PolicyBrief
H.R. 3916
119th Congress, Jun 11th 2025
My Body, My Data Act of 2025
IN COMMITTEE

The My Body, My Data Act of 2025 establishes strict limits on the collection, use, and sharing of personal reproductive and sexual health information, while granting individuals robust rights to access, correct, and delete their sensitive data.

Sara Jacobs (D), Representative, CA-51

New Federal Act Demands Businesses Delete Your Reproductive Health Data Within 15 Days of Request

If you’ve ever worried about your health app data—especially anything related to fertility tracking, periods, or clinic visits—getting sold or shared, this bill is for you. The “My Body, My Data Act of 2025” is a major new piece of federal legislation that creates a powerful, specific privacy shield around personal reproductive and sexual health information.

The "Need-to-Know" Rule for Your Health Data

Section 2 of this Act introduces a strict "data minimization" standard. Any company that falls under this new rule—called a “Regulated Entity”—can only collect, keep, or use your reproductive or sexual health information if it is strictly necessary to provide you with the exact product or service you asked for. Think of it like this: if you’re using a period tracker app, it needs your cycle data to function, but it absolutely doesn't need to share that data with an ad tech company trying to sell you baby clothes. The law is clear: if you didn’t ask for it, they can’t have it, and they certainly can’t use it for anything else. This rule also restricts who inside the company can even look at the data: only employees who absolutely need it to do their job get access.

Your New Rights: Access, Fix, and Delete in 15 Days

Section 3 hands you three powerful new rights over your sensitive health data, and it comes with a tight deadline for companies. You can now demand to see all the reproductive health data they have on you, including data they inferred or bought from third parties (and they have to tell you where they got it). If you spot a mistake, you can demand they correct it. Most importantly, you get the right to deletion. If you want that data gone—whether it’s held by the company or their service providers—they must comply quickly, and no later than 15 days after your verified request. They cannot charge you a dime for exercising any of these rights.

No More Jargon: Mandatory, Clear Privacy Policies

Ever tried to read a privacy policy? It’s usually a confusing mess of legal speak. Section 4 aims to fix that. Regulated Entities must post a clear, easy-to-understand privacy policy prominently on their website. This policy must detail exactly what reproductive health data they collect, why they need it, and, crucially, list every specific third party they share it with and why. They also must provide a straightforward explanation and direct links for how you can exercise your new rights to control your data. This is a big win for transparency, cutting through the noise so you know exactly who has your sensitive information.

The Enforcement Hammer: Lawsuits and No Forced Arbitration

Compliance is backed by serious teeth in Section 6. The Federal Trade Commission (FTC) gains full authority to enforce this Act, treating violations just like unfair or deceptive business practices. Even bigger, the Act gives you, the individual, a private right of action. If a company violates this law, you can sue them directly and seek damages of between $100 and $1,000 per day of violation, plus attorney fees. This is a game-changer because the law specifically states that violating your privacy under this Act counts as a concrete injury, making it easier to bring a case. And here is the kicker: Section 6 also invalidates any pre-dispute forced arbitration clause or class action waiver related to disputes under this Act. This means companies can’t hide behind fine print to avoid facing you in court if they misuse your sensitive health data.

The Fine Print: Who Pays and Who’s Exempt

This bill places the burden of compliance squarely on “Regulated Entities,” which is a broad category covering most businesses that handle this data, even common carriers and non-profits that usually escape FTC oversight (Section 7). For businesses, especially those who rely on ad targeting or data sharing, this means significant new compliance costs and liability risks. However, the Act carves out exemptions for entities already covered by strict HIPAA rules, like hospitals and doctors, when they are acting in that capacity. The goal is to plug the privacy gap left by tech companies and data brokers who aren't covered by existing medical privacy laws. While the 15-day response window might be tough for some large companies to meet consistently, the trade-off is a much-needed increase in control over information that is extremely sensitive in today's digital world.