HR3916-119

1. Short title This Act may be cited as the My Body, My Data Act of 2025.

2. Minimization A regulated entity may not collect, retain, use, or disclose personal reproductive or sexual health information, except as is strictly necessary to provide a product or service that the individual to whom such information relates has requested from such regulated entity. A regulated entity shall restrict access to personal reproductive or sexual health information by the employees or service providers of such regulated entity to such employees or service providers for which access is necessary to provide a product or service that the individual to whom such information relates has requested from such regulated entity.

3. Right of access, correction, and deletion A regulated entity shall make available a reasonable mechanism by which an individual, upon a verified request, may access— any personal reproductive or sexual health information relating to such individual that is retained by such regulated entity, including— in the case of such information that such regulated entity collected from third parties, how and from which specific third parties such regulated entity collected such information; and such information that such regulated entity inferred about such individual; and a list of the specific third parties to which such regulated entity has disclosed any personal reproductive or sexual health information relating to such individual. A regulated entity shall make the information described in paragraph (1) available in both a human-readable format and a structured, interoperable, and machine-readable format. A regulated entity shall make available a reasonable mechanism by which an individual, upon a verified request, may direct the correction of any inaccurate personal reproductive or sexual health information relating to such individual that is retained by such regulated entity or the service providers of such regulated entity, including any such information that such regulated entity collected from a third party or inferred from other information retained by such regulated entity. A regulated entity shall make available a reasonable mechanism by which an individual, upon a verified request, may direct the deletion of any personal reproductive or sexual health information relating to such individual that is retained by such regulated entity and the service providers of such regulated entity, including any such information that such regulated entity collected from a third party or inferred from other information retained by such regulated entity. In this section, the term reasonable mechanism means, with respect to a regulated entity and a right under this section, a mechanism that— is provided in the primary manner through which such regulated entity provides the goods or services of such regulated entity; is easy to use and prominently available; and includes an online means of exercising such right. A regulated entity shall comply with a verified request received under this section without undue delay and not later than 15 days after the date on which the requesting individual submits the verified request. A regulated entity may not charge a fee to an individual for a request made under this section. Nothing in this section shall be construed to require a regulated entity to— take an action that would convert information that is not personal information into personal information; collect or retain personal information that such regulated entity would otherwise not collect or retain; or retain personal information longer than such regulated entity would otherwise retain such information.

4. Privacy policy A regulated entity shall maintain a privacy policy relating to the practices of such regulated entity regarding the collecting, retaining, using, and disclosing of personal reproductive or sexual health information. A regulated entity shall prominently publish the privacy policy required by subsection (a) on the website of such regulated entity. The privacy policy required by subsection (a) shall be clear and conspicuous and shall contain, at a minimum, the following: A description of the practices of the regulated entity regarding the collecting, retaining, using, and disclosing of personal reproductive or sexual health information. A concise statement of the categories of such information collected, retained, used, or disclosed by the regulated entity. A concise statement, for each such category, of the purposes of such regulated entity for the collecting, retaining, using, or disclosing of such information. A list of the specific third parties to which such regulated entity discloses such information, and a concise statement of the purposes for which such regulated entity discloses such information, including how such information may be used by each such third party. A list of the specific third parties from which such regulated entity has collected such information, and a concise statement of the purposes for which such regulated entity collects such information. A concise statement describing the extent to which individuals may exercise control over the collecting, retaining, using, and disclosing of personal reproductive or sexual health information by such regulated entity, the steps an individual is required to take to implement such controls, and direct links to such controls. A concise statement describing the efforts of the regulated entity to protect personal reproductive or sexual health information from unauthorized disclosure.

5. Prohibition against retaliation A regulated entity may not retaliate against an individual because the individual exercises a right of the individual under this Act, including by— denying goods or services to the individual; charging the individual different prices or rates for goods or services, including by using discounts or other benefits or imposing penalties; providing a different level or quality of goods or services to the individual; or suggesting that the individual will receive a different price or rate for goods or services or a different level or quality of goods or services.

