Health and Location Data Protection Act of 2024
📝 TL;DR
This bill would prohibit data brokers from selling or transferring individuals' health and location data, with exceptions for HIPAA-compliant activities, newsworthy publication, and disclosures authorized by the individual. It includes strong enforcement through FTC action, state attorneys general, and private lawsuits, with civil penalties of up to 15% of the ultimate parent company's revenues for the preceding 12 months. The legislation provides $1 billion to the FTC for implementation and would fundamentally disrupt the current data broker business model.
Plain English Explanation
The Health and Location Data Protection Act of 2024 (H.R. 10540) is a comprehensive privacy bill that would prohibit data brokers from selling, transferring, or sharing individuals' health and location data. Introduced by Rep. Scanlon and three Democratic colleagues on December 19, 2024, the bill addresses growing concern about the commercial exploitation of sensitive personal information by companies that collect and sell data about individuals without their direct knowledge. It targets the largely unregulated data broker industry, which has faced increasing scrutiny for practices that can expose information about medical visits, reproductive health decisions, and personal movements to third parties such as prospective employers, insurers, or government entities. The bill provides multiple enforcement mechanisms and includes substantial funding for the Federal Trade Commission to implement and enforce the new restrictions.
Detailed Analysis
The bill operates through a straightforward prohibition mechanism outlined in Section 2, making it unlawful for data brokers to engage in any commercial transfer of health or location data, whether that data is explicitly declared or computationally inferred. The legislation grants the FTC authority to identify additional categories of protected data and requires the Commission to issue implementing regulations within 180 days. The bill includes three key exceptions: HIPAA-compliant actions by covered entities, publication of newsworthy information of legitimate public concern, and disclosures with valid individual authorization using HIPAA standards.
The enforcement structure is notably robust, establishing a three-tiered approach through Section 3. The FTC receives primary enforcement authority with the power to bring civil actions for injunctive relief, compliance orders, civil penalties, damages, and other equitable remedies. State attorneys general can enforce the law as parens patriae for their residents, subject to coordination requirements with federal enforcement. Most significantly, the bill creates a private right of action allowing individuals to sue directly for violations, with the possibility of recovering attorney's fees and costs.
The penalty structure is designed to be financially meaningful for large corporations. Section 3(d) establishes civil penalties up to 15 percent of the violating entity's ultimate parent company's annual revenues, creating substantial financial risk for data brokers. The bill also includes a six-year statute of limitations and establishes exclusive federal court jurisdiction, with the D.C. Circuit handling all appeals.
Section 4's definitions are crucial to the bill's scope. 'Data broker' is defined broadly as any entity that collects, buys, or licenses individual data for resale, while 'health data' encompasses not just medical records but searches for health services, physical and mental health conditions including pregnancy, and related treatments. 'Location data' covers any information capable of determining past or present physical location of individuals or their devices. The bill requires the FTC to further define 'data' through rulemaking, but specifies it must include information linked to specific individuals or groups sharing residences or IP addresses.
🎯 Key Provisions
Core Prohibition on Data Sales: Establishes blanket prohibition on data brokers selling, licensing, trading, or otherwise transferring health and location data of individuals. The prohibition covers both declared and inferred data. (Section 2(a) - 'It shall be unlawful for a data broker to sell, resell, license, trade, transfer, share, or otherwise provide or make available any of the following forms of data, whether declared or inferred, of an individual: (1) Location data. (2) Health data.')
HIPAA Compliance Exception: Preserves existing HIPAA framework by exempting actions taken by covered entities and business associates that comply with existing health privacy regulations. (Section 2(b)(1) - 'Nothing in this Act shall be construed to prohibit any action taken with respect to the health information of an individual by a data broker acting in its capacity as a business associate or covered entity, that is permissible under the Federal regulations concerning standards for privacy of individually identifiable health information')
Individual Authorization Exception: Allows data transfers when individuals provide valid authorization using HIPAA standards adapted for both health and location data by the FTC. (Section 2(b)(3) - 'Nothing in this Act shall be construed to prohibit a disclosure of the data of an individual for which the individual provides valid authorization...subject to such adaptations as the Commission shall deem necessary to apply such term to the disclosure of both location data and health data.')
Revenue-Based Civil Penalties: Establishes substantial financial penalties up to 15% of the ultimate parent entity's annual revenues, creating significant deterrent effect for large corporations. (Section 3(d) - 'a violation of this Act shall carry a civil penalty not to exceed 15 percent of the revenues earned by the person's ultimate parent entity during the preceding 12-month period')
Private Right of Action: Empowers individuals to sue data brokers directly for violations, with ability to recover damages, attorney's fees, and obtain injunctive relief including data deletion. (Section 3(c) - 'Any person whose interest has been or is threatened or adversely affected by the engagement of any data broker subject to section 2 in a practice that violates such section may bring a civil action')
Comprehensive Health Data Definition: Defines health data broadly to include searches for health services, physical and mental health conditions including pregnancy, and related treatments or diagnoses. (Section 4(4) - 'Health data means data that reveal or describe...the search for, attempt to obtain, or receipt of any health services...any past, present, or future disability, physical health condition, mental health condition, or health condition of an individual, including, but not limited to, pregnancy and miscarriage')
👥 Impact Analysis
Direct Effects
If enacted, this bill would immediately prohibit a significant revenue stream for data brokers who currently profit from selling health and location information. Companies like SafeGraph, Verity Solutions, and others that aggregate and sell location data from mobile apps would need to cease these practices or face substantial penalties. The legislation would likely force many data brokers to fundamentally restructure their business models, potentially leading to industry consolidation or exit from the market. Healthcare-adjacent businesses that rely on purchasing location data to identify potential customers (such as fertility clinics buying data about visits to reproductive health facilities) would lose access to this information.
The enforcement mechanisms would create immediate compliance burdens, as companies would need to audit their data practices, implement new policies, and potentially delete existing datasets. The private right of action could generate significant litigation as privacy advocates and affected individuals file lawsuits. The substantial civil penalties tied to corporate revenues would create strong incentives for compliance, particularly among larger technology companies with significant revenue streams.
Indirect Effects
The legislation could accelerate broader privacy legislation efforts at both federal and state levels, as it demonstrates legislative appetite for sector-specific data protection. It may prompt increased investment in privacy-preserving technologies and data anonymization techniques as companies seek compliant ways to monetize data. The bill could also influence international privacy standards and trade relationships, as U.S. data protection standards would more closely align with European GDPR frameworks. Some legitimate research activities or public health initiatives that rely on aggregated location or health data might be inadvertently impacted, since the bill's three exceptions (HIPAA-compliant activity, newsworthy publication, and individual authorization) include no research or public health carve-out.
Affected Groups
- Data brokers and data aggregation companies
- Mobile app developers who monetize location data
- Healthcare marketing companies
- Digital advertising companies
- Individuals whose health and location data has been sold
- Privacy advocacy organizations
- Federal Trade Commission
- State attorneys general
- Healthcare covered entities under HIPAA
Fiscal Impact
The bill includes a substantial $1 billion appropriation to the Federal Trade Commission for fiscal year 2025, with funds remaining available until September 30, 2034, specifically for 'carrying out the work of the Commission.' This represents a significant increase in FTC resources and suggests Congress recognizes the substantial enforcement challenge this legislation would create. The funding would likely support hiring additional attorneys, investigators, technologists, and policy experts to implement the complex rulemaking requirements and enforce violations. Revenue from civil penalties could potentially offset some government costs, as the penalties are designed to be substantial for large violations.
📋 Latest Action
12/19/2024
Referred to the House Committee on Energy and Commerce.