A Last-Minute Push for a Reproductive Health Privacy Law in Michigan

November 19, 2024 in Health + Biotech, Health and Biotech, Hintze Law, Privacy, Health Privacy

On November 7, 2024, the Michigan legislature introduced Senate Bill 1082 / House Bill 6077, the Reproductive Data Privacy Act (the “RDPA” or the “act”). The act was introduced in the aftermath of the 2024 election cycle as Michigan Democrats brace to lose control of the House in 2025. At a hearing in the Senate Committee on Housing and Human Services, lawmakers backing the RDPA expressed a hope to pass the act before the year’s end.

If passed, the act could have a broad and dramatic impact on a wide range of entities that provide services or products related to reproductive and sexual health and wellness.

Scope

The RDPA is modeled after Washington’s My Health, My Data Act (“MHMDA”) in its general form and structure (Hintze Law’s blog series on MHMDA can be found here), but there are some key differences between the two.

Most importantly, the RDPA is drafted to apply to a narrower set of data than MHMDA; rather than governing “consumer health data” broadly, the RDPA would create restrictions related to "reproductive health data." However, this more limited and constrained scope of data is still potentially quite broad and may impact a wide range of organizations that do not think of themselves as providing services specifically related to pregnancy, fertility, or reproduction.

Reproductive health data under the act is “information that is linked or reasonably linkable to an individual and that identifies the individual's past, present, or future reproductive health status” (emphasis added). The act further defines “reproductive health status” broadly a wide range of data types insofar as this information “relates to an individual's reproductive health, menstrual cycle, fertility, pregnancy, pregnancy outcome, plans to conceive, or type of sexual activity.”

Due to fertility itself often being connected to overall health and the RDPA defining “reproductive health status information” to include a range of information that is “related” to any “type of sexual activity,” there are plausible arguments that the RDPA would apply to a broad range of general and sexual health and wellness information, including activities such as general fitness, buying condoms, or using a dating app. Notably, however, the RDPA diverges from MHMDA’s focus on general consumer health to focus on reproductive health data specifically. This divergence presents a strong counterargument that the RDPA’s scope should be interpreted to extend only to data directly related to pregnancy, fertility, and reproduction.

The RDPA would govern a narrower range of entities than MHMDA does, governing entities of any size, including non-profits, that “provide[] reproductive health care, placement, or services and collect[] reproductive health data from an individual.” Also covered are any “business or organization that licenses or certifies other persons to provide reproductive health care, placement, or services.” As currently drafted, this definition seems to cover organizations operating within and outside of Michigan, regardless of whether they intentionally target Michigan citizens.

Finally, it is notable that there is only a very limited exception for entities that are subject to the Health Insurance Portability and Accountability Act (HIPAA). Specifically, HIPAA covered entities and business associates of HIPAA covered entities are exempt only from the requirements of one section – principally, the limits on data collection and use described below. Most of the RDPA’s restrictions on data disclosure, its "sale" authorization and the right to revoke that authorization (and the corresponding homepage link obligation), and the other obligations of the act would apply to entities covered by HIPAA.

Limits on Data Collection and Use

The RDPA requires covered entities to provide notice and obtain consent from consumers for any collection or processing of reproductive health data. Even with such consent, the RDPA also mandates that processing only be done for one of four enumerated purposes:

to provide products, services, or service features requested by the data subject,
to conduct financial transactions/fulfill orders for “specific” products/services requested by the data subject, including for routine billing and accounting purposes,
to comply with Michigan or federal law, or
“to protect public safety or public health.”

The act contains additional data minimization provisions. Specifically, it prohibits covered entities from collecting more reproductive health data than necessary to perform these purposes. Covered entities may not infer any information from reproductive health data beyond what necessary to for those purposes. Nor can they retain reproductive health data longer than necessary to achieve those permitted purposes.

Strict Limits on Data Disclosure

Under the RDPA, covered entities can disclose reproductive health data to third parties only as necessary to perform the previous stated purposes or with the consent of the data subject.

Additionally, unlike MHMDA, the RDPA contains unique government access provisions, which would establish that neither covered entities nor their service providers are authorized to provide reproductive health data to government agencies or officials unless:

that agency or official has a valid warrant (or establishes circumstances making a warrant impossible to obtain),
the disclosure is mandated by Michigan or federal law, or
the data subject consents to the disclosure.