7. Definitions In this Act: The term collect means, with respect to personal reproductive or sexual health information, for a regulated entity to obtain such information in any manner. The term Commission means the Federal Trade Commission. The term disclose means, with respect to personal reproductive or sexual health information, for a regulated entity to release, transfer, sell, provide access to, license, or divulge such information in any manner to a third party or government entity. The term personal information means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular individual, household, or device. The term personal reproductive or sexual health information means personal information relating to the past, present, or future reproductive or sexual health of an individual, including— efforts to research or obtain reproductive or sexual health information, services, or supplies, including location information that might indicate an attempt to acquire or receive such information, services, or supplies; reproductive or sexual health conditions, status, diseases, or diagnoses, including pregnancy and pregnancy-related conditions, menstruation, ovulation, ability to conceive a pregnancy, whether such individual is sexually active, and whether such individual is engaging in unprotected sex; reproductive- and sexual-health-related surgeries or procedures, including abortion; use or purchase of contraceptives, medication abortion, or any other drug, device, or materials related to reproductive health; bodily functions, vital signs, measurement, or symptoms related to menstruation or pregnancy, such as basal temperature, cramps, bodily discharge, or hormone levels; any information about diagnoses or diagnostic testing, treatment, medications, or the purchase or use of any product or service relating to the matters described in subparagraphs (A) through (E); and any information described in subparagraphs (A) through (F) that is derived or extrapolated from non-health information, including proxy, derivative, inferred, emergent, and algorithmic data. The term regulated entity means any entity (to the extent such entity is engaged in activities in or affecting commerce (as defined in section 4 of the Federal Trade Commission Act (15 U.S.C. 44))) that is— a person, partnership, or corporation subject to the jurisdiction of the Commission under section 5(a)(2) of the Federal Trade Commission Act (15 U.S.C. 45(a)(2)); or notwithstanding section 4, 5(a)(2), or 6 of the Federal Trade Commission Act (15 U.S.C. 44; 45(a)(2); 46) or any jurisdictional limitation of the Commission— a common carrier subject to the Communications Act of 1934 (47 U.S.C. 151 et seq.) and all Acts amendatory thereof and supplementary thereto; or an organization not organized to carry on business for its own profit or that of its members. The term regulated entity does not include— an entity that is a covered entity, as defined in section 160.103 of title 45, Code of Federal Regulations (or any successor to such regulation), to the extent such entity is acting as a covered entity under the HIPAA privacy regulations (as defined in section 1180(b)(3) of the Social Security Act (42 U.S.C. 1320d–9(b)(3))); an entity that is a business associate, as defined in section 160.103 of title 45, Code of Federal Regulations (or any successor to such regulation), to the extent such entity is acting as a business associate under the HIPAA privacy regulations (as defined in such section 1180(b)(3)); or an entity that is subject to restrictions on disclosure of records under section 543 of the Public Health Service Act (42 U.S.C. 290dd–2), to the extent such entity is acting in a capacity subject to such restrictions. The term service provider means a person who— collects, retains, uses, or discloses personal reproductive or sexual health information for the sole purpose of, and only to the extent that such person is, conducting business activities on behalf of, for the benefit of, under instruction of, and under contractual agreement with a regulated entity and not any other individual or entity; and does not divulge personal reproductive or sexual health information to any individual or entity other than such regulated entity or a contractor to such service provider bound to information processing terms no less restrictive than terms to which such service provider is bound. Such person shall only be considered a service provider in the course of activities described in subparagraph (A)(i). For purposes of compliance with section 2 by a service provider of a regulated entity, a request from an individual to such regulated entity for a product or service shall be treated as having also been provided to such service provider. The term third party means, with respect to the disclosing or collecting of personal reproductive or sexual health information, any person who is not— the regulated entity that is disclosing or collecting such information; the individual to whom such information relates; or a service provider.

8. Rule of construction Nothing in this Act shall be construed to limit or diminish First Amendment freedoms guaranteed under the Constitution.

9. Relationship to Federal and State laws Nothing in this Act, or a regulation promulgated under this Act, shall be construed to limit any other provision of Federal law, except as specifically provided in this Act. Nothing in this Act, or a regulation promulgated under this Act, shall be construed to preempt, displace, or supplant any State law, except to the extent that a provision of State law conflicts with a provision of this Act, or a regulation promulgated under this Act, and then only to the extent of the conflict. For purposes of this subsection, a provision of State law does not conflict with a provision of this Act, or a regulation promulgated under this Act, if such provision of State law provides greater privacy protection than the privacy protection provided by such provision of this Act or such regulation.

10. Savings clause Nothing in this Act shall be construed to limit the authority of the Commission under any other provision of law. Nothing in this Act, or a regulation promulgated under this Act, shall be construed to prohibit a regulated entity from disclosing personal reproductive or sexual health information to the Commission as required by law, in compliance with a court order, or in compliance with a civil investigative demand or similar process authorized under law.

11. Severability clause If any provision of this Act, or the application thereof to any person or circumstance, is held invalid, the remainder of this Act, and the application of such provision to other persons not similarly situated or to other circumstances, shall not be affected by the invalidation.