LegisTrack
S 2029 | 119th Congress | In Committee

My Body, My Data Act of 2025

Introduced: Jun 11, 2025
Civil Rights & Justice | Technology & Innovation
Standard Summary

The My Body, My Data Act of 2025 establishes a new federal privacy framework focused on personal reproductive or sexual health information. It requires regulated entities (broadly defined tech platforms, apps, and other organizations engaged in commerce) to minimize how they collect, retain, use, and disclose such data, restricting it to what is strictly necessary to provide a product or service the individual has requested. The bill also gives individuals strong rights over their data: a right to access, correct, and delete their information (with a set 15-day response timeline and no fees), plus a requirement for easy-to-use privacy policies that disclose what data is collected, with whom it is shared, and how individuals can exercise control. It prohibits retaliation for exercising these rights and empowers the Federal Trade Commission (FTC) to enforce the act, including a private right of action for individuals, potential damages, and a ban on pre-dispute arbitration or class-action waivers for disputes under the act.

In addition to the minimization and rights provisions, the bill prescribes a required privacy policy, outlines enforcement mechanisms (FTC authority and private litigation), and defines who counts as a regulated entity, service provider, or third party. It carves out certain protections for HIPAA-covered entities and business associates and does not preempt state laws that provide greater protections. Overall, the measure aims to give individuals targeted protections for highly sensitive reproductive and sexual health data and to deter misuse through both regulatory and private enforcement.

Key Points

  1. Minimization and access controls for sensitive data: Regulated entities may only collect, retain, use, or disclose personal reproductive or sexual health information to the extent strictly necessary to provide a requested product or service, and access by employees or contractors must be limited to what is necessary.
  2. Strong individual rights and data portability: Individuals can access, correct, and delete their data, including information derived or inferred about them, with a verified request. Access must be provided in human-readable and machine-readable formats, and requests must be fulfilled within 15 days without fees.
  3. Privacy policy and transparency: Regulated entities must maintain and prominently publish a privacy policy detailing data practices, categories of data collected and disclosed, third-party recipients and purposes, user controls, and security efforts.
  4. Private right of action and strong remedies: Individuals may sue for violations, with damages ranging from at least $100 to $1,000 per violation per day (or actual damages, whichever is greater), plus punitive damages and attorneys’ fees. The bill also blocks pre-dispute arbitration and joint-action waivers for disputes under the act.
  5. FTC enforcement framework and exceptions: The FTC enforces the act as if it were unfair or deceptive acts or practices under the Federal Trade Commission Act. HIPAA-covered entities and certain other exclusions are defined, and the act preserves existing federal law while permitting regulations to be issued to implement the act.

Impact Areas

  • Primary group/area affected: Individuals and consumers whose reproductive or sexual health information is collected, stored, or analyzed by digital platforms, apps, and other regulated entities. They gain new rights to access, correct, delete, and obtain disclosures about third-party sharing.
  • Secondary group/area affected: Regulated entities (broadly defined, including many tech platforms and data handlers) and their service providers who must implement data minimization, privacy policies, and compliant data practices; plus the FTC as the primary enforcer and the courts for private actions.
  • Additional impacts: Potential compliance costs and operational changes for technology companies, app developers, and data processors; increased transparency requirements; legal risk and potential liability for data handling practices involving sensitive health information; interactions with HIPAA, state privacy laws, and other federal statutes; and broader implications for consent, data sharing for research, and cross-state privacy protections.
Generated by gpt-5-nano on Oct 7, 2025