Substitute For
SENATE BILL NO. 1082
A bill to regulate the collection, processing, and selling of reproductive health data; to regulate the disclosure of reproductive health data; to require individual consent to collect, process, and sell reproductive health data; to prohibit the use of geofences around facilities that provide reproductive health services; to provide remedies and prescribe civil sanctions; and to provide for the powers and duties of certain state governmental officers and entities.
THE PEOPLE OF THE STATE OF MICHIGAN ENACT:
Sec. 1. This act may be cited as the "reproductive health data privacy act".
(a) "Affiliate" means a legal entity that is controlled by or is under common control with another legal entity. For the purposes of this subdivision, an entity is controlled by another entity or under common control if the controlling entity has any of the following:
(i) The majority voting or ownership interest of the outstanding shares of any class of voting security of the controlled entity.
(ii) Control in any manner over the election of a majority of the directors or of individuals exercising similar functions of the controlled entity.
(iii) The power to exercise controlling influence over the management of the controlled entity.
(b) "Collect" means to buy, rent, gather, obtain, receive, or access any reproductive health data about an individual in any manner, including, but not limited to, by receiving data from the individual, actively or passively, or by observing or tracking the individual's online activity.
(c) "Consent" means a clear affirmative act that signifies an individual's freely given, specific, informed, opt-in, voluntary, and unambiguous agreement, that may be given electronically, and is provided in response to a specific request from a regulated entity or a service provider. Consent does not include an agreement obtained by any of the following:
(i) A general or broad terms-of-use agreement or a similar document that contains descriptions of reproductive health data processing along with other unrelated information.
(ii) An individual hovering over, muting, pausing, or closing a given piece of consent.
(iii) Through the use of a deceptive design.
(d) "Deceptive design" means an interface design or choice architecture to obtain required consent that has been designed or manipulated with the substantial effect of subverting or impairing user autonomy, decision making, or choice, or unfairly, fraudulently, or deceptively manipulating or coercing an individual into providing consent.
(e) "Geofence" means technology that uses global positioning coordinates, cell tower connectivity, cellular data, radio frequency identification, Wi-Fi data, or any other form of spatial or location detection to establish a virtual boundary around a specific physical location, or to locate an individual within a virtual boundary, where the virtual boundary is not more than 1,850 feet from the perimeter of the physical location.
(f) "Mobile application" means a software program that runs on the operating system of a cellular telephone, a tablet computer, or a similar portable computing device that transmits data over a wireless connection and includes a service or application offered via a connected device.
(g) "Person" means an individual or a partnership, corporation, limited liability company, association, governmental entity, or other legal entity.
(h) "Process" means any use of data provided under this act.
(i) "Publicly available information" means information that has been made lawfully available by federal, state, or municipal government records, widely distributed media, or a disclosure to the general public as required under federal, state, or local law. Publicly available information does not include any of the following:
(i) An obscene visual depiction as that term is defined in 18 USC 1460.
(ii) An inference made exclusively from multiple independent sources of publicly available information that reveals an individual's reproductive health data.
(iii) Biometric data.
(iv) Reproductive health data that is created through the combination of information that identifies the individual's past, present, or future reproductive health status with publicly available information.
(v) Genetic data, unless the data is otherwise made publicly available by the individual to whom the information pertains.
(vi) Information made available by an individual on a website or online service made available to all members of the public, for free or for a fee, where the consumer has maintained a reasonable expectation of privacy by restricting the information to a specific audience.
(vii) Intimate images, authentic or computer generated, known to be nonconsensual.
(j) "Regulated entity" means a public, private, operated for profit, or not operated for profit business or organization that provides reproductive health care or services and collects reproductive health data from an individual. Regulated entity includes a business or organization that licenses or certifies other persons to provide reproductive health care or services.
(k) "Reproductive health data" means information that is linked or reasonably linkable to an individual and that identifies the individual's past, present, or future reproductive health status. Reproductive health data does not include aggregated and de-identified data or information that is used to engage in public or peer-reviewed scientific, historical, or statistical research in the public interest, including information described under 1967 PA 270, MCL 331.531 to 331.534, that adheres to all other applicable ethics and privacy laws and is approved, monitored, or governed by an institutional review board, human subjects research ethics board, or a similar independent oversight entity that determines that the regulated entity has implemented reasonable safeguards to reduce privacy risks associated with research, including risks associated with reidentification.
