Privacy Law

My Body, My Data Act: Reclaiming Control Over Reproductive and Sexual Health Data

By Kewa Jiang

July 2022

On June 24, 2022, the Supreme Court officially overturned Roe v. Wade and Planned Parenthood v. Casey. Prior to the announcement of the decision, alarms were raised about how health information collected by mobile apps and tech companies may be abused and used to penalize women for seeking or considering an abortion. On June 16, 2022, Congressional Representative Sara Jacobs (D-California), Senator Mazie Hirono (D-Hawaii) and Senator Ron Wyden (D-Oregon) responded to such concerns by introducing a federal privacy bill, the My Body, My Data Act (“the Act”).

The Act is meant to bridge the gaps in data privacy protection left by the current patchwork of federal privacy laws. For instance, the Health Insurance Portability and Accountability Act (HIPAA) only applies to covered entities or their business associates, a scope that does not cover many mHealth apps. On the state level, the Act also affirms that any state laws that provide greater protections do not conflict with its provisions.

Spotlighting Provisions of the Act

The Act will apply to “regulated entities,” which are defined as “any entity (to the extent such an entity is engaged in activities in or affecting commerce…” But a regulated entity does not include a “covered entity” or “business associate” under HIPAA privacy regulations, which would continue to be regulated by HIPAA. The Act defines “personal reproductive or sexual health information” to include personal information related to the past, present, or future reproductive or sexual health of an individual. This type of health information includes efforts to research or obtain reproductive or sexual information services or supplies, whether an individual is sexually active, ability to conceive a pregnancy, ovulation, menstruation, and reproductive and sexual health related surgeries or procedures, such as termination of a pregnancy.

Data Minimization

The Act limits the collection, retention, use, or disclosure of personal reproductive or sexual health information to what is strictly necessary to provide a service or with the express consent of the user. The Act also specifically states that regulated entities must limit the access of their own employees or service providers to users’ personal reproductive or sexual health information to what is necessary to provide a product or service.

Right of Access and Deletion

The Act requires the regulated entity to create reasonable mechanisms that let users request deletion of and access to any personal reproductive or sexual health information retained by the entity. The information provided to the user must be in both “human-readable format” and “machine-readable format.” Users may access or delete information that includes:

  • Information the entity collected from third parties, including how it was collected and from which specific third parties,
  • Information the regulated entity inferred about the user, and
  • A list of the specific third parties to which the regulated entity disclosed any personal reproductive or sexual health information.

FTC Enforcement and Private Right of Action  

The Act delegates the power to promulgate rules and enforce regulations to the Federal Trade Commission (FTC). The FTC’s enforcement powers of the Act will be derived from the Unfair or Deceptive Acts or Practices provisions of the Federal Trade Commission Act.

But, unlike some state consumer privacy protection laws, the Act provides a private right of action by individuals. This private right of action is protected even if there was a pre-dispute arbitration agreement or pre-dispute joint action waiver. This provision is particularly important given that many tech companies include some form of an arbitration clause or joint action waiver in their terms of use. As a result, few arbitration claims are filed by users and joint action waivers prevent users from coming together to file class actions against companies. 

Another important provision is that the Act establishes an injury in fact for plaintiffs. The Act states that an alleged violation involving a plaintiff’s “personal reproductive or sexual health information constitutes a concrete and particularized injury in fact…” This is crucial given the difficulty plaintiffs have faced in proving standing in data and privacy breach lawsuits. Under the Act, courts may award plaintiffs no less than $100 and not greater than $1,000 per violation per day or actual damages (whichever is greater). Additionally, plaintiffs may be awarded punitive damages, reasonable attorney’s fees and litigation costs, and other relief, such as equitable or declaratory relief.

Looking Ahead

Today, the fight for reproductive and sexual freedom and access to healthcare no longer ends at physical bodily autonomy but also extends to digital autonomy and control over one’s own data. The My Body, My Data Act will provide an opportunity for users to reclaim control over their reproductive and sexual health data, but much remains to be seen as the bill winds its way through Congress.
