By Mike Hintze and Felicity Slater
On November 7, 2024, the Michigan legislature introduced Senate Bill 1082 / House Bill 6077, the Reproductive Data Privacy Act (the “RDPA” or the “act”). The act was introduced in the aftermath of the 2024 election cycle as Michigan Democrats brace to lose control of the House in 2025. At a hearing in the Senate Committee on Housing and Human Services, lawmakers backing the RDPA expressed a hope to pass the act before the year’s end.
If passed, the act could have a broad and dramatic impact on a wide range of entities that provide services or products related to reproductive and sexual health and wellness.
Scope
The RDPA is modeled after Washington’s My Health, My Data Act (“MHMDA”) in its general form and structure (Hintze Law’s blog series on MHMDA can be found here), but there are some key differences between the two.
Most importantly, the RDPA is drafted to apply to a narrower set of data than MHMDA; rather than governing “consumer health data” broadly, the RDPA would create restrictions related to "reproductive health data." However, this more limited and constrained scope of data is still potentially quite broad and may impact a wide range of organizations that do not think of themselves as providing services specifically related to pregnancy, fertility, or reproduction.
Reproductive health data under the act is “information that is linked or reasonably linkable to an individual and that identifies the individual's past, present, or future reproductive health status” (emphasis added). The act further defines “reproductive health status” broadly a wide range of data types insofar as this information “relates to an individual's reproductive health, menstrual cycle, fertility, pregnancy, pregnancy outcome, plans to conceive, or type of sexual activity.”
Due to fertility itself often being connected to overall health and the RDPA defining “reproductive health status information” to include a range of information that is “related” to any “type of sexual activity,” there are plausible arguments that the RDPA would apply to a broad range of general and sexual health and wellness information, including activities such as general fitness, buying condoms, or using a dating app. Notably, however, the RDPA diverges from MHMDA’s focus on general consumer health to focus on reproductive health data specifically. This divergence presents a strong counterargument that the RDPA’s scope should be interpreted to extend only to data directly related to pregnancy, fertility, and reproduction.
The RDPA would govern a narrower range of entities than MHMDA does, governing entities of any size, including non-profits, that “provide[] reproductive health care, placement, or services and collect[] reproductive health data from an individual.” Also covered are any “business or organization that licenses or certifies other persons to provide reproductive health care, placement, or services.” As currently drafted, this definition seems to cover organizations operating within and outside of Michigan, regardless of whether they intentionally target Michigan citizens.
Finally, it is notable that there is only a very limited exception for entities that are subject to the Health Insurance Portability and Accountability Act (HIPAA). Specifically, HIPAA covered entities and business associates of HIPAA covered entities are exempt only from the requirements of one section – principally, the limits on data collection and use described below. Most of the RDPA’s restrictions on data disclosure, its "sale" authorization and the right to revoke that authorization (and the corresponding homepage link obligation), and the other obligations of the act would apply to entities covered by HIPAA.
Limits on Data Collection and Use
The RDPA requires covered entities to provide notice and obtain consent from consumers for any collection or processing of reproductive health data. Even with such consent, the RDPA also mandates that processing only be done for one of four enumerated purposes:
to provide products, services, or service features requested by the data subject,
to conduct financial transactions/fulfill orders for “specific” products/services requested by the data subject, including for routine billing and accounting purposes,
to comply with Michigan or federal law, or
“to protect public safety or public health.”
The act contains additional data minimization provisions. Specifically, it prohibits covered entities from collecting more reproductive health data than necessary to perform these purposes. Covered entities may not infer any information from reproductive health data beyond what necessary to for those purposes. Nor can they retain reproductive health data longer than necessary to achieve those permitted purposes.
Strict Limits on Data Disclosure
Under the RDPA, covered entities can disclose reproductive health data to third parties only as necessary to perform the previous stated purposes or with the consent of the data subject.
