Bill Would Ban Brokers From Selling Health, Location Data
Warren's Proposals Seek to Protect Consumers' Sensitive Information
Legislation introduced in the U.S. Senate last week would ban data brokers from selling or transferring sensitive health and location data.
The Health and Location Data Protection Act, introduced on Wednesday by Sen. Elizabeth Warren, D-Mass., has the support of four additional lawmakers.
Backers frame the legislation as especially urgent amid an expected ruling from the Supreme Court overturning Roe v. Wade and a subsequent surge in restrictions against abortion in two dozen American states.
Location data gleaned from smartphones or information taken from a menstruation app could be used to "track and prosecute women across the U.S.," says Sen. Ron Wyden, D-Oregon.
Largely unregulated by federal law, data brokers collect personal data such as location data from "seemingly innocuous sources," including weather apps, without consumers' consent or knowledge, Warren says.
The other co-sponsors of Warren's bill are Sens. Patty Murray, D-Wash.; Sheldon Whitehouse, D-R.I.; and Bernie Sanders, I-Vt.
The Health and Location Data Protection Act proposes to:
- Ban data brokers from selling or transferring location data and health data and require the Federal Trade Commission to write rules to implement the law within 180 days;
- Empower the FTC, state attorneys general and private individuals to sue to enforce the bill's provisions and allow for legal remedies such as damages and injunctions;
- Appropriate $1 billion in funding over the next decade to the FTC to carry out its work, including the enforcement of the legislation.
The bill defines "health data" as information that reveals any successful or unsuccessful attempt to obtain health services as well as data revealing health conditions, "including, but not limited to, pregnancy and miscarriage." It also includes the diagnosis or treatment of health conditions.
The bill contains an exemption for data authorized for sharing by an individual, with authorization subject to standards set by the HIPAA Privacy Rule.
Warren's bill addresses issues tackled by other proposed privacy bills but treats location and health data with greater urgency, health privacy experts tell Information Security Media Group.
"The current debate about a post-Dobbs world has increased pressure on these points and the risks of this data," says privacy attorney Kirk Nahra of the law firm WilmerHale about the Warren proposals.
Dobbs v. Jackson Women's Health Organization is a pending Supreme Court case brought by opponents of a Mississippi law banning most abortions after the first 15 weeks of pregnancy. A leaked draft majority opinion written by Justice Samuel Alito called the Roe decision "egregiously wrong from the start" and argued abortion is not a constitutionally protected right.
"This particular set of [data broker] concerns has some momentum behind them that could prompt aggressive action on this issue separate from a national privacy law," Nahra says.
The legislation likewise spotlights mounting concerns about health data residing outside the protections of HIPAA. Data originating outside clinical settings isn’t protected by the law despite the ability of apps to collect sensitive data such as early pregnancy or caloric intake.
A study of more than 20,000 health-related apps for Android devices published last year by the British Medical Journal found the vast majority contained code that could potentially collect user data.
The investigation alleges that Facebook collects "ultrasensitive personal data about abortion seekers" and enables "anti-abortion organizations to use that data as a tool to target and influence people online, in violation of its own policies and promises."
The social media giant gathers data through a tracking tool called the Meta Pixel that works whether or not a person is logged in to their Facebook account.
Facebook did not immediately respond to ISMG's request for comment on the investigation.