My Body, My Data Act: Reclaiming Control Over Reproductive and Sexual Health Data
By Kewa Jiang
On June 24, 2022, the Supreme Court officially overturned Roe v. Wade and Planned Parenthood v. Casey. Prior to the announcement of the decision, alarms were raised about how health information collected by mobile apps and tech companies may be abused and used to penalize women for seeking or considering an abortion. On June 16, 2022, Congressional Representative Sara Jacobs (D-California), Senator Mazie Hirono (D-Hawaii) and Senator Ron Wyden (D-Oregon) responded to such concerns by introducing the federal privacy bill, My Body, My Data Act (“the Act”).
The Act is meant to bridge the gaps in data privacy protection left by the current patchwork of federal privacy laws. For instance, the Health Insurance Portability and Accountability Act (HIPAA) applies only to covered entities and their business associates, a category that does not include many mHealth apps. On the state level, the Act also affirms that any state laws that provide greater protections do not conflict with its provisions.
Spotlighting Provisions of the Act
The Act will apply to “regulated entities,” which are defined as “any entity (to the extent such an entity is engaged in activities in or affecting commerce…” A regulated entity does not, however, include a “covered entity” or “business associate” under HIPAA privacy regulations, which would continue to be regulated by HIPAA. The Act defines “personal reproductive or sexual health information” to include personal information related to the past, present, or future reproductive or sexual health of an individual. This type of health information includes efforts to research or obtain reproductive or sexual information services or supplies, whether an individual is sexually active, ability to conceive a pregnancy, ovulation, menstruation, and reproductive and sexual health related surgeries or procedures, such as termination of a pregnancy.
The Act limits the collection, retention, use, or disclosure of personal reproductive or sexual health information to what is strictly necessary to provide a service or with the express consent of the user. The Act also specifically states that regulated entities must limit the access of their own employees or service providers to users’ personal reproductive or sexual health information to what is necessary to provide a product or service.
Right of Access and Deletion
The Act requires the regulated entity to create reasonable mechanisms that allow users to request deletion of and access to any personal reproductive or sexual health information retained by the entity. The information provided to the user must be in both “human-readable format” and “machine-readable format.” Users may access or delete information that includes:
- Information the entity collected from third parties, including how it was collected and from which specific third parties,
- Information the regulated entity inferred about the user, and
- A list of the specific third parties to which the regulated entity disclosed any personal reproductive or sexual health information.
FTC Enforcement and Private Right of Action
The Act delegates the power to promulgate rules and enforce regulations to the Federal Trade Commission (FTC). The FTC’s enforcement powers of the Act will be derived from the Unfair or Deceptive Acts or Practices provisions of the Federal Trade Commission Act.
Another important provision is that plaintiffs are provided an injury-in-fact under the Act. The Act states that a violation alleged by a plaintiff with respect to their “personal reproductive or sexual health information constitutes a concrete and particularized injury in fact…” This is crucial given the difficulty plaintiffs have faced in proving standing in data and privacy breach lawsuits. Under the Act, courts may award plaintiffs no less than $100 and not greater than $1,000 per violation per day or actual damages (whichever is greater). Additionally, plaintiffs may be awarded punitive damages, reasonable attorney’s fees and litigation costs, and other relief, such as equitable or declaratory relief.
Today the fight for reproductive and sexual freedom and access to healthcare no longer ends at physical bodily autonomy but also extends to digital autonomy and control over one’s own data. The My Body, My Data Act will provide an opportunity for users to reclaim control over their reproductive and sexual health data, but much remains to be seen as the bill winds its way through Congress.