Senate bill would prevent data brokers from profiting from location and health data

A new bill introduced on Wednesday would ban something a newcomer to US privacy policy debates might consider already illegal: the sale or transfer of people’s location and health information by data.

The Health and Location Data Protection Act 2022, introduced(Opens in a new window) by Sen. Elizabeth Warren (D-Mass.) and co-sponsored by The Senses. Ron Wyden (D-Ore.), Patty Murray (D-Wash.), Sheldon Whitehouse (DR.I.) and Bernie Sanders (I-Vt.), arrive as the Supreme Court looks set to overturn its 1973 Roe v. Wade Opinion(Opens in a new window) which established a limited national right to abortion.

In a post-Roe environment, privacy advocates worry that location and medical data could be exploited by state or local governments seeking to enforce abortion bans — and who already have a habit of buying location information from data brokers to avoid obtaining warrants.

The draft released by Warren’s office is exceptionally short, running just 13 pages (PDF(Opens in a new window)), with a one-page summary (PDF(Opens in a new window)) available. It defines health data as anything that can “reveal or describe” health care research, details about a disability or physical or mental health condition, and treatment or diagnoses for a disability or condition. It defines location data without reference to its precision or accuracy – anything “capable of determining the past or present physical location of an individual or an individual’s device” counts.

Any data broker – defined as a business that “collects, purchases, licenses or infers data about individuals and then sells, licenses or trades that data” – would be prohibited from selling, licensing, exchange, transfer or share these two types of data.

The bill would grant three exemptions: transfers authorized under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), “the publication of information worthy of legitimate public interest” and the disclosure of data that followed a “valid authorization” by the data subject. The Federal Trade Commission would enforce the bill (and get $1 billion in funding to do so), but states and private citizens could also bring their own lawsuits.

Recommended by our editors

This bill is more narrowly targeted than previous bills that would allow Americans to compel data brokers to leave them alone or implement a comprehensive regime of federal privacy rights, but it will only increase perhaps not its chances of being passed by a Congress struggling to advance privacy legislation. even as the need becomes more evident.

Example: the day after the bill was introduced, The Markup reported(Opens in a new window) that the appointment booking pages of 33 of the top 100 hospitals incorporated Facebook tracking technology, Meta Pixel, which sends snippets of data to the social network, including the IP address of a patient’s computer site visitor and, sometimes, details of health conditions and drug prescriptions. But because Facebook does not actually sell or trade user data(Opens in a new window)– instead it charges advertisers to show their ads to users it finds for them based on their targeting criteria – it seems exempt from this bill anyway.

SecurityWatch newsletter for our top privacy and security stories delivered right to your inbox.","first_published_at":"2021-09-30T21:22:09.000000Z","published_at":"2022-03-24T14:57:33.000000Z","last_published_at":"2022-03-24T14:57:28.000000Z","created_at":null,"updated_at":"2022-03-24T14:57:33.000000Z"})" x-show="showEmailSignUp()" class="rounded bg-gray-lightest text-center md:px-32 md:py-8 p-4 mt-8 container-xs">
Do you like what you read ?

Register for Security Watch newsletter for our top privacy and security stories delivered straight to your inbox.

This newsletter may contain advertisements, offers or affiliate links. Subscribing to a newsletter indicates your consent to our Terms of use and Privacy Policy. You can unsubscribe from newsletters at any time.

Norman D. Briggs