(l) "Reproductive health services" means health care services or products that support an individual's reproductive system, pregnancy status, or sexual well-being, including, but not limited to, any of the following:
(i) Individual health conditions, status, diseases, or diagnoses.
(ii) Social, psychological, behavioral, and medical interventions.
(iii) Health-related surgeries or procedures, including, but not limited to, abortions.
(iv) Bodily functions, vital signs, symptoms, or measurements of the information described in this subdivision.
(v) Diagnoses or diagnostic testing, treatment, or medication.
(vi) Medical or nonmedical services related to and provided in conjunction with an abortion, including, but not limited to, associated diagnostics, counseling, supplies, and follow-up services.
(m) "Reproductive health status" means any of the following as it relates to an individual's reproductive health, menstrual cycle, fertility, pregnancy, pregnancy outcome, plans to conceive, or type of sexual activity:
(i) Individual health conditions, treatment, or diseases.
(ii) Diagnoses done by a medical professional.
(iii) Social, psychological, behavioral, and medical interventions.
(iv) Health-related surgeries or procedures.
(v) Use or purchase of medications.
(vi) Bodily functions, vital signs, symptoms, or measurements of the information described in this subdivision.
(vii) Diagnoses or diagnostic testing, treatment, or medication done or prescribed by a medical professional.
(viii) Data concerning medical or nonmedical services related to and provided in conjunction with an abortion, including, but not limited to, associated diagnostics, counseling, supplies, and follow-up services done by a medical professional.
(ix) Biometric data. As used in this subparagraph, "biometric data" means data generated by automatic measurements of an individual's biological characteristics, including, but not limited to, a fingerprint, a voiceprint, an eye retina, an iris, or any other biological pattern or characteristic used to identify a specific individual. Biometric data does not include any of the following:
(A) A physical or digital photograph.
(B) A video or audio recording.
(C) Any data generated from a physical or digital photograph or a video or audio recording, unless the data is generated to identify a specific individual.
(x) Genetic data.
(xi) Precise location information that could reasonably indicate an individual's attempt to acquire or receive reproductive health services or supplies.
(xii) Data that identifies an individual seeking reproductive health services or supplies.
(xiii) Any information that a regulated entity, or a regulated entity's respective service provider, processes to associate or identify an individual with the data described in subparagraphs (i) to (xi) that is derived or extrapolated from other information, such as proxy, derivative, inferred, or emergent data, by any means, including algorithms and machine learning.
(n) "Sell" or "sale" means the exchange of reproductive health data for monetary or other valuable consideration by a regulated entity to a third party. Sell or sale does not include any of the following:
(i) The exchange of reproductive health data for monetary or other valuable consideration to a third party as an asset that is part of a merger, acquisition, bankruptcy, or other transaction, or a proposed merger, acquisition, bankruptcy, or other transaction, in which the third party assumes control of all or part of the regulated entity's assets, only if the regulated entity, in a reasonable time before the exchange, provides the affected individual with both of the following:
(A) A notice describing the transfer, including the name of the entity receiving the individual's reproductive health data and the applicable privacy policies of the entity.
(B) A reasonable opportunity to withdraw previously provided consent related to the individual's reproductive health data and request the deletion of the individual's reproductive health data.
(ii) The disclosure of reproductive health data to a service provider that processes reproductive health data on behalf of a regulated entity.
(iii) The disclosure or transfer of reproductive health data to an affiliate of a regulated entity.
(iv) The disclosure of publicly available information.
(o) "Service provider" means a person that collects, processes, retains, transfers, or sells reproductive health data on behalf of, and at the direction of, a regulated entity.
(p) "Third party" means a person other than a party to a transaction or a party's representative for the purposes specified under this act.
(q) "Trade secrets" means that term as defined in the uniform trade secrets act, 1998 PA 448, MCL 445.1902.
Sec. 5. (1) A regulated entity shall not collect or process reproductive health data unless the regulated entity does all of the following:
(a) Provides the individual whose reproductive health data is being collected with a copy of the regulated entity's privacy policy.
(b) Obtains consent from the individual to whom the reproductive health data pertains, or the individual's authorized representative.
(c) Collects or processes the reproductive health data only for 1 or more purposes described under subsection (3).