As currently written, the general limitations on data disclosure as noted above would also apply to government access requests. For example, if a law enforcement agency from a state other than Michigan were to present a warrant to a covered entity, the disclosure could still be prohibited unless it also fell into one of the four permitted purposes (of the data subject consented). And the “comply with law” permitted purpose applies only to Michigan or federal law.

As with similar government access, bills that have passed in other states in the wake of the Dobbs v Jackson Women’s Health Organization decision, this provision appears to be designed to protect individuals from unwanted government interventions into their reproductive health care.

Finally, like MHMDA, the RDPA would establish that covered entities and their service providers may not “sell” reproductive health data without first obtaining a HIPAA-style valid authorization from individuals. “Sale” is defined broadly, using the California Consumer Privacy Act (CCPA) definition. Such authorization is valid for one year and revocable at any time, and entities would be required to retain records of sale authorizations for at least six years. Such sales could only be conducted according to a prescriptive contract which requires the data purchaser to “adhere to the instructions of the covered entity or service provider [and s]et out the extent to which the purchaser may process the reproductive health data.” As with MHMDA, this authorization requirement is tailored to be an effective prohibition on the “sale” of reproductive health data.

Data Subject Rights

The RDPA contains strict obligations regarding data subject rights. The act provides individuals with rights of access and deletion over their reproductive health data. Additionally, it gives data subjects the right to revoke consent for the sale of reproductive health data at any time. In a unique requirement that goes beyond what is required by MHMDA, the act also requires covered entities to provide a “clear and conspicuous” link on their homepage through which individuals could exercise these rights. It is not clear whether this requirement could be satisfied through a link to a privacy center or whether the RDPA would require that these rights be able to be exercised directly through this link.

Notice

While the RDPA contains privacy notice obligations, it does not require a specific and separate privacy notice for reproductive health data. This is another departure from the MHMDA which requires a separate Consumer Health Data Privacy Notice.

Geofencing Prohibition

The RDPA strictly limits geofencing of entities that provide “in-person reproductive health care services.” Defined broadly, this includes abortion-related services as well as “services or products that support or relate to an individual's reproductive system, pregnancy status, or sexual well-being.” Specifically, the act prohibits the use of such geofences for identifying and/or tracking individuals, collecting reproductive health data, or sending individuals messages related to their reproductive health data or services.

Enforcement

The RDPA would be enforceable by the Michigan Attorney General as well as and through a private right of action (“PRA”). This PRA would allow private plaintiffs to seek damages between the amounts of $100.00 - $750.00 (USD) per violation and actual damages, as well as injunctive, declaratory, and other appropriate relief.

While the RDPA as currently drafted is significantly narrower in scope than MHMDA, its broad definitions and strict requirements suggest that, if the act were to be enforceable by private plaintiffs, it could have a significant impact on companies operating throughout the health and wellness spaces. We will be watching closely for new versions of the bill and to see whether Michigan’s Legislature passes the RDPA into law during the final weeks of the 2024 lame duck session.

Hintze Law PLLC is a Chambers-ranked and Legal 500-recognized, boutique law firm that provides counseling exclusively on privacy, data security, and AI law. Its attorneys and data consultants support technology, ecommerce, advertising, media, retail, healthcare, and mobile companies, organizations, and industry associations in all aspects of privacy, data security, and AI law.

Mike Hintze is a Member Partner at Hintze Law PLLC and a recognized leader with over 25 years of experience in privacy and data protection law, policy, and strategy.

Felicity Slater is an Associate at Hintze Law PLLC with experience in global data protection issues, data breach notification laws, privacy impact assessments, GDPR, and privacy statements.

Hintze Law PLLC Recognized in 2025’s Best Law Firm Rankings

November 07, 2024 in Hintze Law, Awards, Best Lawyers, Best Law Firms, Technology Law, Information Technology La

We are pleased to share that Hintze Law has been recognized for excellence in Information Technology Law and Technology Law in the 2025 edition Best Law Firms® rankings. The firm has been ranked in these areas both nationally and in the Seattle area.

