
The HIPAA Journal is the leading provider of HIPAA training, news, regulatory updates, and independent compliance advice.

Democratic Senators Introduce Bill Banning Data Brokers from Selling Location & Health Data

A new bill has been introduced in the Senate that seeks to prevent data brokers from engaging in “unfair and deceptive acts and practices relating to health and location data,” specifically prohibiting data brokers from selling, reselling, licensing, trading, transferring, sharing, or otherwise making available location data, health data, and other categories of sensitive data identified by the Federal Trade Commission (FTC). The bill was introduced by Senators Elizabeth Warren (D-MA), Ron Wyden (D-OR), Sheldon Whitehouse (D-OH), and Bernie Sanders (I-VT) and follows similar legislation introduced earlier in the year; however, there is little time left for the bill to be enacted, as the current Senate comes to an end next month.

The Health and Location Data Protection Act of 2024 calls for the creation of a federal registry of data brokers and would give consumers the right to request brokers not collect their data. Brokers would also be required to disclose details of the individuals and companies they share data with and the reason for sharing data. The bill does not prohibit any actions that are HIPAA-compliant, such as the sharing of health data in a data broker’s capacity as a HIPAA-covered entity or business associate, the publication of newsworthy information of legitimate public concern, or disclosures pursuant to a valid authorization.

Location data is often shared or sold by data brokers without consumers’ knowledge or consent, by companies that consumers may be completely unaware of. Currently, the data broker industry is largely unregulated with little to no restrictions on data sharing. There has been growing concern about the data being collected and sold, which may include precise geolocation data collected via mobile phones that can place individuals not just at a specific location but also in certain rooms within a building. In the case of a healthcare facility, that information could reveal the likely health conditions of individuals.

This year, the HHS’ Office for Civil Rights published an update to the HIPAA Privacy Rule that prohibits HIPAA-regulated entities from disclosing reproductive healthcare information when that information is sought to prosecute or impose liability on individuals or healthcare providers who facilitate legal reproductive healthcare. Location data, combined with unique device identifiers and data from other sources, could reveal information about individuals’ reproductive healthcare and could be used for those purposes.

The use of location data to target individuals seeking legal reproductive healthcare is not just theoretical. Earlier this year, an investigation by Sen. Wyden found that location data collected from mobile phones that identified individuals’ visits to abortion clinics had been provided to an anti-abortion group that used the data for a targeted advertising campaign on women seeking abortions.

Recently, the FTC agreed to a settlement with two data brokers – Gravy Analytics Inc. and Venntel Inc. – that prohibits them from using, selling, licensing, transferring, sharing, or otherwise disclosing consumers’ visits to sensitive locations, including medical facilities, correctional facilities, schools/childcare facilities, military installations, religious organizations, labor union offices, services supporting people based on racial and ethnic backgrounds, and services sheltering homeless, domestic abuse, refugee, or immigrant populations.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
