REPRODUCTIVE HEALTH DATA PROTECTION ACT S.B. 1082:

SUMMARY OF INTRODUCED BILL

IN COMMITTEE

Senate Bill 1082 (as introduced 11-02-24)

Sponsor: Senator Mallory McMorrow

Committee: Housing and Human Services

 

Date Completed: 11-10-24

 


INTRODUCTION

 

The bill would require a business or organization that collected reproductive health data to obtain informed consent before collecting or processing an individual's reproductive health data. The collecting entity could only collect or process that data for specific purposes, such as providing requested products or services, fulfilling financial transactions, or protecting public health or safety, among others. Data could not be used or retained longer than needed, and an entity could not disclose data to a government agency except under certain conditions.

 

To sell an individual's reproductive health data, an entity would have to obtain written consent that was distinct from consent to collection of data. Consent to sale would have to contain the terms of sale and use of that data. An entity would have to allow for the revocation of consent for the collection, use, or sale of that data at any time. Additionally, the bill would prescribe enforcement actions by the Attorney General and allow an individual who suffered damages due to a violation to seek relief.

FISCAL IMPACT

 

The bill could have a minor negative fiscal impact on State and local government. To the extent that under the definitions described in the bill, the State Medicaid program or local health departments would be considered a "covered entity" or a "service provider", there would likely be minor costs to ensure compliance with the requirements.

 

The bill would have a minor negative fiscal impact on the Attorney General and local courts. The Attorney General would have minor administrative costs associated with the promulgation of rules to implement the language of the bill. Local courts are likely to have an increase in hearings associated with requests from the Attorney General for injunctive relief permitted by the language of the bill. For requests from the Attorney General for injunctive relief in which the Attorney General prevailed, the Attorney General could recover reasonable attorney fees.

 

Legislative Analyst: Eleni Lionas

Fiscal Analyst: John P. Maxwell; Michael Siracuse


 

CONTENT

 

The bill would enact the "Reproductive Health Data Privacy Act" to do the following:

 

--   Prohibit a covered entity or service provider (entity) from collecting or processing an individual's reproductive health data unless that entity provided the individual with privacy information, obtained consent, and used the data only for specified purposes.

--   Specify the purposes for which an entity could collect or process reproductive health data and prohibit an entity from using or providing to a third party more data than was necessary or for longer than was necessary.

--   Prohibit an entity from disclosing an individual's reproductive health data to a government agency or official unless presented with a warrant, mandated under law, or as requested by the individual to whom the data pertained.

--   Beginning June 30, 2025, prohibit an entity from selling or offering for sale an individual's reproductive health data without specific consent.

--   Prescribe requirements for consent to be considered valid in the sale of an individual's reproductive health data.

--   Require an entity to provide a clear and conspicuous link on its website that would allow an individual to revoke consent to the sale or processing of the individual's reproductive health data.

--   Require the seller and purchaser of reproductive health data to enter into a written agreement for the terms and conditions of the data's use.

--   Prohibit an entity from implementing geofencing that tracked or collected information from an individual seeking reproductive health services, among other things.

--   Allow the Attorney General to bring an action to enjoin a person from violating the Act's provisions.

--   Allow an individual who suffered a loss due to a violation of the Act to collect up to $750 per incident or actual damages, whichever was greater, or other relief.

Definitions

 

"Covered entity" would mean a public, private, operated for profit, or not operated for profit business or organization that provides reproductive health care, placement, or services and collects reproductive health data from an individual. The term would include a business or organization that licenses or certifies other persons to provide reproductive health care, placement, or services.

 

"Service provider" would mean a person that collects, processes, retains, transfers, or sells reproductive health data on behalf of, and at the direction of, a covered entity.