Additionally, unlike MHMDA, the RDPA contains unique government access provisions, which would establish that neither covered entities nor their service providers are authorized to provide reproductive health data to government agencies or officials unless:
that agency or official has a valid warrant (or establishes circumstances making a warrant impossible to obtain),
the disclosure is mandated by Michigan or federal law, or
the data subject consents to the disclosure.
As currently written, the general limitations on data disclosure as noted above would also apply to government access requests. For example, if a law enforcement agency from a state other than Michigan were to present a warrant to a covered entity, the disclosure could still be prohibited unless it also fell into one of the four permitted purposes (of the data subject consented). And the “comply with law” permitted purpose applies only to Michigan or federal law.
As with similar government access, bills that have passed in other states in the wake of the Dobbs v Jackson Women’s Health Organization decision, this provision appears to be designed to protect individuals from unwanted government interventions into their reproductive health care.
Finally, like MHMDA, the RDPA would establish that covered entities and their service providers may not “sell” reproductive health data without first obtaining a HIPAA-style valid authorization from individuals. “Sale” is defined broadly, using the California Consumer Privacy Act (CCPA) definition. Such authorization is valid for one year and revocable at any time, and entities would be required to retain records of sale authorizations for at least six years. Such sales could only be conducted according to a prescriptive contract which requires the data purchaser to “adhere to the instructions of the covered entity or service provider [and s]et out the extent to which the purchaser may process the reproductive health data.” As with MHMDA, this authorization requirement is tailored to be an effective prohibition on the “sale” of reproductive health data.
Data Subject Rights
The RDPA contains strict obligations regarding data subject rights. The act provides individuals with rights of access and deletion over their reproductive health data. Additionally, it gives data subjects the right to revoke consent for the sale of reproductive health data at any time. In a unique requirement that goes beyond what is required by MHMDA, the act also requires covered entities to provide a “clear and conspicuous” link on their homepage through which individuals could exercise these rights. It is not clear whether this requirement could be satisfied through a link to a privacy center or whether the RDPA would require that these rights be able to be exercised directly through this link.
Notice
While the RDPA contains privacy notice obligations, it does not require a specific and separate privacy notice for reproductive health data. This is another departure from the MHMDA which requires a separate Consumer Health Data Privacy Notice.
Geofencing Prohibition
The RDPA strictly limits geofencing of entities that provide “in-person reproductive health care services.” Defined broadly, this includes abortion-related services as well as “services or products that support or relate to an individual's reproductive system, pregnancy status, or sexual well-being.” Specifically, the act prohibits the use of such geofences for identifying and/or tracking individuals, collecting reproductive health data, or sending individuals messages related to their reproductive health data or services.
Enforcement
The RDPA would be enforceable by the Michigan Attorney General as well as and through a private right of action (“PRA”). This PRA would allow private plaintiffs to seek damages between the amounts of $100.00 - $750.00 (USD) per violation and actual damages, as well as injunctive, declaratory, and other appropriate relief.
While the RDPA as currently drafted is significantly narrower in scope than MHMDA, its broad definitions and strict requirements suggest that, if the act were to be enforceable by private plaintiffs, it could have a significant impact on companies operating throughout the health and wellness spaces. We will be watching closely for new versions of the bill and to see whether Michigan’s Legislature passes the RDPA into law during the final weeks of the 2024 lame duck session.
Hintze Law PLLC is a Chambers-ranked and Legal 500-recognized, boutique law firm that provides counseling exclusively on privacy, data security, and AI law. Its attorneys and data consultants support technology, ecommerce, advertising, media, retail, healthcare, and mobile companies, organizations, and industry associations in all aspects of privacy, data security, and AI law.
Mike Hintze is a Member Partner at Hintze Law PLLC and a recognized leader with over 25 years of experience in privacy and data protection law, policy, and strategy.
Felicity Slater is an Associate at Hintze Law PLLC with experience in global data protection issues, data breach notification laws, privacy impact assessments, GDPR, and privacy statements.
