LegisTrack
HR 3916, 119th Congress, In Committee

My Body, My Data Act of 2025

Introduced: Jun 11, 2025
Technology & Innovation
Standard Summary

The My Body, My Data Act of 2025 would create a new federal privacy framework focused specifically on personal reproductive and sexual health information. It would require certain entities (designated as “regulated entities”) to minimize collection and use of such data, restrict access to it, and grant individuals strong rights to access, correct, delete, and obtain information about how their data is shared. It would also require clear privacy policies, prohibit retaliation for exercising rights, and establish enforcement primarily through the Federal Trade Commission (FTC) with a private right of action for individuals. Importantly, the bill defines a broad set of health-related data as “personal reproductive or sexual health information” and sets up specific rules for how this data can be collected, stored, disclosed, and protected, while preserving existing federal and state privacy laws where applicable.

If enacted, the act could reshape how tech platforms, advertisers, and other non-HIPAA entities handle reproductive and sexual health data by imposing strict minimization, verifiable data-access rights, deletion rights, and robust disclosure requirements. It would also limit dispute resolution by banning pre-dispute arbitration for these claims, potentially increasing consumer remedies and FTC oversight in this area.

Key Points

  1. Data minimization and access restrictions: Regulated entities may only collect, retain, use, or disclose personal reproductive or sexual health information as strictly necessary to provide a product or service requested by the individual; access to the data must be limited to employees or providers necessary to deliver that product or service.
  2. Rights to access, correction, and deletion (with machine-readable formats): Individuals may request access to their data (including data from third parties and any inferences), correction of inaccuracies, and deletion of their data, with responses due within 15 days, and without fees. Information must be provided in both human-readable and machine-readable formats.
  3. Privacy policy requirements: Regulated entities must maintain and prominently publish a clear privacy policy describing data practices, categories of data collected/disclosed, purposes, third-party recipients and their uses, user controls, and protections against unauthorized disclosures.
  4. Prohibition on retaliation: Entities may not retaliate against individuals for exercising their rights under the Act, such as by denying services, increasing prices, or degrading service quality.
  5. Enforcement and remedies: The FTC would enforce the Act, treating violations as unfair or deceptive acts or practices. Individuals can bring civil actions with potential damages, attorneys’ fees, and other relief, and the Act bans pre-dispute arbitration and joint-action waivers for disputes under the Act.

Impact Areas

  • Primary group/area affected: Consumers, particularly individuals who have personal reproductive or sexual health information (e.g., data related to pregnancy, contraception, abortions, menstruation, fertility, sexually transmitted infections, and related services).
  • Secondary group/area affected: Regulated entities, including tech platforms, service providers, and organizations not covered by HIPAA (excluding HIPAA-covered entities and business associates from the definition of “regulated entity”). These entities would need to assess and redesign data collection, storage, access controls, and disclosures to comply.
  • Additional impacts: Potential conflicts or interactions with HIPAA and state privacy laws; expanded FTC enforcement in health-data contexts; costs and operational changes for privacy controls and user-rights processes; impact on innovation and data-driven services that rely on reproductive/sexual health information; and strengthened privacy protections at the intersection of health data and consumer rights.
  • The bill explicitly preserves federal law and allows state laws with greater protections to coexist (no preemption of stronger state privacy standards).
  • HIPAA-covered entities and business associates are excluded from the definition of “regulated entity,” meaning the bill would regulate non-HIPAA entities handling reproductive/sexual health data, potentially creating a complementary or gap-filled regime alongside HIPAA.
  • Arbitration and class-action waivers in disputes under this Act are not allowed, ensuring individuals can pursue remedies in court.
Generated by gpt-5-nano on Oct 7, 2025