 

"Reproductive health data" would mean information that is linked or reasonably linkable to an individual and that identifies the individual's past, present, or future reproductive health status. The term would not include information that was used to engage in public or peer-reviewed scientific, historical, or statistical research in the public interest, including information described under Public Act 270 of 1967, that adheres to all other applicable ethics and privacy laws and was approved, monitored, or governed by an institutional review board, human subjects research ethics board, or a similar independent oversight entity that determined that the covered entity implemented reasonable safeguards to reduce privacy risks associated with research, including risks associated with reidentification.[1]

"Collect" would mean to buy, rent, gather, obtain, receive, or access any reproductive health data about an individual in any manner, including, but not limited to, by receiving data from the individual, actively or passively, or by observing or tracking the individual's online activity.

 

"Reproductive health services" would mean health care services or products that support or relate to an individual's reproductive system, pregnancy status, or sexual well-being, including any of the following:

 

--   Individual health conditions, status, diseases, or diagnoses.

--   Social, psychological, behavioral, and medical interventions.

--   Health-related surgeries or procedures, including, but not limited to, abortions.

--   Bodily functions, vital signs, symptoms, or measurements of the information described in this subdivision.

--   Diagnoses or diagnostic testing, treatment, or medication.

--   Medical or nonmedical services related to and provided in conjunction with an abortion, including associated diagnostics, counseling, supplies, and follow-up services.

 

"Reproductive health status" would include all the following as it relates to an individual's reproductive health, menstrual cycle, fertility, pregnancy, pregnancy outcome, plans to conceive, or type of sexual activity:

 

--   Individual health conditions, treatment, diseases, or diagnoses.

--   Social, psychological, behavioral, and medical interventions.

--   Health-related surgeries or procedures.

--   Use or purchase of medications.

--   Bodily functions, vital signs, symptoms, or measurements of such information.

--   Diagnoses or diagnostic testing, treatment, or medication.

--   Data concerning medical or nonmedical services related to and provided in conjunction with an abortion, including associated diagnostics, counseling, supplies, and follow-up services.

--   Biometric data.

 

"Biometric data" would mean data generated by automatic measurements of an individual's biological characteristics, including a fingerprint, a voiceprint, an eye retina, an iris, or any other biological pattern or characteristic used to identify a specific individual. The term would not include any of the following:

 

--   A physical or digital photograph.

--   A video or audio recording.

--   Any data generated from a physical or digital photograph or a video or audio recording, unless the data was generated to identify a specific individual.

--   Genetic data.

--   Precise location information that could reasonably indicate an individual's attempt to acquire or receive reproductive health services or supplies.

--   Data that identified an individual seeking reproductive health services or supplies.

--   Any information that a covered entity, or a covered entity's respective service provider, processed to associate or identify an individual with reproductive health data that was derived or extrapolated from nonhealth information, such as proxy, derivative, inferred, or emergent data, by any means, including algorithms and machine learning.

 

"Consent" would mean a clear affirmative act that signifies an individual's freely given, specific, informed, opt-in, voluntary, and unambiguous agreement and is provided in response to a specific request from a covered entity or a service provider. Additionally, consent could be obtained by electronic means. Consent could not be obtained by any of the following:

   --   A general or broad terms-of-use agreement or a similar document that contained descriptions of reproductive health data processing along with other unrelated information.

   --   An individual hovering over, muting, pausing, or closing a given piece of consent.

   --   Through the use of a deceptive design.

 

"Deceptive design" would mean an interface design or choice architecture to obtain required consent that has been designed or manipulated with the substantial effect of subverting or impairing user autonomy, decision making, or choice, or unfairly, fraudulently, or deceptively manipulating or coercing an individual into providing consent.

 

"Person" would mean an individual or a partnership, corporation, limited liability company, association, governmental entity, or other legal entity.

 

"Process" would mean any use of data provided under the Act.

 

"Sell" or "sale" would mean the exchange of reproductive health data for monetary or other valuable consideration, including the rent, trade, gift, or lease of data for valuable consideration or the expectation of valuable consideration. The term would not include the exchange of reproductive health data for monetary or other valuable consideration to a third party as an asset that was part of a merger, acquisition, bankruptcy, or other transaction in which the third party assumed control of all or part of the covered entity's assets that complied with the requirements and obligations in the Act.

