SENATE BILL NO. 1082

November 07, 2024, Introduced by Senators MCMORROW, IRWIN, SINGH, HERTEL, CAMILLERI, MOSS, CAVANAGH, MCCANN, SANTANA, MCDONALD RIVET, CHERRY, ANTHONY, GEISS, POLEHANKI, SHINK, CHANG, BAYER, BRINKS and KLINEFELT and referred to the Committee on Housing and Human Services.

A bill to regulate the collection, processing, and selling of reproductive health data; to regulate the disclosure of reproductive health data; to require individual consent to collect, process, and sell reproductive health data; to prohibit the use of geofences around facilities that provide reproductive health services; to provide remedies and prescribe civil sanctions; and to provide for the powers and duties of certain state governmental officers and entities.

THE PEOPLE OF THE STATE OF MICHIGAN ENACT:

Sec. 1. This act may be cited as the "reproductive health data privacy act".

Sec. 3. As used in this act:

(a) "Collect" means to buy, rent, gather, obtain, receive, or access any reproductive health data about an individual in any manner, including, but not limited to, by receiving data from the individual, actively or passively, or by observing or tracking the individual's online activity.

(b) "Consent" means a clear affirmative act that signifies an individual's freely given, specific, informed, opt-in, voluntary, and unambiguous agreement and is provided in response to a specific request from a covered entity or a service provider. Consent may be obtained by electronic means. Consent may not be obtained by any of the following:

(i) A general or broad terms-of-use agreement or a similar document that contains descriptions of reproductive health data processing along with other unrelated information.

(ii) An individual hovering over, muting, pausing, or closing a given piece of consent.

(iii) Through the use of a deceptive design.

(c) "Covered entity" means a public, private, operated for profit, or not operated for profit business or organization that provides reproductive health care, placement, or services and collects reproductive health data from an individual. Covered entity includes a business or organization that licenses or certifies other persons to provide reproductive health care, placement, or services.

(d) "Deceptive design" means an interface design or choice architecture to obtain required consent that has been designed or manipulated with the substantial effect of subverting or impairing user autonomy, decision making, or choice, or unfairly, fraudulently, or deceptively manipulating or coercing an individual into providing consent.

(e) "Geofence" means technology that uses global positioning coordinates, cell tower connectivity, cellular data, radio frequency identification, Wi-Fi data, or any other form of spatial or location detection to establish a virtual boundary around a specific physical location, or to locate an individual within a virtual boundary, where the virtual boundary is not more than 1,850 feet from the perimeter of the physical location.

(f) "Person" means an individual or a partnership, corporation, limited liability company, association, governmental entity, or other legal entity.

(g) "Process" means any use of data provided under this act.

(h) "Reproductive health data" means information that is linked or reasonably linkable to an individual and that identifies the individual's past, present, or future reproductive health status. Reproductive health data does not include information that is used to engage in public or peer-reviewed scientific, historical, or statistical research in the public interest, including information described under 1967 PA 270, MCL 331.531 to 331.534, that adheres to all other applicable ethics and privacy laws and is approved, monitored, or governed by an institutional review board, human subjects research ethics board, or a similar independent oversight entity that determines that the covered entity has implemented reasonable safeguards to reduce privacy risks associated with research, including risks associated with reidentification.

(i) "Reproductive health services" means health care services or products that support or relate to an individual's reproductive system, pregnancy status, or sexual well-being, including, but not limited to, any of the following:

(i) Individual health conditions, status, diseases, or diagnoses.

(ii) Social, psychological, behavioral, and medical interventions.

(iii) Health-related surgeries or procedures, including, but not limited to, abortions.

(iv) Bodily functions, vital signs, symptoms, or measurements of the information described in this subdivision.

(v) Diagnoses or diagnostic testing, treatment, or medication.

(vi) Medical or nonmedical services related to and provided in conjunction with an abortion, including, but not limited to, associated diagnostics, counseling, supplies, and follow-up services.

(j) "Reproductive health status" includes, but is not limited to, all of the following as it relates to an individual's reproductive health, menstrual cycle, fertility, pregnancy, pregnancy outcome, plans to conceive, or type of sexual activity:

(i) Individual health conditions, treatment, diseases, or diagnoses.

(ii) Social, psychological, behavioral, and medical interventions.

(iii) Health-related surgeries or procedures.

(iv) Use or purchase of medications.

(v) Bodily functions, vital signs, symptoms, or measurements of the information described in this subdivision.

(vi) Diagnoses or diagnostic testing, treatment, or medication.

(vii) Data concerning medical or nonmedical services related to and provided in conjunction with an abortion, including, but not limited to, associated diagnostics, counseling, supplies, and follow-up services.

