On November 7, 2024, the Michigan legislature introduced the Reproductive Data Privacy Act (the RDPA) or Senate Bill 1082 (SB 1082). The RPDA was introduced in the aftermath of the 2024 election cycle. Lawmakers supporting the Michigan bill are hoping to pass the act before the end of the year and prior to President-elect Donald Trump”s second term.
SB 1082 would give consumers more control over data linked to their reproductive health data, such as menstrual cycles, fertility, contraception, and other concerns surrounding women’s health and limit disclosure of that data. Michigan would join Connecticut, Nevada and Washington in providing regulation for reproductive health data shared with certain entities, such as menstrual trackers, fertility apps, and other activities that necessarily would not be covered under the federal Health Insurance Portability and Accountability Act (HIPAA).
Scope
The RDPA is modeled after Washington’s My Health, My Data Act (MHMDA), but there are some nuances. The RDPA would apply to entities that provide services or products related to a person’s reproductive system and collect related data, such as tracking bodily functions, diagnostic testing or abortion care.
The RDPA defines “reproductive health data” as “information that is linked or reasonably linkable to an individual and that identifies the individual’s past, present, or future reproductive health status.”
Furthermore, the RDPA also mandates that processing only be done for one of four enumerated purposes outlined below:
- To provide a product, service, or service feature to the individual to whom the reproductive health data pertains when that individual requested the product, service, or service feature by subscribing to, creating an account with, or otherwise contracting with the covered entity or service provider.
- To initiate, manage, execute, or complete a financial or commercial transaction or to fulfill an order for a specific product or service requested by an individual to whom the reproductive health data pertains, including, but not limited to, associated routine administrative, operational, and account servicing activity such as billing, shipping, storage, and accounting.
- To comply with an obligation under a law of this state or federal law.
- To protect public safety or public health.
Disclosure and Consent
The bill requires covered entities to provide notice and obtain consent from consumers for any collection or processing of reproductive health data.
Data Minimization and Retention
The RDPA contains data minimization provisions, prohibiting covered entities from collecting more reproductive health data than necessary to perform these purposes. Covered entities must also not retain reproductive health data longer than necessary to achieve those permitted purposes.
Data Disclosure and Geofencing
Under the RDPA, covered entities can disclose reproductive health data to third parties only as necessary to perform the previous stated purposes or with the consent of the data subject.
Entities would not be able to share data with government agencies or officials without a warrant, unless the disclosure is mandated by Michigan or Federal law, or unless the data subject consents to the disclosure. This provision is aligned with similar bills in other states that have passed in the wake of the Dobbs v. Jackson Women’s Health Organization decision, in order to protect individuals from unwanted government interventions into their reproductive health care.
In addition, a covered entity or service provider cannot implement a “geofence” around an entity that provides in-person reproductive health services if the geofence is used for identifying and/or tracking individuals, collecting reproductive health data, or sending individuals messages related to their reproductive health data or services.
Data Subject Rights
The RDPA provides consumers with rights of access and deletion over their reproductive health data. In addition, it gives data subjects the right to revoke consent at all times for the sale of their reproductive health data.
The RDPA strictly limits geofencing of entities that provide “in-person reproductive health care services.” This includes “services or products that support or relate to an individual’s reproductive system, pregnancy status, or sexual well-being,” such as abortion related services. The bill prohibits the use of such geofences for identifying and/or tracking individuals, collecting reproductive health data, or sending individuals messages related to their reproductive health data or services.
Fines, Penalties and Enforcement
The RDPA would be enforceable by the Michigan Attorney General. Furthermore, the bill provides consumers with a private right of action to seek damages between the amounts of $100 to $750 for each violation and actual damages, as well as injunctive, declaratory, and other appropriate relief.
link