The bill creates a framework to protect personal reproductive or sexual health information by limiting how such data can be collected, retained, used, or disclosed. It applies to a class of regulated entities and requires strict access controls for employees and service providers.
The act also establishes a formal right for individuals to access, correct, and delete their data, with defined timelines, formats, and no fees. Finally, it lays out mandatory privacy disclosures, anti-retaliation protections, and enforcement mechanisms, including a private right of action and FTC oversight.
The goal is to give individuals meaningful control over their sensitive health data while providing clear expectations and remedies for misuse.
At a Glance
What It Does
Imposes data minimization on collection, retention, use, and disclosure of personal reproductive or sexual health information. Requires restricted employee access and a formal rights framework for access, correction, and deletion.
Who It Affects
Regulated entities like digital health apps, clinics, telemedicine providers, and other businesses under FTC jurisdiction, plus their service providers and the individuals whose data is collected.
Why It Matters
This bill sets a national baseline for handling highly sensitive health data, creating enforceable rights and protections that address gaps not fully covered by HIPAA or other privacy regimes.
What This Bill Actually Does
The My Body, My Data Act of 2025 introduces a privacy regime focused on reproductive and sexual health information. It defines what counts as personal reproductive health information and who is a regulated entity for the purposes of the act.
Importantly, the bill requires that data collection be strictly limited to what is necessary to deliver a product or service requested by the individual, and it extends minimization principles to who may access the data within a regulated entity and its service providers.
The Five Things You Need to Know
The bill prohibits collecting, retaining, using, or disclosing personal reproductive or sexual health information beyond what is strictly necessary to provide a requested product or service.
Regulated entities must provide a mechanism for verified requests to access, correct, or delete data, with a 15-day deadline for compliance and no fees.
A required privacy policy must be published on the entity’s website, detailing data practices, third-party disclosures, and user controls.
The act prohibits retaliation against individuals exercising their rights, including through price discrimination or denial of goods and services.
Enforcement is dual: FTC enforcement of violations as unfair or deceptive practices, plus a private civil action for damages, with pre-dispute arbitration barred for disputes under the act.
Section-by-Section Breakdown
Minimization of collection and disclosure
Section 2 restricts how a regulated entity may collect, retain, use, or disclose personal reproductive or sexual health information. Information may only be collected to provide a product or service requested by the individual, and access to such data within the entity or its service providers must be strictly limited to those who need it to fulfill the request. This creates a baseline for data minimization and tight access controls within the processing chain.
Right of access, correction, and deletion
Section 3 establishes a verified-rights framework. Individuals can request access to their data, including how it was collected and disclosed, and a list of third parties to which it has been disclosed. They may direct corrections and deletions, and the regulated entity must respond within 15 days. The rights extend to data inferred or derived from other information, and entities may not charge fees for these requests.
Privacy policy requirements
Section 4 requires a public, clear, and comprehensive privacy policy describing collection, retention, use, and disclosure practices. The policy must list data categories, purposes, third-party disclosures and their uses, data sources, user controls, the steps to exercise those controls, and security measures. Publication on the entity’s website keeps the policy visible and accessible to consumers.
Prohibition against retaliation
Section 5 prohibits retaliation against individuals who exercise rights under the act. Prohibited actions include denying goods or services, charging different prices, providing a lower level of service, or suggesting that exercising those rights will affect price or quality. The provision is meant to stop entities from using price or service penalties to deter individuals from exercising their protections.
Enforcement and remedies
Section 6 makes violations enforceable as unfair or deceptive practices under the FTC Act. It grants the FTC enforcement authority while preserving the Commission’s general powers. It also allows private civil actions for damages, attorney’s fees, and equitable relief, and it explicitly prohibits pre-dispute arbitration of disputes arising under the Act.
Definitions
Section 7 defines key terms: regulation, collect, disclose, personal information, personal reproductive or sexual health information, regulated entity, service provider, and third party. The definitions collectively determine who is covered, what data qualifies, and how data flows are interpreted under the Act.
Relationship to federal and state laws
Section 9 preserves existing federal law and does not preempt state laws that provide greater protection than the Act, so stricter state privacy regimes continue to apply alongside it.
Savings clause
Section 10 clarifies that the Act does not diminish the FTC’s authority under other laws. It also permits regulated entities to disclose data when required by law, by court order, or by a similar legal process.
Severability
Section 11 provides that if any provision is held invalid, the remainder remains in effect. This prevents a single faulty clause from collapsing the entire framework and ensures the continuity of protections where possible.
Who Benefits and Who Bears the Cost
Every bill creates winners and losers. Here's who stands to gain and who bears the cost.
Who Benefits
- Individuals whose personal reproductive or sexual health information is collected gain enforceable rights to access, correct, and delete that data, and clearer control over how it is used.
- Users of digital health apps and telehealth services benefit from minimized data collection and transparent disclosures that help prevent misuse of sensitive information.
- Healthcare providers and clinics that implement clear privacy policies and robust access-control practices can reduce risk and build patient trust.
- Privacy advocates and consumer-rights organizations gain a stronger enforcement mechanism and verifiable standards for handling sensitive data.
- Regulated entities that invest in compliant data practices may reduce exposure to deceptive-practices claims by aligning with FTC expectations.
Who Bears the Cost
- Regulated entities (e.g., digital health apps, telehealth platforms, clinics) incur costs to implement data minimization, build user-access interfaces, publish privacy policies, and train staff.
- Service providers contracted to process data must meet compliance expectations and data-processing terms, increasing contractual and security requirements.
- Small businesses and startups may face higher compliance burdens, ongoing monitoring, and costs associated with maintaining interoperable data formats and user-control mechanisms.
- Legal and compliance teams must interpret evolving requirements and implement changes across products and services, increasing personnel and operational costs.
Key Issues
The Core Tension
Balancing robust privacy protections against the regulatory burden on entities and the risk of over- or under-inclusive definitions of covered data, while keeping the rights enforceable and aligned with existing health-data regimes.
The bill’s broad definition of personal reproductive or sexual health information—including inferred or derived data—creates a wide scope for privacy protections but also raises practical questions for implementation. Interplay with HIPAA, state privacy laws, and the vast landscape of health-tech vendors could complicate compliance.
While the act pairs these rights with a strong enforcement posture, it leaves open how third-party disclosures are to be tracked and how data inferred from non-health information is to be treated. The bar on pre-dispute arbitration is a notable shift toward court access, but it raises questions about the speed and cost of private actions.