2024

It shall be unlawful for a data broker to sell, resell, license, trade, transfer, share, or otherwise provide or make available any of the following forms of data, whether declared or inferred, of an individual:

(1) Location data.

(2) Health data.

(3) Other categories of data identified by the Commission that address or reveal a category of data described in paragraphs (1) and (2).

Nothing in this Act shall be construed to prohibit any action taken with respect to the health information of an individual by a data broker, acting in its capacity as a business associate or covered entity, that is permissible under the Federal regulations concerning standards for privacy of individually identifiable health information promulgated under section 264(c) of the Health Insurance Portability and Accountability Act of 1996 (42 U.S.C. 1320d–2 note).

In paragraph (1), the terms business associate, covered entity, and health information shall have the meaning given those terms in the Federal regulations specified in such paragraph.

Nothing in this Act shall be construed to prohibit the publication of newsworthy information of legitimate public concern.

Nothing in this Act shall be construed to prohibit a disclosure of the data of an individual for which the individual provides valid authorization. For purposes of this paragraph, the term valid authorization has the meaning given such term in section 164.508 of title 45, Code of Federal Regulations (or a successor regulation), subject to such adaptations as the Commission shall deem necessary to apply such term to the disclosure of both location data and health data.

The prohibition under subsection (a) shall take effect on the earlier of—

(1) the date the Commission issues the final rule under subsection (d); or

(2) 180 days after the date of enactment of this Act.

Pursuant to section 553 of title 5, United States Code, the Commission shall promulgate regulations to carry out the provisions of this Act. The Commission shall issue a final rule by not later than 180 days after the date of enactment of this Act.

Pursuant to section 553 of title 5, United States Code, the Commission may promulgate further regulations to carry out the provisions of this Act, including further guidance regarding the types of data described in subsection (a).

A violation of section 2 shall be treated as a violation of a rule defining an unfair or a deceptive act or practice under section 18(a)(1)(B) of the Federal Trade Commission Act (15 U.S.C. 57a(a)(1)(B)).

Except as provided in subparagraphs (D) and (E), the Commission shall enforce section 2 in the same manner, by the same means, and with the same jurisdiction, powers, and duties as though all applicable terms and provisions of the Federal Trade Commission Act (15 U.S.C. 41 et seq.) were incorporated into and made a part of this Act.

Any person who violates section 2 shall be subject to the penalties and entitled to the privileges and immunities provided in the Federal Trade Commission Act (15 U.S.C. 41 et seq.).

Nothing in this Act shall be construed to limit the authority of the Federal Trade Commission under any other provision of law.

Notwithstanding section 4 of the Federal Trade Commission Act (15 U.S.C. 44) or any jurisdictional limitation of the Commission, the Commission shall also enforce this Act, in the same manner provided in subparagraphs (A) and (B), with respect to organizations not organized to carry on business for their own profit or that of their members.

In any case in which the Commission has reason to believe that a data broker is violating or has violated section 2, the Commission may bring a civil action in an appropriate district court of the United States to—

(i) enjoin any further such violation by such person;

(ii) enforce compliance with this Act, including through deletion of the relevant information;

(iii) obtain a permanent, temporary, or preliminary injunction;

(iv) obtain civil penalties;

(v) obtain damages (whether actual, punitive, or otherwise), restitution, disgorgement of unjust enrichment, or other compensation on behalf of aggrieved persons; or

(vi) obtain any other appropriate equitable relief.

In any case in which the attorney general of a State has reason to believe that an interest of the residents of the State has been or is threatened or adversely affected by the engagement of any data broker subject to section 2 in a practice that violates such section, the attorney general of the State may, as parens patriae, bring a civil action on behalf of the residents of the State in an appropriate district court of the United States to—

(A) enjoin any further such violation by such person;

(B) enforce compliance with this Act, including through deletion of the relevant information;

(C) obtain a permanent, temporary, or preliminary injunction;

(D) obtain civil penalties;

(E) obtain damages (whether actual, punitive, or otherwise), restitution, disgorgement of unjust enrichment, or other compensation on behalf of aggrieved persons; or

(F) obtain any other appropriate equitable relief.

