privacy

A Last-Minute Push for a Reproductive Health Privacy Law in Michigan

On November 7, 2024, the Michigan legislature introduced Senate Bill 1082 / House Bill 6077, the Reproductive Data Privacy Act (the “RDPA” or the “act”). The act was introduced in the aftermath of the 2024 election cycle as Michigan Democrats brace to lose control of the House in 2025. At a hearing in the Senate Committee on Housing and Human Services, lawmakers backing the RDPA expressed a hope to pass the act before the year’s end. 

If passed, the act could have a broad and dramatic impact on a wide range of entities that provide services or products related to reproductive and sexual health and wellness.   

Scope 

The RDPA is modeled after Washington’s My Health, My Data Act (“MHMDA”) in its general form and structure (Hintze Law’s blog series on MHMDA can be found here), but there are some key differences between the two.

Most importantly, the RDPA is drafted to apply to a narrower set of data than MHMDA; rather than governing “consumer health data” broadly, the RDPA would create restrictions related to "reproductive health data." However, this more limited and constrained scope of data is still potentially quite broad and may impact a wide range of organizations that do not think of themselves as providing services specifically related to pregnancy, fertility, or reproduction.

Reproductive health data under the act is “information that is linked or reasonably linkable to an individual and that identifies the individual's past, present, or future reproductive health status” (emphasis added). The act further defines “reproductive health status” broadly a wide range of data types insofar as this information “relates to an individual's reproductive health, menstrual cycle, fertility, pregnancy, pregnancy outcome, plans to conceive, or type of sexual activity.” 

Due to fertility itself often being connected to overall health and the RDPA defining “reproductive health status information” to include a range of information that is “related” to any “type of sexual activity,” there are plausible arguments that the RDPA would apply to a broad range of general and sexual health and wellness information, including activities such as general fitness, buying condoms, or using a dating app. Notably, however, the RDPA diverges from MHMDA’s focus on general consumer health to focus on reproductive health data specifically. This divergence presents a strong counterargument that the RDPA’s scope should be interpreted to extend only to data directly related to pregnancy, fertility, and reproduction. 

The RDPA would govern a narrower range of entities than MHMDA does, governing entities of any size, including non-profits, that “provide[] reproductive health care, placement, or services and collect[] reproductive health data from an individual.” Also covered are any “business or organization that licenses or certifies other persons to provide reproductive health care, placement, or services.” As currently drafted, this definition seems to cover organizations operating within and outside of Michigan, regardless of whether they intentionally target Michigan citizens. 

Finally, it is notable that there is only a very limited exception for entities that are subject to the Health Insurance Portability and Accountability Act (HIPAA). Specifically, HIPAA covered entities and business associates of HIPAA covered entities are exempt only from the requirements of one section – principally, the limits on data collection and use described below.  Most of the RDPA’s restrictions on data disclosure, its "sale" authorization and the right to revoke that authorization (and the corresponding homepage link obligation), and the other obligations of the act would apply to entities covered by HIPAA. 

Limits on Data Collection and Use 

The RDPA requires covered entities to provide notice and obtain consent from consumers for any collection or processing of reproductive health data. Even with such consent, the RDPA also mandates that processing only be done for one of four enumerated purposes:  

  1. to provide products, services, or service features requested by the data subject,  

  2. to conduct financial transactions/fulfill orders for “specific” products/services requested by the data subject, including for routine billing and accounting purposes,  

  3. to comply with Michigan or federal law, or  

  4. “to protect public safety or public health.”  

The act contains additional data minimization provisions. Specifically, it prohibits covered entities from collecting more reproductive health data than necessary to perform these purposes. Covered entities may not infer any information from reproductive health data beyond what necessary to for those purposes. Nor can they retain reproductive health data longer than necessary to achieve those permitted purposes.  

Strict Limits on Data Disclosure 

Under the RDPA, covered entities can disclose reproductive health data to third parties only as necessary to perform the previous stated purposes or with the consent of the data subject. 

Additionally, unlike MHMDA, the RDPA contains unique government access provisions, which would establish that neither covered entities nor their service providers are authorized to provide reproductive health data to government agencies or officials unless: 

  1. that agency or official has a valid warrant (or establishes circumstances making a warrant impossible to obtain),  

  2. the disclosure is mandated by Michigan or federal law, or  

  3. the data subject consents to the disclosure.  

As currently written, the general limitations on data disclosure as noted above would also apply to government access requests. For example, if a law enforcement agency from a state other than Michigan were to present a warrant to a covered entity, the disclosure could still be prohibited unless it also fell into one of the four permitted purposes (of the data subject consented). And the “comply with law” permitted purpose applies only to Michigan or federal law.   

As with similar government access, bills that have passed in other states in the wake of the Dobbs v Jackson Women’s Health Organization decision, this provision appears to be designed to protect individuals from unwanted government interventions into their reproductive health care. 

Finally, like MHMDA, the RDPA would establish that covered entities and their service providers may not “sell” reproductive health data without first obtaining a HIPAA-style valid authorization from individuals. “Sale” is defined broadly, using the California Consumer Privacy Act (CCPA) definition. Such authorization is valid for one year and revocable at any time, and entities would be required to retain records of sale authorizations for at least six years. Such sales could only be conducted according to a prescriptive contract which requires the data purchaser to “adhere to the instructions of the covered entity or service provider [and s]et out the extent to which the purchaser may process the reproductive health data.” As with MHMDA, this authorization requirement is tailored to be an effective prohibition on the “sale” of reproductive health data. 