(viii) Biometric data. As used in this subparagraph, "biometric data" means data generated by automatic measurements of an individual's biological characteristics, including, but not limited to, a fingerprint, a voiceprint, an eye retina, an iris, or any other biological pattern or characteristic used to identify a specific individual. Biometric data does not include any of the following:

(A) A physical or digital photograph.

(B) A video or audio recording.

(C) Any data generated from a physical or digital photograph or a video or audio recording, unless the data is generated to identify a specific individual.

(ix) Genetic data.

(x) Precise location information that could reasonably indicate an individual's attempt to acquire or receive reproductive health services or supplies.

(xi) Data that identifies an individual seeking reproductive health services or supplies.

(xii) Any information that a covered entity, or a covered entity's respective service provider, processes to associate or identify an individual with the data described in subparagraphs (i) to (x) that is derived or extrapolated from nonhealth information, such as proxy, derivative, inferred, or emergent data, by any means, including algorithms and machine learning.

(k) "Sell" or "sale" means the exchange of reproductive health data for monetary or other valuable consideration, including the rent, trade, gift, or lease of data for valuable consideration or the expectation of valuable consideration. Sell or sale does not include the exchange of reproductive health data for monetary or other valuable consideration to a third party as an asset that is part of a merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the covered entity's assets that complies with the requirements and obligations in this act.

(l) "Service provider" means a person that collects, processes, retains, transfers, or sells reproductive health data on behalf of, and at the direction of, a covered entity.

(m) "Third party" means a person that is not party to a transaction or party's representative for the purposes specified under this act.

Sec. 5. (1) A covered entity or service provider shall not collect or process reproductive health data unless the covered entity or service provider does all of the following:

(a) Provides the individual whose reproductive health data is being collected with a copy of the covered entity or service provider's privacy policy.

(b) Obtains clear consent from the individual to whom the reproductive health data pertains, or the individual's authorized representative.

(c) Collects or processes the reproductive health data only for 1 or more purposes described under subsection (2).

(2) A covered entity or service provider may collect or process reproductive health data only for the following purposes:

(a) To provide a product, service, or service feature to the individual to whom the reproductive health data pertains when that individual requested the product, service, or service feature by subscribing to, creating an account with, or otherwise contracting with the covered entity or service provider.

(b) To initiate, manage, execute, or complete a financial or commercial transaction or to fulfill an order for a specific product or service requested by an individual to whom the reproductive health data pertains, including, but not limited to, associated routine administrative, operational, and account servicing activity such as billing, shipping, storage, and accounting.

(c) To comply with an obligation under a law of this state or federal law.

(d) To protect public safety or public health.

(3) A covered entity or service provider that collects or processes reproductive health data shall not do any of the following:

(a) Collect more precise reproductive health data than is necessary to perform a purpose described in subsection (2).

(b) Retain reproductive health data for longer than is necessary to perform a purpose described in subsection (2).

(c) Derive or infer from reproductive health data any information that is not necessary to perform a purpose described in subsection (2).

(d) Disclose, cause to disclose, assist with the disclosure of, or facilitate the disclosure of an individual's reproductive health data to a third party, unless the disclosure is either of the following:

(i) Necessary to perform a purpose described under subsection (2).

(ii) Performed with valid consent obtained from the individual to whom the reproductive health data pertains.

(4) A covered entity or service provider that collects or processes reproductive health data shall provide a clear and conspicuous link on the covered entity or service provider's internet homepage that enables an individual, or a person authorized by the individual, to request access to and deletion of the individual's reproductive health data.

(5) This section does not apply to a covered entity or a business associate regarding protected health information under the health insurance portability and accountability act of 1996, Public Law 104-191, and the regulations promulgated under that act, 45 CFR parts 160 and 164.

(6) As used in this section, "business associate" means that term as defined in 45 CFR 160.103.

Sec. 7. A covered entity or service provider shall not disclose an individual's reproductive health data to a federal, state, or local governmental agency or official unless 1 or more of the following applies:

(a) The governmental agency or official serves the covered entity or service provider with a valid warrant or establishes the existence of exigent circumstances that make it impracticable to obtain a warrant.

(b) Disclosure is mandated under the laws of this state or federal law.

(c) Disclosure is requested by the individual to whom the reproductive health data pertains.

Sec. 9. (1) Beginning on June 30, 2025, a covered entity or service provider shall not sell or offer to sell reproductive health data unless the covered entity or service provider obtains valid consent in accordance with subsection (4) from the individual to whom the reproductive health data pertains before selling or offering to sell the reproductive health data.

(2) A covered entity or service provider shall not sell or offer to sell reproductive health data in a manner that is inconsistent with valid consent obtained under this section.

