Menstrual Data Privacy & Protection Act
The Menstrual Data Privacy and Protection Act ensures that menstrual and reproductive health data collected by applications, healthcare providers, pharmacies, and other entities is protected. The Act requires explicit consent for data collection, prohibits the sale of such data, mandates strong security measures, and grants individuals the right to request data deletion. Transparency and accountability are reinforced through annual reporting requirements and enforcement measures, including fines and a private right of action.
Key Provisions
Data Collection and Usage Restrictions: Requires explicit consent before collecting or using menstrual data and limits its use to agreed purposes.
Prohibition on Sale of Data: Bans the sale of menstrual and reproductive health data to third parties under any circumstances.
Data Security Requirements: Mandates encryption, regular audits, and breach notification within 72 hours of an incident.
Right to Data Deletion: Grants individuals the right to request deletion of their data, with entities required to comply within 30 days.
Transparency Requirements: Requires entities to provide clear privacy policies and submit annual compliance reports.
Enforcement and Penalties: Establishes fines, suspension of operations for repeat violations, and a private right of action for affected individuals.
Model Language
Section 1. Short Title: This Act shall be known as the "Menstrual Data Privacy and Protection Act."
Section 2. Purpose: The purpose of this Act is to safeguard the privacy and security of menstrual and reproductive health data collected by applications, devices, pharmacies, healthcare providers, and other entities. This legislation ensures that individuals retain control over their sensitive personal information and protects against misuse, unauthorized sharing, and data breaches.
Section 3. Definitions:
(a) Menstrual Data means any information related to an individual's menstrual cycle, reproductive health, or related bodily functions collected by an entity, including but not limited to information collected through:
(i) Menstrual tracking applications and devices
(ii) Pharmacies and healthcare providers
(iii) Online or in-person retail purchases of menstrual products
(b) Entity refers to any organization, business, or individual collecting menstrual data, including but not limited to:
(i) Digital applications and platforms
(ii) Pharmacies and retail establishments
(iii) Healthcare providers, clinics, and hospitals
(c) Explicit Consent means a clear and affirmative agreement provided by the individual after being fully informed of the specific purpose for data collection and usage.
Section 4. Data Collection and Usage Restrictions
(a) Consent Requirement: Entities collecting menstrual data must obtain explicit, informed consent from individuals before collecting, processing, or sharing such data.
(b) Purpose Limitation: Collected menstrual data may only be used for the purposes explicitly agreed to by the individual. Entities are prohibited from using the data for unrelated purposes, including marketing or targeted advertising, without obtaining additional explicit consent.
Section 5. Prohibition on Sale of Data
Entities are prohibited from selling menstrual or reproductive health data to third parties under any circumstances.
Section 6. Data Security Requirements
(a) Entities collecting menstrual data must implement industry-standard security measures, including but not limited to:
(i) Data encryption during storage and transmission
(ii) Regular security audits and vulnerability assessments
(b) Entities must notify affected individuals and the state's data protection authority within 72 hours of any data breach involving menstrual data.
Section 7. Right to Data Deletion
(a) Individuals shall have the right to request deletion of their menstrual data at any time.
(b) Entities must comply with data deletion requests within 30 days and confirm the deletion to the individual.
(c) Deleted data must not be retained in any form by the entity or its partners, including backups or archives.
Section 8. Transparency Requirements
(a) Privacy Policy Disclosure: Entities must provide a clear and accessible privacy policy detailing:
(i) The types of menstrual data collected
(ii) The purposes for which the data is used
(iii) Any third parties with whom the data may be shared
(b) Annual Reporting: Entities must submit an annual report to the state's data protection authority summarizing:
(i) Data protection measures implemented
(ii) Any data breaches or incidents reported during the year
(iii) Compliance efforts with this Act
Section 9. Enforcement and Penalties
(a) Fines: Entities found in violation of this Act may be subject to fines of up to $50,000 per incident or $500 per affected individual, whichever is greater.
(b) Suspension of Operations: Repeat violations may result in the suspension of the entity's ability to operate within the state until compliance is demonstrated.
(c) Legal Action: The state Attorney General may pursue civil actions against entities violating this Act to ensure compliance and protect individuals' rights.
Section 10. Private Right of Action
(a) Individuals whose menstrual data is misused, improperly shared, or breached may bring a civil action against the violating entity for:
(i) Actual damages
(ii) Statutory damages of up to $2,500 per violation
(iii) Reasonable attorney’s fees and costs
Section 11. Severability
If any provision of this Act is found to be invalid or unconstitutional, the remaining provisions shall remain in full force and effect.
Section 12. Effective Date: This Act shall take effect 180 days after enactment.