Data Subject Rights 

The RDPA contains strict obligations regarding data subject rights. The act provides individuals with rights of access and deletion over their reproductive health data. Additionally, it gives data subjects the right to revoke consent for the sale of reproductive health data at any time. In a unique requirement that goes beyond what is required by MHMDA, the act also requires covered entities to provide a “clear and conspicuous” link on their homepage through which individuals could exercise these rights. It is not clear whether this requirement could be satisfied through a link to a privacy center or whether the RDPA would require that these rights be able to be exercised directly through this link. 

Notice 

While the RDPA contains privacy notice obligations, it does not require a specific and separate privacy notice for reproductive health data. This is another departure from the MHMDA which requires a separate Consumer Health Data Privacy Notice.  

Geofencing Prohibition 

The RDPA strictly limits geofencing of entities that provide “in-person reproductive health care services.” Defined broadly, this includes abortion-related services as well as “services or products that support or relate to an individual's reproductive system, pregnancy status, or sexual well-being.” Specifically, the act prohibits the use of such geofences for identifying and/or tracking individuals, collecting reproductive health data, or sending individuals messages related to their reproductive health data or services. 

Enforcement 

The RDPA would be enforceable by the Michigan Attorney General as well as and through a private right of action (“PRA”). This PRA would allow private plaintiffs to seek damages between the amounts of $100.00 - $750.00 (USD) per violation and actual damages, as well as injunctive, declaratory, and other appropriate relief. 

While the RDPA as currently drafted is significantly narrower in scope than MHMDA, its broad definitions and strict requirements suggest that, if the act were to be enforceable by private plaintiffs, it could have a significant impact on companies operating throughout the health and wellness spaces. We will be watching closely for new versions of the bill and to see whether Michigan’s Legislature passes the RDPA into law during the final weeks of the 2024 lame duck session. 

Hintze Law PLLC is a Chambers-ranked and Legal 500-recognized, boutique law firm that provides counseling exclusively on privacy, data security, and AI law. Its attorneys and data consultants support technology, ecommerce, advertising, media, retail, healthcare, and mobile companies, organizations, and industry associations in all aspects of privacy, data security, and AI law. 

Mike Hintze is a Member Partner at Hintze Law PLLC and a recognized leader with over 25 years of experience in privacy and data protection law, policy, and strategy.

 

Felicity Slater is an Associate at Hintze Law PLLC with experience in global data protection issues, data breach notification laws, privacy impact assessments, GDPR, and privacy statements.

California Enacts "genAI" Laws That Introduce New Privacy and Transparency Requirements, Amongst Others 

California Enacts "genAI" Laws That Introduce New Privacy and Transparency Requirements, Amongst Others 

By Emily Litka

In September 2024, California Governor Gavin Newsome signed a number of new generative AI (“genAI”) bills into law. These laws address risks associated with deepfakes, training dataset transparency, use of genAI in healthcare settings, privacy, and AI literacy in schools. California is the first US state to enact such sweeping genAI regulations.

Read More

Washington My Health My Data Act - Part 4: Effective Dates

By Mike Hintze

Yesterday the amended Senate version of the Washington My Health My Data Act was approved by the Washington State Legislature. Now that it is a near certainty the Act will become law in its current form, entities subject to the Act need to start preparing to comply. The key factor in determining deadlines for having compliance measures in place is the effective date of the Act. The Act purports to come into effect on March 31, 2024 (and for small businesses, three months later on June 30, 2024). However, contrary to stated legislative intent, and due to what one can only conclude is, at least in part, a drafting error, some of the key substantive provisions of the Act may come into effect much sooner than expected - as soon as July 2023. 

Read More

Washington My Health My Data Act - Part 3: The Scope of Entities and Consumers Captured by the Act

By Mike Hintze

The Washington My Health My Data Act applies to “regulated entities” that collect or process “consumer health information” from “consumers.” Part two of this series addressed the definition of “consumer health data” and how that definition results in a scope of applicability that is far beyond what we might typically think of as sensitive health data. But the other two above-quoted defined terms – “regulated entity” and “consumer” also result in a very broad (and in some ways surprising) scope and impact. 

Read More

Washington My Health My Data Act - Part 2: The Scope of “Consumer Health Data”

By Mike Hintze

The substantive requirements of the Washington My Health My Data Act apply to collection, use, and disclosure of “consumer health data.” While there are a few important exclusions, the stunning breath of that term's definition, means that it will be difficult to safely conclude that any category of personal data is out of scope of the Act. As a result, it is inaccurate to refer to the Washington My Health My Data Act as a “health data privacy law.” On the contrary, it is, in effect, a generally-applicable privacy law. 

Read More

The Washington My Health My Data Act - Part 1: An Overview

By Mike Hintze

The Washington My Health My Data Act will become the most consequential privacy legislation enacted in 2023. The sweeping scope and extreme substantive obligations, combined with vague terms and with a full private right of action, make this Act extraordinarily challenging and risky for entities seeking to comply with its requirements.

Read More

Direct-to-Consumer Genetic Testing Privacy Laws: California Joins the Party

By Sheila Sokolowski

On October 6, 2021, California’s governor signed the  Genetic Information Privacy Act (the “Act”), adding the state to the growing number enacting laws requiring direct-to-consumer genetic testing companies to protect the privacy and security of their customers’ genetic data. 

Read More

EU-U.S. Privacy Shield Details Released

On February 29, 2016, the European Commission issued a draft “adequacy decision” introducing the EU-U.S. Privacy Shield (“Privacy Shield”). The Privacy Shield replaces the U.S.-EU Safe Harbor Framework (“Safe Harbor”) as the new data transfer agreement legitimizing transfer of EU personal data to the U.S. by certifying participants. As described and linked to in the Commission’s press release, several U.S. government agencies have provided written commitments to enforce the Privacy Shield. These commitments will be published in the U.S. Federal Register.

Read More