S. 2029
119th CONGRESS 1st Session
To protect the privacy of personal reproductive or sexual health information, and for other purposes.
IN THE SENATE OF THE UNITED STATES · June 11, 2025 · Sponsor: Ms. Hirono · Committee: Committee on Commerce, Science, and Transportation
Table of contents
- S. 2029
- SEC. 1. Short title
- SEC. 2. Minimization
- SEC. 3. Right of access, correction, and deletion
- SEC. 4. Privacy policy
- SEC. 5. Prohibition against retaliation
- SEC. 6. Enforcement
- SEC. 7. Definitions
- SEC. 8. Rule of construction
- SEC. 9. Relationship to Federal and State laws
- SEC. 10. Savings clause
- SEC. 11. Severability clause
SEC. 1. Short title
- This Act may be cited as the “My Body, My Data Act of 2025”.
SEC. 2. Minimization
- (a) Minimization of collecting, retaining, using, and disclosing
- A regulated entity may not collect, retain, use, or disclose personal reproductive or sexual health information, except as is strictly necessary to provide a product or service that the individual to whom such information relates has requested from such regulated entity.
- (b) Minimization of employee access
- A regulated entity shall restrict access to personal reproductive or sexual health information by the employees or service providers of such regulated entity to such employees or service providers for which access is necessary to provide a product or service that the individual to whom such information relates has requested from such regulated entity.
SEC. 3. Right of access, correction, and deletion
- (a) Right of access
- (1) In general
- A regulated entity shall make available a reasonable mechanism by which an individual, upon a verified request, may access—
- any personal reproductive or sexual health information relating to such individual that is retained by such regulated entity, including—
- (i) in the case of such information that such regulated entity collected from third parties, how and from which specific third parties such regulated entity collected such information; and
- (ii) such information that such regulated entity inferred about such individual; and
- a list of the specific third parties to which such regulated entity has disclosed any personal reproductive or sexual health information relating to such individual.
- (2) Format
- A regulated entity shall make the information described in paragraph (1) available in both a human-readable format and a structured, interoperable, and machine-readable format.
- (b) Right of correction
- A regulated entity shall make available a reasonable mechanism by which an individual, upon a verified request, may direct the correction of any inaccurate personal reproductive or sexual health information relating to such individual that is retained by such regulated entity or the service providers of such regulated entity, including any such information that such regulated entity collected from a third party or inferred from other information retained by such regulated entity.
- (c) Right of deletion
- A regulated entity shall make available a reasonable mechanism by which an individual, upon a verified request, may direct the deletion of any personal reproductive or sexual health information relating to such individual that is retained by such regulated entity and the service providers of such regulated entity, including any such information that such regulated entity collected from a third party or inferred from other information retained by such regulated entity.
- (d) General provisions
- (1) Reasonable mechanism defined
- In this section, the term “reasonable mechanism” means, with respect to a regulated entity and a right under this section, a mechanism that—
- is provided in the primary manner through which such regulated entity provides the goods or services of such regulated entity;
- is easy to use and prominently available; and
- includes an online means of exercising such right.
- (2) Timeline for complying with requests
- A regulated entity shall comply with a verified request received under this section without undue delay and not later than 15 days after the date on which the requesting individual submits the verified request.
SEC. 4. Privacy policy
- (a) Policy required
- A regulated entity shall maintain a privacy policy relating to the practices of such regulated entity regarding the collecting, retaining, using, and disclosing of personal reproductive or sexual health information.
- (b) Publication required
- A regulated entity shall prominently publish the privacy policy required by subsection (a) on the website of such regulated entity.
- (c) Contents
- The privacy policy required by subsection (a) shall be clear and conspicuous and shall contain, at a minimum, the following:
- A description of the practices of the regulated entity regarding the collecting, retaining, using, and disclosing of personal reproductive or sexual health information.
- A concise statement of the categories of such information collected, retained, used, or disclosed by the regulated entity.
- A concise statement, for each such category, of the purposes of such regulated entity for the collecting, retaining, using, or disclosing of such information.
- A list of the specific third parties to which such regulated entity discloses such information, and a concise statement of the purposes for which such regulated entity discloses such information, including how such information may be used by each such third party.
- A list of the specific third parties from which such regulated entity has collected such information, and a concise statement of the purposes for which such regulated entity collects such information.
- A concise statement describing the extent to which individuals may exercise control over the collecting, retaining, using, and disclosing of personal reproductive or sexual health information by such regulated entity, the steps an individual is required to take to implement such controls, and direct links to such controls.
- A concise statement describing the efforts of the regulated entity to protect personal reproductive or sexual health information from unauthorized disclosure.