Before filing an action under paragraph (1), the attorney general, official, or agency of the State involved shall provide to the Commission a written notice of such action and a copy of the complaint for such action. If the attorney general, official, or agency determines that it is not feasible to provide the notice described in this paragraph before the filing of the action, the attorney general, official, or agency shall provide written notice of the action and a copy of the complaint to the Commission immediately upon the filing of the action.

If the Commission has instituted a civil action for a violation of section 2, no State attorney general, or official or agency of a State, may bring an action under this paragraph during the pendency of that action against any defendant named in the complaint of the Commission for any violation of section 2 alleged in the complaint.

If the attorney general of a State has authority to bring an action under State law directed at acts or practices that also violate section 2, the attorney general may assert the State-law claim and a claim under section 2 in the same civil action.

Nothing in this subsection may be construed to prevent the attorney general of a State from exercising the powers conferred on the attorney general by the laws of the State to conduct investigations, to administer oaths or affirmations, or to compel the attendance of witnesses or the production of documentary or other evidence.

Any person whose interest has been or is threatened or adversely affected by the engagement of any data broker subject to section 2 in a practice that violates such section may bring a civil action in an appropriate district court of the United States to—

(1) enjoin any further such violation by such person;

(2) enforce compliance with this Act, including through deletion of the relevant information;

(3) obtain a permanent, temporary, or preliminary injunction;

(4) obtain damages (whether actual, punitive, or otherwise), restitution, or other compensation;

(5) obtain reasonable attorney’s fees, including litigation expenses, and costs; or

(6) obtain any other appropriate equitable relief.

In addition to any other penalties as may be prescribed by law, a violation of this Act shall carry a civil penalty not to exceed 15 percent of the revenues earned by the person’s ultimate parent entity during the preceding 12-month period.

For any action brought under this Act, the following district courts shall have exclusive jurisdiction:

(A) For actions brought by the Commission, the United States District Court for the District of Columbia.

(B) For actions brought by a State attorney general, the district court of the United States for the judicial district in which the capital of the State is located.

(C) For private actions brought by persons—

(i) the United States District Court for the District of Columbia; or

(ii) the district court of the United States for the judicial district in which the violation took place or in which any defendant resides or does business.

The United States Court of Appeals for the District of Columbia Circuit shall have exclusive jurisdiction of appeals from all decisions under paragraph (1).

A proceeding for a violation of this Act may be commenced not later than 6 years after the date upon which the plaintiff obtains actual knowledge of the facts giving rise to such violation.

The provisions of this Act preempt only the provisions of State or local law that require disclosure prohibited by this Act.

The term Commission means the Federal Trade Commission.

Not later than 180 days after the date of enactment of this Act, the Commission shall adopt rules in accordance with section 553 of title 5, United States Code, to define the term data for the purpose of implementing and enforcing this Act.

The term data shall include information that is linked, or reasonably linkable, to—

(i) specific individuals; or

(ii) specific groups of individuals who share the same place of residence or internet protocol address.

The term data broker means a person that collects, buys, licenses, or infers data about individuals and then sells, licenses, or trades that data.

The term health data means data that reveal or describe—

(A) the search for, attempt to obtain, or receipt of any health services;

(B) any past, present, or future disability, physical health condition, mental health condition, or health condition of an individual, including, but not limited to, pregnancy and miscarriage; or

(C) any treatment or diagnosis of a disability or condition described in subparagraph (B).

The term location data means data capable of determining the past or present physical location of an individual or an individual’s device.

The term State means each of the several States, the District of Columbia, each commonwealth, territory, or possession of the United States, and each federally recognized Indian Tribe.

The term ultimate parent entity has the meaning given the term in section 801.1 of title 16, Code of Federal Regulations (or any successor regulation).