(2) This section does not apply to reproductive health data that is considered protected health information or to information originating from, and intermingled to be indistinguishable with, protected health information that is maintained by a covered entity or business associate as those terms are defined by the health insurance portability and accountability act of 1996, Public Law 104-191, and the regulations promulgated under that act, 45 CFR parts 160 and 164. As used in this subsection, "protected health information" means that term as defined in the health insurance portability and accountability act of 1996, Public Law 104-191.
(3) A regulated entity may process reproductive health data only for the following purposes:
(a) As strictly necessary to provide a product, service, or service feature to the individual to whom the reproductive health data pertains when requested by that individual.
(b) To initiate, manage, execute, or complete a financial or commercial transaction or to fulfill an order for a specific product or service requested by an individual to whom the reproductive health data pertains, including, but not limited to, associated routine administrative, operational, and account servicing activity such as billing, shipping, storage, and accounting.
(c) To comply with an obligation under a law of this state or federal law.
(d) To protect public safety or public health.
(e) To prevent, detect, protect against, or respond to a security incident, identity theft, fraud, harassment, malicious or deceptive activities, or activities that are illegal under the laws of this state.
(f) To preserve the integrity or security of systems.
(g) To investigate, report, or prosecute persons responsible for activities that are illegal under the laws of this state.
(4) A regulated entity that collects or processes reproductive health data shall not do any of the following:
(a) Collect more precise reproductive health data than is necessary to perform a purpose described in subsection (3).
(b) Retain reproductive health data for longer than is necessary to perform a purpose described in subsection (3).
(c) Derive or infer from reproductive health data any information that is not necessary to perform a purpose described in subsection (3).
(d) Disclose, cause to disclose, assist with the disclosure of, or facilitate the disclosure of an individual's reproductive health data to a third party, unless the disclosure is either of the following:
(i) Necessary to perform a purpose described under subsection (3).
(ii) Subject to the requirements of section 6, disclosed to a service provider.
(5) A regulated entity that collects or processes reproductive health data shall provide a clear and conspicuous link, that is secure and reliable, on the regulated entity's internet homepage or mobile application that enables an individual, or a person authorized by the individual, to request access to and deletion of the individual's reproductive health data. Access provided under this subsection must not require the disclosure of trade secrets.
(6) A regulated entity shall respond to a request under this section without undue delay, but not later than 45 days after the receipt of the individual's request. The response period may be extended by an additional 45 days if reasonably necessary, considering the complexity and volume of the individual's requests. The individual must be informed of an extension and the reason for the extension within the initial 45-day response period.
Sec. 6. (1) A service provider shall process reproductive health data only under a contract with a regulated entity that sets forth the processing instructions and limits the actions that the service provider may take with respect to the reproductive health data that the service provider processes on behalf of the regulated entity.
(2) A service provider shall process reproductive health data in a manner that is consistent with the instructions set forth in the contract under subsection (1).
(3) If a service provider knowingly fails to comply with the instructions in the contract under subsection (1) or processes reproductive health data in a manner inconsistent with the contract under subsection (1), the service provider is considered a regulated entity regarding that reproductive health data and is subject to all of the requirements of this act.
(4) A service provider shall assist the regulated entity by appropriate technical or organizational measures, if possible, in fulfilling the regulated entity's obligations under this act.
Sec. 7. A regulated entity or service provider shall not disclose an individual's reproductive health data to a federal, state, or local governmental agency or official unless 1 or more of the following applies:
(a) The governmental agency or official serves the regulated entity or service provider with a valid warrant or establishes the existence of exigent circumstances that make it impracticable to obtain a warrant, except as prohibited by the laws of this state.
(b) Disclosure is mandated under the laws of this state or federal law.
(c) Disclosure is requested by the individual to whom the reproductive health data pertains.
(d) Disclosure is ordered by a federal court.
Sec. 9. (1) Beginning on June 30, 2027, a regulated entity or service provider shall not sell or offer to sell reproductive health data unless the regulated entity or service provider obtains valid consent in accordance with subsection (4) from the individual to whom the reproductive health data pertains before selling or offering to sell the reproductive health data.
(2) A regulated entity or service provider shall not sell or offer to sell reproductive health data in a manner that is inconsistent with valid consent obtained under this section.
(3) Valid consent under this section is separate and distinct from consent obtained under section 5.
(4) To be valid, consent under this section must be in writing, in plain language, and contain all of the following:
(a) The specific reproductive health data concerning the individual that the regulated entity or service provider intends to sell.
(b) The name and contact information of the regulated entity or service provider collecting and selling the reproductive health data described in subdivision (a).
