Sec. 203. Prohibitions on disclosing of personal information
470 words·~2 min read·
/bill/119/hr/8014/ih/section-203·A research copy — for the controlling text, always check the official state or federal source. Not legal advice.
A covered entity may not intentionally disclose personal information unless the covered entity obtains consent of the individual whose personal information is being disclosed for each category of third party to which such personal information will be disclosed. Such covered entity must also provide such individual with notice of— each category of third party; the personal information to be disclosed; and a concise and clear description of the business or commercial purpose for disclosing such personal information. A covered entity may not intentionally sell personal information unless the covered entity— obtains the consent required by paragraph
(1)for disclosing such personal information; and provides the individual to whom such personal information relates with the identity of the specific third party to which such personal information will be disclosed. Subparagraph
(A)shall not apply to a covered entity in a case in which an individual is directing the covered entity to disclose the personal information of such individual for the sole purpose of procuring goods or services, or offers for goods or services, for such individual, if there is a reasonable mechanism for the individual to withdraw consent. A covered entity may not intentionally disclose personal information without including the purpose for which the personal information was originally collected. Notwithstanding paragraph (1), consent is not required for disclosing (not including selling) personal information secured using privacy-preserving computing. Notwithstanding paragraph (1), consent is not required for disclosing (not including selling) de-identified personal information where the disclosed personal information is limited to the narrowest possible scope likely to yield the intended benefit and contractual obligations are in place that prohibit— re-identification of the disclosed personal information; and the processing of additional personal information in combination with the disclosed personal information that would allow for the re-identification of the disclosed personal information. A covered entity may not intentionally disclose for advertising or marketing purposes a unique identifier or any other personal information that would allow information disclosed to be linked to information relating to the same individual or device disclosed in the past. Disclosing personal information or contents of communication for advertising or marketing purposes may not be treated as violating paragraph
(1)by reason of including any or all of the following: Internet Protocol addresses truncated to no more than the first 24 bits for Internet Protocol version 4 and the first 48 bits for Internet Protocol version 6, or for a successor protocol truncated to limit the precision of the identifier to a network address of the internet access provider. Geolocation information truncated to allow no more than the equivalent of two decimal degrees of precision at the equator or prime meridian, or an equivalent precision in another geolocation standard. A general description of a device, browser, or operating system, or any combination thereof. An identifier that is unique to a disclosure.