In a country where your ride-share history or Google searches could land you in an abortion investigation, the My Body, My Data Act (MBMD), a United States bill, aims to establish strong federal protections for reproductive health data. Reintroduced in the U.S. House on June 11, 2025, by Representative Sara Jacobs (D-CA), Senator Mazie Hirono (D-HI), and Senator Ron Wyden (D-OR), MBMD proposes the strongest federal protections to date for reproductive and sexual health information.
The Bill zeroes in on an increasingly urgent issue in the post-Dobbs v. Jackson Women’s Health Organization era: the weaponization of personal digital data in reproductive health investigations. Since the Supreme Court overturned Roe v. Wade in 2022, many states have enacted strict abortion bans or heavily restricted access, creating a chilling landscape in which ordinary online activity can be interpreted as evidence of criminal conduct. Data that once felt personal, such as period-tracking logs, fertility app entries, Google searches, private Facebook messages, GPS location trails, and license-plate scans, has become a treasure trove for prosecutors, police, and even private actors pursuing abortion-related claims.
These are not theoretical risks; they’ve already materialized in real-world cases:
- In Mississippi (2017), Latice Fisher was indicted for second-degree murder after suffering a stillbirth. Prosecutors used her internet search history and text messages, including searches for “buy abortion pills online,” to build their case.
- In Nebraska (2022), law enforcement obtained a young woman’s Facebook direct messages, where she and her mother discussed self-managed abortion methods. Those messages became central to a felony prosecution. Although the messages were pivotal, the charges were not based solely on them.
- In 2023, anti-abortion groups were found to have purchased cellphone location data from data brokers, which revealed visits to Planned Parenthood clinics and was used to target individuals for surveillance or protest.
- In May 2025, Texas authorities reportedly used automated license plate recognition (ALPR) systems across state lines to track the movements of a woman suspected of ending her pregnancy outside the legal framework.
Together, these cases show a disturbing trend: digital breadcrumbs are now routinely used to police reproductive choices, often without individuals realizing their data has been captured or repurposed. What was once private (searches for missed periods, GPS routes near clinics, or app logs about menstrual cycles) is now potentially admissible in court. The MBMD Act confronts this reality head-on, seeking to create legal boundaries where none currently exist for this highly sensitive and politically charged category of personal data.
The My Body, My Data Act introduces a transformative “strict necessity” threshold for reproductive and sexual health information, stipulating that companies may only collect, retain, share, or sell this data if it is essential to perform a service explicitly requested by the user, echoing the GDPR’s data minimization principle while tailored to the U.S. landscape. It mandates clear, accessible privacy notices and empowers individuals with rights to access, delete, and transfer their data, with deletion requests fulfilled within 30 days. Enforcement lies with the Federal Trade Commission, which may impose penalties exceeding $50,000 per violation, while individuals can bring private lawsuits seeking $100 to $1,000 per day or up to $10,000 per violation. The Bill prohibits mandatory arbitration and preserves state authority to enact more robust protections, complementing laws such as Washington’s My Health, My Data Act and pending efforts in Michigan, Illinois, and California.
The Bill has garnered support from a broad coalition of advocacy groups, including Planned Parenthood, NARAL Pro-Choice America, the Electronic Frontier Foundation (EFF), the National Women’s Law Center, and over 40 other civil and digital rights organizations. Their unified message: HIPAA was never designed to cover most modern data sources, including apps, searches, or GPS location feeds.
Despite this support, the Bill faces steep odds in the current Congress, where the House remains under GOP control, and some Republicans have already condemned MBMD as an “abortion shield.” Still, proponents view the Bill as strategically valuable for shaping both state-level legislation and private-sector compliance standards.
What This Means for Companies
Regardless of whether MBMD passes this term, companies should prepare now. Practical steps include:
- Inventory all reproductive and sexual health signals you collect (e.g., cycle dates, fertility scores, clinic visits, pharmacy records).
- Map data flows, including downstream sharing with analytics or ad partners.
- Implement short retention periods; six months is emerging as a defensible industry standard.
- Remove third-party SDKs that send app-level data to brokers; anonymous advertising IDs tied to health data still qualify as personal data.
- Apply GDPR-style user rights across all U.S. users instead of navigating a patchwork of state laws.
- Adopt a “warrant or court order” policy for law enforcement access to reproductive health data, akin to Apple’s stance on iCloud and WhatsApp backups.
At its core, MBMD responds to a stark new reality. Reproductive autonomy now exists within a commercial surveillance ecosystem. A late-night search for a pregnancy calculator, a quick detour past a clinic, or a single in-app note about cramps can be subpoenaed.
While the Bill doesn’t resolve the broader legal battle over abortion rights in the U.S., it affirms a critical principle.
Whether Congress enacts MBMD this term or not, the framework it proposes is already reshaping how lawmakers and corporations approach reproductive data privacy. For organizations, aligning with this standard now is not just smart compliance; it’s a step toward ethical stewardship in an era when personal data is as intimate as a medical chart or a handwritten diary.
If your organization handles sensitive health or location data, now is the time to audit your practices. Visit www.tsaaro.com
News of the Week
1. UK Cracks Down on Smart Device Surveillance

The UK’s Information Commissioner’s Office (ICO) has released new guidelines targeting the data practices of smart devices: everything from air fryers and smart speakers to fitness bands and fertility trackers. The ICO is urging manufacturers to be clear about what data they collect, why they collect it, and how long they keep it. Consumers must be given easy-to-understand privacy options, and data collection should be limited to what is truly necessary. This move reflects growing concern over how much personal information these everyday devices silently gather in our homes.
2. Zoomcar Data Breach Exposes Millions of Users
Popular Indian car-sharing platform Zoomcar confirmed that personal data belonging to over 8.4 million users was compromised in a recent cyberattack. The breach exposed names, mobile numbers, email addresses, vehicle details, and location information. While the company has notified regulatory authorities, including the U.S. SEC, and initiated an internal investigation, users are now left wondering how their data may be misused. The incident adds to rising concerns about data security in India’s expanding app ecosystem.
3. WestJet Cyberattack Hits Internal Systems

Canadian airline WestJet experienced a cyberattack that disrupted some of its internal IT systems, affecting its mobile app and website booking functions. While flight operations remained unaffected and no customer data breach has been confirmed, the airline is still working to fully restore its systems. This incident highlights ongoing risks to critical infrastructure like transportation, and it serves as another reminder of how essential digital resilience has become in the aviation sector.
https://calgaryherald.com/business/westjet-cybersecurity-incident-june-2025