(c) The name and contact information of the person purchasing the reproductive health data described in subdivision (a).
(d) A description of the purpose for the sale, including how the reproductive health data will be gathered by the regulated entity or service provider and how the reproductive health data will be used by the person purchasing the reproductive health data.
(e) A statement that the provision of goods and services is not conditioned on the individual signing the consent.
(f) A statement that the individual has a right to revoke the individual's consent at any time, and a description of how to submit a revocation of the consent.
(g) A statement that the reproductive health data sold in accordance with valid consent may be subject to redisclosure by the person purchasing the reproductive health data and may no longer be protected under this section.
(h) The signature of the individual providing consent and the date on which the consent was signed by the individual.
(i) An expiration date for the consent, which must expire within 1 year after the individual's signature.
(5) Consent is not valid if it has any of the following defects:
(a) The expiration date has passed.
(b) The consent does not contain all of the information required under subsection (4).
(c) The consent has been revoked by the individual.
(d) The consent has been combined with other documents to create a compound authorization.
(e) The provision of goods or services is conditioned on the individual signing the consent document.
(6) A copy of the valid consent must be provided to the individual by the regulated entity or service provider selling or offering to sell the reproductive health data.
(7) The regulated entity or service provider selling or offering to sell the reproductive health data and the purchaser of the reproductive health data shall retain a copy of the valid consent for not less than 6 years after the date that the consent is signed by the individual or the date when the consent was last in effect, whichever is later.
(8) A regulated entity or service provider that sells reproductive health data shall provide a clear and conspicuous link on the regulated entity or service provider's internet homepage or mobile application that enables an individual, or a person authorized by the individual, to revoke the individual's consent to sell reproductive health data at any time.
(9) A regulated entity or service provider selling an individual's reproductive health data and the purchaser of the reproductive health data shall enter into a written agreement governing the purchaser's processing of the individual's reproductive health data. The written agreement must do all of the following:
(a) Legally bind the purchaser and the regulated entity or service provider selling the reproductive health data.
(b) Clearly set forth the nature and purpose of the sale, the type of reproductive health data subject to the sale, the duration of processing, and the rights and obligations of both parties.
(c) Require the purchaser to adhere to the instructions of the regulated entity or service provider.
(d) Set out the extent to which the purchaser may process the reproductive health data.
(e) Require the purchaser to process the reproductive health data that the purchaser receives from the regulated entity or service provider only to the extent provided for under subdivision (d).
(f) Require the purchaser to delete or return all reproductive health data to the regulated entity or service provider at the end of the provision of services or on revocation of consent by the individual, unless retention of the reproductive health data is required by law.
Sec. 11. A person shall not implement a geofence around an entity that provides in-person reproductive health services if the geofence is used to do any of the following:
(a) Identify or track individuals for the purpose of determining whether the individual is seeking reproductive health services.
(b) Collect reproductive health data from individuals.
(c) Send notifications, messages, or advertisements to individuals related to the individual's reproductive health data or reproductive health services.
Sec. 13. (1) The attorney general may bring an action to enjoin any person from violating this act. On proper showing, a court may grant a permanent or temporary injunction, restraining order, writ of mandamus, or any other order or judgment necessary to enjoin a person from violating this act. For any action in which the attorney general prevails, the attorney general may recover the costs of the action, including reasonable attorney fees.
(2) The attorney general or an individual who alleges a loss as a result of a violation of this act may bring a civil action against the person that committed the violation to recover any of the following:
(a) Damages in an amount of not less than $100.00 and not more than $750.00 per incident or actual damages, whichever is greater.
(b) Injunctive or declaratory relief.
(c) Any other appropriate relief.
(3) The court may consider any relevant circumstances in determining the amount of damages, including, but not limited to, all of the following:
(a) The nature and seriousness of the misconduct.
(b) The number of violations.
(c) The persistence of the misconduct.
(d) The length of time over which the misconduct occurred.
(e) The willfulness of the defendant's misconduct.
(f) The defendant's assets, liabilities, and net worth.
(4) This act does not serve as a basis for a private right of action under any other law. This subsection does not deprive or relieve a person from any rights, duties, or obligations imposed under other laws of this state or federal law.
Sec. 15. The attorney general may promulgate rules to implement this act under the administrative procedures act of 1969, 1969 PA 306, MCL 24.201 to 24.328.
Enacting section 1. This act takes effect 2 years after the date it is enacted into law.