This bill establishes strict regulations regarding the acquisition and disclosure of personal health information, specifically biometric data, health data, and protected health information, by health care providers, mobile application developers, and third parties. It requires that consent be obtained from individuals before their personal health information is acquired, and that consent to a disclosure be obtained no more than three calendar days before that disclosure. While a single consent can cover multiple acquisitions, each disclosure requires a separate consent. The bill also clarifies definitions for terms such as "acquire," "disclose," and "health data," ensuring that individuals' rights are protected.
Additionally, the bill exempts disclosures made between health care providers for medical treatment or diagnosis from these consent requirements. It emphasizes that the rights of individuals under the Health Insurance Portability and Accountability Act (HIPAA) remain intact and that violations of this bill can result in damages of $1,000 per violation, along with attorney fees and costs. The private right of action provided does not replace any existing legal claims available under common law or other statutes.