SEC. 5. Prohibition against retaliation
- A regulated entity may not retaliate against an individual because the individual exercises a right of the individual under this Act, including by—
- denying goods or services to the individual;
- charging the individual different prices or rates for goods or services, including by using discounts or other benefits or imposing penalties;
- providing a different level or quality of goods or services to the individual; or
- suggesting that the individual will receive a different price or rate for goods or services or a different level or quality of goods or services.
SEC. 6. Enforcement
- (a) Enforcement by the Commission
- (1) Unfair or deceptive acts or practices
- A violation of this Act or a regulation promulgated under this Act shall be treated as a violation of a regulation under section 18(a)(1)(B) of the Federal Trade Commission Act (15 U.S.C. 57a(a)(1)(B)) regarding unfair or deceptive acts or practices.
- (2) Powers of Commission
- (A) In general
- Except as provided in section 7(6)(A)(ii), the Commission shall enforce this Act and the regulations promulgated under this Act in the same manner, by the same means, and with the same jurisdiction, powers, and duties as though all applicable terms and provisions of the Federal Trade Commission Act (15 U.S.C. 41 et seq.) were incorporated into and made a part of this Act.
- (B) Privileges and immunities
- Any regulated entity that violates this Act or a regulation promulgated under this Act shall be subject to the penalties and entitled to the privileges and immunities provided in the Federal Trade Commission Act.
- (C) Authority preserved
- Nothing in this Act shall be construed to limit the authority of the Commission under any other provision of law.
- (D) Rulemaking authority
- The Commission may promulgate, in accordance with section 553 of title 5, United States Code, such regulations as may be necessary to carry out this Act.
- (b) Enforcement by individuals
- (1) In general
- Any individual alleging a violation of this Act or a regulation promulgated under this Act may bring a civil action in any court of competent jurisdiction.
- (2) Relief
- In a civil action brought under paragraph (1) in which the plaintiff prevails, the court may award—
- an amount not less than $100 and not greater than $1,000 per violation per day, or actual damages, whichever is greater;
- punitive damages;
- reasonable attorney’s fees and litigation costs; and
- any other relief, including equitable or declaratory relief, that the court determines appropriate.
- (3) Injury in fact
- A violation of this Act, or a regulation promulgated under this Act, with respect to personal reproductive or sexual health information constitutes a concrete and particularized injury in fact to the individual to whom such information relates.
- (4) Invalidity of pre-dispute arbitration agreements and pre-dispute joint action waivers
- (A) In general
- Notwithstanding any other provision of law, no pre-dispute arbitration agreement or pre-dispute joint-action waiver shall be valid or enforceable with respect to a dispute arising under this Act.
SEC. 7. Definitions
- In this Act:
- The term “collect” means, with respect to personal reproductive or sexual health information, for a regulated entity to obtain such information in any manner.
- The term “Commission” means the Federal Trade Commission.
- The term “disclose” means, with respect to personal reproductive or sexual health information, for a regulated entity to release, transfer, sell, provide access to, license, or divulge such information in any manner to a third party or government entity.
- The term “personal information” means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular individual, household, or device.
- The term “personal reproductive or sexual health information” means personal information relating to the past, present, or future reproductive or sexual health of an individual, including—
- The term “third party” means, with respect to the disclosing or collecting of personal reproductive or sexual health information, any person who is not—
SEC. 8. Rule of construction
- Nothing in this Act shall be construed to limit or diminish First Amendment freedoms guaranteed under the Constitution.
SEC. 9. Relationship to Federal and State laws
- (a) Federal law preservation
- Nothing in this Act, or a regulation promulgated under this Act, shall be construed to limit any other provision of Federal law, except as specifically provided in this Act.
- (b) State law preservation
- (1) In general
- Nothing in this Act, or a regulation promulgated under this Act, shall be construed to preempt, displace, or supplant any State law, except to the extent that a provision of State law conflicts with a provision of this Act, or a regulation promulgated under this Act, and then only to the extent of the conflict.
- (2) Greater protection under State law
- For purposes of this subsection, a provision of State law does not conflict with a provision of this Act, or a regulation promulgated under this Act, if such provision of State law provides greater privacy protection than the privacy protection provided by such provision of this Act or such regulation.
SEC. 10. Savings clause
- Nothing in this Act shall be construed to limit the authority of the Commission under any other provision of law. Nothing in this Act, or a regulation promulgated under this Act, shall be construed to prohibit a regulated entity from disclosing personal reproductive or sexual health information to the Commission as required by law, in compliance with a court order, or in compliance with a civil investigative demand or similar process authorized under law.
SEC. 11. Severability clause
- If any provision of this Act, or the application thereof to any person or circumstance, is held invalid, the remainder of this Act, and the application of such provision to other persons not similarly situated or to other circumstances, shall not be affected by the invalidation.