California Enacts "genAI" Laws That Introduce New Privacy and Transparency Requirements, Amongst Others

October 08, 2024 in CCPA, Cybersecurity, Hintze Law, Privacy

By Emily Litka

In September 2024, California Governor Gavin Newsome signed a number of new generative AI (“genAI”) bills into law. These laws address risks associated with deepfakes, training dataset transparency, use of genAI in healthcare settings, privacy, and AI literacy in schools. California is the first US state to enact such sweeping genAI regulations.

Congrats to Taylor Widawski for Promotion to Partner

September 03, 2024 in Hintze Law

Hintze Law, PLLC is delighted to announce that, effective September 2024, Taylor Widawski has been promoted to partner!

Hintze Law and Attorneys Recognized in Chambers USA Guide 2024 Rankings

June 11, 2024 in Hintze Law

We’re pleased to share that Hintze Law and attorneys at the firm have been recognized once again by Chambers & Partners for expertise in a number of Privacy and Data Security areas in the 2024 Chambers USA Guide. These recognitions include Hintze Law’s fourth year being ranked as an Elite Law Firm for Privacy and Data Security – USA Nationwide. One of Hintze Law’s clients that Chambers interviewed shared that "Hintze's team has unique experience that allows them to dig into complex issues and provide practical, actionable advice."

Hintze Global Privacy and Security Updates

February 29, 2024 in Global Privacy Updates, Global Privacy & Security, Hintze Law, Privacy

Hintze Law continuously tracks privacy and security updates around the world to bring you a regular update of the latest developments. Below is a snapshot of updates from the last month. If you missed our last round of updates, you can find those here.

Destiny Ginn Joins Hintze Law as an Associate

August 28, 2023 in Hintze Law

Hintze Law PLLC is excited to announce that Destiny Ginn has joined the firm as a first-year associate* in the Seattle office.

Hintze Law Attorneys Mike Hintze and Jevan Hutson recognized by The Best Lawyers in America 2024

August 18, 2023 in Hintze Law

Hintze Law PLLC is delighted to announce that Mike Hintze, Member Partner, and Jevan Hutson, Associate, have been recognized by Best Lawyers®. Mike is recognized in The Best Lawyers in America® 2024 edition under the category of Information Technology Law and Technology Law for his work in privacy and data security. Jevan is recognized in the 2024 Best Lawyers: Ones to Watch™ in America for his work in Privacy and Data Security Law.

Hintze Law Associate Jevan Hutson Recognized as Super Lawyer

August 01, 2023 in Hintze Law

Please join us in congratulating, Jevan Hutson, Associate at Hintze Law PLLC, for earning recognition as 2023 Washington Rising Star by Super Lawyers, part of Thomson Reuters. Jevan is a Certified Information Privacy Professional (CIPP) and Certified Information Privacy Manager and key member of Hintze’s Cybersecurity & Breach Response Group and the Artificial Intelligence and Machine Learning Group. His recognition stems in part from his role as a respected expert and thought leader on artificial intelligence (AI) and machine learning (ML) ethics, law, and policy.

Hintze Law Receives DEI Roundtable Law Firm Diversity Award

August 01, 2023 in Hintze Law

By Ro Friend & Susan Hintze

Here at Hintze Law, we are thrilled and honored to announce that through a nomination by LinkedIn, we have been awarded the DEI Roundtable Law Firm Diversity Award for our commitment to diversity, equity, and inclusion. The DEI Roundtable consists of legal counsel from tech leaders AirBnB, ByteDance/TikTok, Google, LinkedIn, Meta, Microsoft, Snap, & ZenDesk and provides a platform for fruitful discussions about how we can collectively support and improve diversity in our community.

Hintze Law Welcomes Zachary Douglas as a Privacy Analyst & Sr. Paralegal

July 13, 2023 in Hintze Law

Hintze Law PLLC is thrilled to announce that Zachary Douglas has joined the firm as a part of our growing team of talented privacy analysts who complement Hintze Law’s team of privacy and cybersecurity attorneys.