 

"Third party" would mean a person that is not party to a transaction or party's representative for the purposes specified under the Act.

 

Reproductive Health Data Protection

 

The Act would prohibit an entity from collecting or processing reproductive health data unless the entity did the following:

 

--   Provided the individual whose reproductive health data was being collected with a copy of the entity or provider's privacy policy.

--   Obtained clear consent from the individual to whom the reproductive health data pertained, or the individual's authorized representative.

--   Collected or processed the reproductive health data only for at least one of the purposes described below.

 

A covered entity or service provider could collect or process reproductive health data only for the following purposes:

 

--   To provide a product, service, or service feature to the individual to whom the reproductive health data pertained when that individual requested the product, service, or service feature by subscribing to, creating an account with, or otherwise contracting with the covered entity or service provider.

--   To initiate, manage, execute, or complete a financial or commercial transaction or to fulfill an order for a specific product or service requested by an individual to whom the reproductive health data pertained, including associated routine administrative, operational, and account servicing activity such as billing, shipping, storage, and accounting.

--   To comply with an obligation under a State or Federal law.

--   To protect public safety or public health.

 

The Act would prohibit an entity that collected or processed reproductive health data from doing any of the following in performing the purposes described above:

 

--   Collecting more precise reproductive health data than was necessary.

--   Retaining reproductive health data for longer than was necessary.

--   Deriving or inferring from reproductive health data any information that was not necessary.

 

Additionally, an entity could not disclose, cause to disclose, assist with the disclosure of, or facilitate the disclosure of an individual's reproductive health data to a third party, unless the disclosure was necessary to perform a purpose described above or was performed with valid consent obtained from the individual to whom the reproductive health data pertained. An entity that collected or processed reproductive health data would have to provide a clear and conspicuous link on the covered entity or service provider's internet homepage that enabled an individual, or a person authorized by the individual, to request access to and deletion of the individual's reproductive health data.

The provisions described above would not apply to a covered entity or a business associate regarding protected health information under the Health Insurance Portability and Accountability Act (HIPAA) and the regulations promulgated under HIPAA.[2]

 

Prohibition of Disclosure to Governmental Agency

 

The bill would prohibit an entity from disclosing an individual's reproductive health data to a Federal, state, or local governmental agency or official unless at least one of the following applied:

 

--   The governmental agency or official served the covered entity or service provider with a valid warrant or established the existence of exigent circumstances that make it impracticable to obtain a warrant.

--   Disclosure was mandated under State or federal law.

--   Disclosure was requested by the individual to whom the reproductive health data pertained.

 

Additional Consent for Sale of Data

 

Beginning on June 30, 2025, an entity could not sell or offer to sell reproductive health data unless that entity obtained valid consent from the individual to whom the reproductive health data pertained before selling or offering to sell the data. The entity would have to ensure that the manner of sale was consistent with valid consent requirements of the Act.

 

The bill would specify that valid consent for the sale of data would have to be separate and distinct from the consent to collection or processing of the data an entity would have to obtain.

 

To be valid, consent to sale would have to be in writing, in plain language, and contain all the following:

 

--   The specific reproductive health data concerning the individual that the covered entity or service provider intended to sell.

--   The name and contact information of the covered entity or service provider collecting and selling the specific reproductive health data consented to.

--   The name and contact information of the person purchasing the specific reproductive health data.

--   A description of the purpose for the sale, including how the reproductive health data would be gathered by the covered entity or service provider and how the reproductive health data would be used by the person purchasing the reproductive health data.

--   A statement that the provision of goods and services was not conditioned on the individual signing the consent.

--   A statement that the individual had a right to revoke the individual's consent at any time, and a description of how to submit a revocation of the consent.

--   A statement that the reproductive health data sold in accordance with valid consent may be subject to redisclosure by the person purchasing the reproductive health data and could no longer be protected under the consent to sale.

--   The signature of the individual providing consent and the date on which the consent was signed by the individual.

--   An expiration date for the consent, which would have to expire within one year after the individual's signature.