(3) Valid consent under this section is separate and distinct from consent obtained under section 5.

(4) To be valid, consent under this section must be in writing, in plain language, and contain all of the following:

(a) The specific reproductive health data concerning the individual that the covered entity or service provider intends to sell.

(b) The name and contact information of the covered entity or service provider collecting and selling the reproductive health data described in subdivision (a).

(c) The name and contact information of the person purchasing the reproductive health data described in subdivision (a).

(d) A description of the purpose for the sale, including how the reproductive health data will be gathered by the covered entity or service provider and how the reproductive health data will be used by the person purchasing the reproductive health data.

(e) A statement that the provision of goods and services is not conditioned on the individual signing the consent.

(f) A statement that the individual has a right to revoke the individual's consent at any time, and a description of how to submit a revocation of the consent.

(g) A statement that the reproductive health data sold in accordance with valid consent may be subject to redisclosure by the person purchasing the reproductive health data and may no longer be protected under this section.

(h) The signature of the individual providing consent and the date on which the consent was signed by the individual.

(i) An expiration date for the consent, which must expire within 1 year after the individual's signature.

(5) Consent is not valid if it has any of the following defects:

(a) The expiration date has passed.

(b) The consent does not contain all of the information required under subsection (4).

(c) The consent has been revoked by the individual.

(d) The consent has been combined with other documents to create a compound authorization.

(e) The provision of goods or services is conditioned on the individual signing the consent document.

(6) A copy of the valid consent must be provided to the individual by the covered entity or service provider selling or offering to sell the reproductive health data.

(7) The covered entity or service provider selling or offering to sell the reproductive health data and the purchaser of the reproductive health data shall retain a copy of the valid consent for not less than 6 years after the date that the consent is signed by the individual or the date when the consent was last in effect, whichever is later.

(8) A covered entity or service provider that sells reproductive health data shall provide a clear and conspicuous link on the covered entity or service provider's internet homepage that enables an individual, or a person authorized by the individual, to revoke the individual's consent to sell reproductive health data at any time.

(9) A covered entity or service provider selling an individual's reproductive health data and the purchaser of the reproductive health data shall enter into a written agreement governing the purchaser's processing of the individual's reproductive health data. The written agreement must do all of the following:

(a) Legally bind the purchaser and the covered entity or service provider selling the reproductive health data.

(b) Clearly set forth the nature and purpose of the sale, the type of reproductive health data subject to the sale, the duration of processing, and the rights and obligations of both parties.

(c) Require the purchaser to adhere to the instructions of the covered entity or service provider.

(d) Set out the extent to which the purchaser may process the reproductive health data.

(e) Require the purchaser to process the reproductive health data that the purchaser receives from the covered entity or service provider only to the extent provided for under subdivision (d).

(f) Require the purchaser to delete or return all reproductive health data to the covered entity or service provider at the end of the provision of services or on revocation of consent by the individual, unless retention of the reproductive health data is required by law.

Sec. 11. A covered entity or service provider shall not implement a geofence around an entity that provides in-person reproductive health services if the geofence is used to do any of the following:

(a) Identify or track individuals seeking reproductive health services.

(b) Collect reproductive health data from individuals.

(c) Send notifications, messages, or advertisements to individuals related to the individual's reproductive health data or reproductive health services.

Sec. 13. (1) The attorney general may bring an action to enjoin any person from violating this act. Upon proper showing, a court may grant a permanent or temporary injunction, restraining order, writ of mandamus, or any other order or judgment necessary to enjoin a person from violating this act. For any action in which the attorney general prevails, the attorney general may recover the costs of the action, including reasonable attorney fees.

(2) An individual who suffers a loss as a result of a violation of this act may bring a civil action against the person that committed the violation to recover any of the following:

(a) Damages in an amount of not less than $100.00 and not more than $750.00 per incident or actual damages, whichever is greater.

(b) Injunctive or declaratory relief.

(c) Any other appropriate relief.

(3) The court may consider any relevant circumstances in determining the amount of damages, including, but not limited to, all of the following:

(a) The nature and seriousness of the misconduct.

(b) The number of violations.

(c) The persistence of the misconduct.

(d) The length of time over which the misconduct occurred.

(e) The willfulness of the defendant's misconduct.

(f) The defendant's assets, liabilities, and net worth.

(4) This act does not serve as a basis for a private right of action under any other law. This subsection does not deprive or relieve a person from any rights, duties, or obligations imposed under other laws of this state or federal law.

Sec. 15. The attorney general shall promulgate rules to implement this act under the administrative procedures act of 1969, 1969 PA 306, MCL 24.201 to 24.328.