PolicyBrief
S. 2029
119th Congress, Jun 11th 2025
My Body, My Data Act of 2025
IN COMMITTEE

The My Body, My Data Act of 2025 grants individuals new rights to control, access, correct, and delete their personal reproductive and sexual health information held by regulated entities, while strictly limiting what data those entities can collect and share.

Mazie Hirono (D), Senator, HI

LEGISLATION

New Privacy Bill Gives You 15 Days to Demand Deletion of Reproductive Health Data from Apps and Businesses

The “My Body, My Data Act of 2025” is a big deal for anyone who uses apps, websites, or services that track health information related to reproduction—think period trackers, fertility monitors, or even retail sites that infer your pregnancy status based on purchases. This bill steps in to create strong federal privacy standards for that highly sensitive data, specifically targeting companies not already covered by HIPAA (like your hospital or doctor’s office). The core goal is simple: You get control over your reproductive and sexual health data, and businesses have to stop hoarding it.

The Data Diet: Only What’s Essential

Section 2 introduces a principle called minimization. This means that regulated entities—which include most businesses the Federal Trade Commission (FTC) can touch, like apps and tech companies—can only collect, keep, use, or share your personal reproductive or sexual health details if it is absolutely essential for providing the specific service you requested. They can’t just vacuum up data “just in case” they need it later. If you sign up for a service, they must limit access to your sensitive data only to the employees or service providers who need it to deliver that specific thing. This is a massive shift away from the current “collect everything” model favored by many apps and data brokers.

Your New Rights: Access, Fix, and Delete

Section 3 hands you three powerful new tools. First, you get the right to access your data. If you ask, the company has to show you all the reproductive or sexual health information they have on you, where they got it (especially if it was inferred or from a third party), and every specific company they shared it with. Second, you have the right to correct any mistakes in that data. Third, and perhaps most importantly, you have the right to delete it completely. This applies even to data they inferred about you based on other information they collected.

The real punchline here is the timeline: once you make a verified request, the company has to comply without delay, and no later than 15 days. They also cannot charge you a fee for any of these requests. This 15-day window is a tight turnaround for businesses and signals that the law takes these rights seriously. For the busy person, this means if you use a period tracking app and decide you want your data gone, the company has at most 15 days to wipe it.

Transparency is Mandatory

If a company is going to handle your sensitive data, Section 4 requires them to be completely transparent about it. They must post a clear, public privacy policy—prominently displayed on their website—that spells out exactly what they collect, why they collect it, who they share it with, and who they got it from. Crucially, the policy must also detail exactly how you can exercise your control rights (access, correction, deletion) and provide direct links to the settings or mechanisms to do so. This is designed to eliminate the blurry, jargon-filled privacy policies we usually click through without reading.

The Enforcement Hammer: No Arbitration, Real Damages

This bill has teeth, thanks to Section 6. The FTC gets full authority to enforce the law, but individuals also gain a private right of action. This means if a company violates your rights under this Act, you can sue them directly. If you win, you can receive your actual damages or statutory damages ranging from $100 to $1,000 per day the violation occurred—whichever is greater. This makes violations very expensive for companies.

Even more critical is the ban on pre-dispute arbitration agreements and class action waivers when it comes to violations of this law. If you signed a user agreement that forced you into arbitration, that clause is invalid when suing over your reproductive health data. This removes a major shield companies often use to avoid accountability, making it much easier for consumers to seek justice.

Who This Affects and Why It Matters

This legislation focuses on non-HIPAA entities, meaning it directly impacts the tech companies and data brokers that often fly under the radar of traditional health privacy laws. If you use any digital tool that collects information about your menstrual cycle, fertility, or sexual health, this bill gives you unprecedented power over that data. The fact that the law explicitly defines inferred data (like an algorithm figuring out you’re pregnant based on your purchase history) as protected means the scope is wide.

For businesses, especially smaller tech firms or start-ups, the compliance burden is real. They face significant costs to implement the 15-day deletion mechanism and overhaul their privacy policies. However, the biggest impact falls on data brokers who profit from sharing or inferring this sensitive information, as the minimization and deletion requirements essentially gut their business model concerning reproductive health data. While the law carves out hospitals and health plans (which are already covered by HIPAA), it closes a major privacy gap left open by the rise of consumer health technology.