 

Consent would be considered invalid if it had any of the following defects:

 

--   The expiration date had passed.

--   The consent did not contain all the information described above.

--   The consent had been revoked by the individual.

--   The consent had been combined with other documents to create a compound authorization.

--   The provision of goods or services was conditioned on the individual signing the consent document.

 

An entity that sold reproductive health data would have to provide a clear and conspicuous link on the entity's internet homepage that enabled an individual, or a person authorized by the individual, to revoke the individual's consent to sell reproductive health data at any time.

 

The entity would have to provide the signing individual with a copy of the valid consent. Additionally, the entity selling or offering to sell the data and the purchaser of the data would have to retain a copy of the valid consent for at least six years after the date that the consent was signed by the individual or the date when the consent was last in effect, whichever was later.

 

An entity selling an individual's reproductive health data and the purchaser of the reproductive health data would have to enter into a written agreement governing the purchaser's processing of the individual's reproductive health data. The written agreement would have to do all the following:

 

--   Legally bind the purchaser and the entity selling the reproductive health data.

--   Clearly set forth the nature and purpose of the sale, the type of reproductive health data subject to the sale, the duration of processing, and the rights and obligations of both parties.

--   Require the purchaser to adhere to the instructions of the entity.

--   Set out the extent to which the purchaser could process the reproductive health data.

--   Require the purchaser to process the reproductive health data that the purchaser received from the entity only to the extent provided under the requirements of the Act.

--   Require the purchaser to delete or return all reproductive health data to the covered entity or service provider at the end of the provision of services or on revocation of consent by the individual, unless retention of the reproductive health data was required by law.

 

GeoFence

 

The bill would prohibit an entity from implementing a geofence around an entity that provided in-person reproductive health services if the geofence were used to do any of the following:

 

--   Identify or track individuals seeking reproductive health services.

--   Collect reproductive health data from individuals.

--   Send notifications, messages, or advertisements to individuals related to the individual's reproductive health data or reproductive health services.

 

"Geofence" would mean technology that uses global positioning coordinates, cell tower connectivity, cellular data, radio frequency identification, Wi-Fi data, or any other form of spatial or location detection to establish a virtual boundary around a specific physical location, or to locate an individual within a virtual boundary, where the virtual boundary is not more than 1,850 feet from the perimeter of the physical location.

 

Violations & Attorney General Rules

 

Under the Act, the Attorney General could bring an action to enjoin any person from violating the Act. Upon proper showing, a court could grant a permanent or temporary injunction, restraining order, writ of mandamus, or any other order or judgment necessary to enjoin a person from violating the Act. For any action in which the Attorney General prevailed, the Attorney General could recover the costs of the action, including reasonable attorney fees.

 

An individual who suffered a loss as a result of a violation of the Act could bring a civil action against the person that committed the violation to recover any of the following:

 

--   Damages in an amount of not less than $100 and not more than $750 per incident or actual damages, whichever was greater.

--   Injunctive or declaratory relief.

--   Any other appropriate relief.

 

The court could consider any relevant circumstances in determining the amount of damages, including all the following:

 

--   The nature and seriousness of the misconduct.

--   The number of violations.

--   The persistence of the misconduct.

--   The length of time over which the misconduct occurred.

--   The willfulness of the defendant's misconduct.

--   The defendant's assets, liabilities, and net worth.

 

The Act would not serve as a basis for a private right of action under any other law and this provision could not deprive or relieve a person from any rights, duties, or obligations imposed under other State or Federal law. The Attorney General would have to promulgate rules to implement the Act under the Administrative Procedures Act.

 

 

This analysis was prepared by nonpartisan Senate staff for use by the Senate in its deliberations and does not constitute an official statement of legislative intent.

 



[1] Public Act 270 of 1967 governs the collection, reporting, and release of information for medical and healthcare research and education.

[2] "Business associate" would mean a person or entity that performs activities and functions involving the use or disclosure of protected health information on behalf of, or provides services to, certain covered entities under HIPAA.