Hintze Law Recognized in Chambers and The Legal 500 2023 Guides

July 06, 2023 in Hintze Law, Health and Biotech

Hintze Law PLLC is pleased to announce that Chambers & Partners has once again recognized Hintze Law and its partners Sheila Sokolowski, Susan Hintze, and Mike Hintze in its 2023 USA Privacy & Data Security rankings. The firm was also recently recognized in The Legal 500’s 2023 US Cyber Law rankings.

Amy Lanchester Joins Hintze Law PLLC as a Senior Privacy Analyst

April 17, 2023 in Hintze Law

Hintze Law PLLC is pleased to announce that Amy Lanchester has joined the firm as a Senior Privacy Analyst. Amy, based in the Atlanta-metro area, comes to Hintze with over six years of experience working on global data protection matters, including the California Consumer Protection Act (CCPA), the EU General Data Protection Regulation (GDPR), and COPPA. Amy is skilled at crafting and executing strategies to prioritize and unify privacy program objectives. Amy joins Hintze Law’s growing team of talented privacy analysts who complement Hintze Law’s team of privacy and cybersecurity attorneys.

Hintze Law PLLC Welcomes Leslie Veloz & Cameron Cantrell as Associates

October 07, 2022 in Hintze Law

We are thrilled to announce that first-year associates, Leslie Veloz and Cameron Cantrell, have joined Hintze Law in the Seattle Office.

Taylor Widawski Joins Hintze Law as Senior Associate

September 12, 2022 in Hintze Law

Hintze Law PLLC announced today that Taylor Widawski has joined the firm as Senior Associate. Taylor comes to Hintze Law’s Seattle office from Chime Financial, where she was in house privacy counsel. Prior to that, she was privacy counsel at T-Mobile and an associate with a large national law firm.

Deb Gray Joins Hintze Law's Growing Team of Privacy & Cybersecurity Analysts

August 22, 2022 in Hintze Law

Hintze Law PLLC is very pleased to announce that Deb Gray has joined the firm as a Senior Privacy Analyst. Deb comes to Hintze Law’s Seattle office with over two decades of deep and wide-ranging experience and programmatic skills in privacy and data protection matters, including the California Consumer Protection Act (CCPA), the EU General Data Protection Regulation (GDPR), and COPPA. Deb joins Hintze Law’s growing team of talented privacy analysts who complement Hintze Law’s team of privacy and cybersecurity attorneys.

Hintze Law Welcomes Sam Castic as its Newest Partner

August 15, 2022 in Hintze Law

Hintze Law PLLC is delighted to announce that Sam Castic has joined the firm as its newest Partner. Sam comes to Hintze Law’s Seattle office with over 15 years of global privacy and cybersecurity experience, most recently as Chief Privacy Officer for Blackhawk Network and as Senior Director Privacy & Associate General Counsel at Nordstrom. In addition to Sam’s experience leading corporate privacy teams and programs, he has advised clients ranging from early-stage startups to large global corporations on privacy, cybersecurity, and data protection matters at Orrick and at K&L Gates.

Chambers Ranks Hintze Law and Partners Sheila Sokolowski, Susan Hintze, and Mike Hintze in 2022 USA Privacy & Data Security Reviews

June 02, 2022 in Hintze Law

We are honored to announce that Chambers & Partners has recognized Sheila Sokolowski, Partner and Chair of Hintze Law’s Health & Biotech Privacy Group in its 2022 USA - Nationwide Privacy& Data Security Healthcare rankings. Chambers has also once again recognized Hintze Law and Member Partners, Mike Hintze and Susan Hintze, in its 2022 Privacy & Data Security USA – Nationwide rankings.

Hintze Law Adds Laura Lemire as Of Counsel

April 08, 2022 in Hintze Law

Hintze Law PLLC announced today that Laura Lemire has joined the firm as Of Counsel. Laura comes to Hintze Law’s Seattle office with over a decade of global privacy, cybersecurity, and technology law experience as former privacy counsel for Twitter and Microsoft.

Hintze Law Welcomes Mason Fitch to Health and Biotech Team

January 25, 2022 in Hintze Law

We are excited to announce that Mason Fitch has joined the Hintze Law team as the newest member of our Health & Biotech Team. Mason joins us from Hims & Hers Health, a telehealth startup, where he served as their first Privacy Counsel.