Sponsors (22)
Introduced June 11, 2025 by Mazie Hirono · Last progress June 11, 2025
The bill substantially strengthens individual privacy, control, and enforceable rights over reproductive and sexual health data (including by covering non‑HIPAA actors), but it also creates significant compliance, litigation, and regulatory complexities that could raise costs, prompt legal challenges, and potentially chill some providers or services.
People seeking reproductive or sexual health services (including pregnant people and patients with chronic conditions) will have substantially stronger privacy protections because the bill limits collection, retention, and use of sensitive reproductive/sexual health data and explicitly covers inferred and location-based data.
Individuals gain clear, enforceable private rights — including the ability to sue, recover statutory damages ($100–$1,000 per violation per day or actual damages), recover attorney’s fees, and avoid pre-dispute arbitration or waiver barriers — making legal remedies realistic for victims of misuse.
People get meaningful control and transparency: rights to access, correct, and delete reproductive/sexual health data; machine-readable portability; disclosure of which third parties received/provided data; and a short no-fee, 15-day response deadline to make exercising rights practical and timely.
Small businesses, hospitals, developers, and other covered entities face substantial compliance costs to change data collection, storage, access controls, and policies — costs that are likely to be passed to consumers through higher prices or reduced services.
Key standards and carve-outs (e.g., the 'strictly necessary' rule, HIPAA 'to the extent' language, what counts as 'suggesting' different treatment, and the definition of an 'actual conflict' with state law) are ambiguous and likely to generate litigation and operational uncertainty for businesses and governments.
Expanded FTC-style rulemaking and retained broad investigatory/enforcement authority could increase government access to sensitive reproductive and sexual health data (including via legal compulsion) and broaden regulatory reach, raising privacy and surveillance concerns that could chill use of services.
Based on analysis of 11 sections of legislative text.
Limits how companies and other covered organizations can collect, keep, use, and share personal reproductive and sexual health information. The bill gives people rights to access, correct, and delete that information (including inferred data), requires clear privacy notices, forbids retaliation for using those rights, and lets the FTC and individuals enforce the law with civil damages and other relief. Applies broadly to entities engaged in commerce (including some nonprofits and communications carriers) but excludes HIPAA-covered actors when they act under HIPAA and certain substance-use confidentiality protections; it preserves other federal and stronger state privacy laws, protects First Amendment rights, and allows compelled disclosures to regulators or courts.