Michigan: Bill for Reproductive Health Data Privacy Act passes Senate
On December 5, 2024, Senate Bill 1082 for the Reproductive Health Data Privacy Act passed its third reading in the Michigan State Senate following its introduction on November 7, 2024, and favorable reporting from the Senate Committee on Housing and Human Services.
What is the scope of the bill?
Specifically, 'reproductive health data' is defined as 'information that is linked or reasonably linkable to an individual and that identifies the individual's past, present, or future reproductive health status.' The bill also provides definitions for 'reproductive health services,' and 'reproductive health status,' alongside clarifying what data is considered 'publicly available information.'
A 'regulated entity' is defined as 'a public, private, operated for profit, or not operated for profit business or organization that provides reproductive health care or services and collects reproductive health data from an individual. Regulated entity includes a business or organization that licenses or certifies other persons to provide reproductive health care or services.'
The bill clarifies that requirements on consent to collection and provision of privacy notices do not apply to reproductive health data considered protected health information or information originating from, and intermingled to be indistinguishable with, protected health information maintained by a covered entity or business associates as defined under the Health Insurance Portability and Accountability Act (HIPAA).
What are the prohibitions under the bill?
In particular, the bill prohibits a regulated entity, service provider, or affiliate entity from collecting or processing an individual's reproductive health data unless the entity provided the individual with the entity's privacy policy, has obtained consent, and uses the data only for specified purposes.
Entities processing reproductive health data must not:
- collect more precise data than is necessary for the intended purpose;
- retain data for longer than necessary to perform the stated purpose;
- derive or infer any information from reproductive data not necessary to perform the stated purpose; and
- disclose, cause to disclose, or assist or facilitate disclosure of data to a third party, unless for a valid legal basis.
The bill states that entities may only process reproductive health data to:
- provide a product, service, or service feature to the individual to whom the reproductive health data pertains when requested;
- initiate, manage, execute, or complete a financial or commercial transaction or to fulfill an order for a specific product or service requested by an individual to whom the reproductive health data pertains;
- comply with legal obligations;
- protect public safety or public health;
- prevent, detect, protect against, or respond to a security incident, identity theft, fraud, harassment, malicious or deceptive activities, or activities that are illegal;
- preserve the integrity or security of systems; or
- investigate, report, or prosecute persons.
Service providers are also subject to restrictions on processing reproductive health data. Service providers must only process reproductive health data under a contract, which sets out instructions for processing and limits on the actions the service provider may take.
Prohibitions on geofencing are also included under the bill.
What are the consent requirements under the bill?
Notably, alongside the requirement to obtain consent to process reproductive health data, the bill stipulates that beginning June 30, 2027, entities are prohibited from selling or offering for sale an individual's reproductive health data without specific consent. Consent to the sale of reproductive health data is separate and distinct from the consent to process reproductive health data.
For consent to the sale of reproductive health data to be valid, it must be in writing, in plain language, containing:
- the specific reproductive health data intended to be sold;
- the name and contact information of the entity the data will be sold to and the entity the data will be purchased by;
- a description of the purpose for the sale, including how data will be gathered and how it will be used;
- a statement that the provision of goods and services is not conditioned on the individual signing the consent;
- a statement that the individual has the right to revoke consent at any time and instructions on how to revoke consent;
- a statement that reproductive health data may subsequently be redisclosed by the purchasing entity and no longer protected;
- the signature of the individual providing consent and date of consent; and
- an expiration date for the consent, which must expire within one year.
What data subject rights are provided under the bill?
The bill details that individuals have the right to request access and the deletion of their reproductive health data. The right to access must not require the disclosure of trade secrets.
Entities must respond to data subject requests within 45 days of receiving a request, though they may delay responding to a request by an additional 45 days if reasonably necessary. Individuals, however, must be informed of the delay and the reason for the extension.
Enforcement
The Michigan Attorney General is responsible for the enforcement of the bill. No private right of action is provided for under the bill.