My Body, My Data Act would lock down reproductive and sexual health data

My Body, My Data Act would lock down reproductive and sexual health data

A new bill entered into both the House of Representatives and the Senate proposes the strongest Federal data privacy protections yet for an increasingly scrutinized form of data in the United States—reproductive and sexual health data.

The “My Body, My Data Act of 2022” was announced in early June in response to a leaked draft of a Supreme Court opinion that reported to show the Court’s intentions to overturn a seminal decision from 1973 that guaranteed a Constitutional right to have a choice to an abortion. Congresswoman Sara Jacobs (D-CA), sponsor of the bill in the House of Representatives, said in a press release that she was focused on protecting reproductive health data in light of the new,  judicial threat.

“Since the Supreme Court leak, I’ve heard from so many people who are panicked about their personal reproductive health data falling into the wrong hands,” Jacobs said. “The My Body, My Data Act will protect that information, protect our privacy, and reaffirm our rights to make our own decisions about our bodies.”

The bill, which has 46 cosponsors in the House and 11 cosponsors in the Senate, would stop companies from collecting, using, retaining, and disclosing “personal reproductive or sexual health information” unless a company first receives express consent from a user or if a company is using such information to specifically deliver a service that a user has requested. The bill’s definition of “personal reproductive or sexual health information” is broad, including any information that could reveal a person’s attempts to “research or obtain” reproductive health services, any reproductive or sexual health conditions, such as pregnancy, menstruation, and whether a person is sexually active, and any information about procedures that a person has undergone related to reproductive or sexual health.

If passed, the bill would also extend new rights to consumers to access and delete personal reproductive or sexual health information from the companies that collect it.

Since the bill’s announcement last month, it has only gained more attention.

On June 24, the Supreme Court decided in the case Dobbs v. Jackson Women’s Health Organization that the right to an abortion, which was guaranteed under a right to privacy as decided in 1973, was not “deeply rooted in this Nation’s history or tradition.” Voting 6 – 3, the Court overturned Roe v. Wade.

With the Court’s decision, immediate fear arose that reproductive health data could be requested by law enforcement only to be used as evidence to prosecute individuals seeking abortions—or even those who miscarried. The Digital Defense Fund responded to the Court’s decision by updating its resources on how individuals can keep their reproductive health decisions both private and secure. The group’s resources include a section on keeping reproductive health data out of the hands of “Big Tech.”

Further, several period-tracking apps independently announced efforts to anonymize user data so that even if law enforcement requested data about certain users, those companies could not respond in a meaningful way. Users have reportedly flocked to period-tracking apps that are making these promises, but as TechCrunch recently uncovered, one such company that announced new, pro-user plans last week—Stardust—was still sharing users’ phone numbers with third parties.

“TechCrunch ran a network traffic analysis of Stardust’s iPhone app on Monday to understand what data was flowing in and out of the app. The network traffic showed that if a user logs into the app using their phone number (rather than through a login service provided by Apple or Google), Stardust will periodically share the user’s phone number with a third-party analytics service called Mixpanel.”

TechCrunch also reported that Stardust’s efforts to bring “end-to-end encryption” were potentially faulty, as the company’s founder described a data transfer process that may only provide encryption for data in transit and for data that is stored on Amazon’s web servers.  

The period-tracking app morass is familiar, then: Once again, users in America of any number of services are left to independently manage their interactions with companies that could be sharing their data with an immeasurable number of third parties which, to most consumers, are entirely unknown.

The My Body, My Data Act could change that, requiring new restrictions not on how data is technologically stored, but on whether such data is ever collected in the first place.

The bill also includes what is called a “private right of action,” meaning that consumers who have had their privacy rights violated under the law could be able to sue individual companies for those violations. The inclusion of a private right of action is exceedingly rare in nearly any data privacy law that has been introduced in both statewide legislation and before the Federal government.

The bill is currently supported by Planned Parenthood, NARAL, National Abortion Federation, URGE, National Partnership for Women & Families, and Feminist Majority.

ABOUT THE AUTHOR

David Ruiz

Pro-privacy, pro-security writer. Former journalist turned advocate turned cybersecurity defender. Still a little bit of each. Failing book club member.