WeVote

Bill

Bill

SB 1082

Commonwealth Transportation Special Structures Program Revenue Bond Act of 2025; created.

2025 Regular Session Introduced by Luther Cifers and 2 co-sponsors

SB 1082 shields reproductive health data by requiring explicit consent for collection/processing, banning unconsented data sales (from 2027), and prohibiting geofence tracking.

Acts of Assembly Chapter text (CHAP0327)
0
WeVote Research Nonpartisan
Bill Summary · SB 1082

SB 1082 — Reproductive Health Data Privacy Act (summary)

Status & timeline
- Bill number: SB 1082 — titled “Consumer protection: privacy; reproductive health data privacy act; create.”
- Introduced: February 4, 2025 (referred to Committee on Government Operations per bill information provided).
- Committee-reported substitute (S‑1) text and analysis prepared in late 2024; committee report notes the act would take effect two years after enactment.
- Fiscal note (committee): minor negative fiscal impact for State/local governments, the Attorney General (AG), and local courts.

Purpose / intent
- Establish statewide protections for “reproductive health data” by restricting collection, processing, sale, disclosure, and certain types of location tracking without valid, informed consent. The stated rationale is to protect individuals’ sensitive reproductive health information (from apps, wearables, clinics, etc.) and limit unauthorized sharing that could expose people to harms.

Key definitions (high level)
- Regulated/covered entity: businesses or organizations providing reproductive health care or services and collecting reproductive health data (includes license/certifying bodies).
- Service provider / affiliate: entities that process data on behalf of covered entities.
- Reproductive health data: information linked or reasonably linkable to an individual that identifies past, present, or future reproductive health status — broadly defined to include menstrual/fertility/pregnancy status, treatments, abortions-related services, biometric and genetic data, precise location indicating attempts to obtain reproductive services, and inferences derived from nonhealth data.
- Exceptions: aggregated/de‑identified data and certain IRB‑approved research that meets safeguards.

Main requirements and prohibitions
- Consent and notice: A covered/regulating entity may not collect or process reproductive health data unless it provides privacy information and obtains valid consent. “Consent” must be an explicit, freely given, specific, opt‑in act (not buried in broad terms of service, not obtained by deceptive design or passive actions).
- Purpose & minimization: Data may be collected/processed only for specified purposes (e.g., to provide requested products/services, financial transactions, public health), and entities may not collect, disclose, or retain more data or for longer than necessary.
- Sale restrictions: Beginning per committee report June 30, 2027, entities may not sell (or offer for sale) reproductive health data without specific, distinct, written consent that discloses terms of the sale and use. Entities must provide a clear, conspicuous website link allowing individuals to revoke consent to sale/processing.
- Geofencing/location tracking: Prohibits implementing geofencing that tracks or collects information about individuals seeking reproductive health services (geofence defined as virtual boundary up to 1,850 feet from a facility).
- Government disclosure: Prohibits disclosure of an individual’s reproductive health data to government agencies or officials except when presented with a warrant, when disclosure is mandated by law, or when the individual requests it.
- Data subject rights & timelines: Entities must respond to access and deletion requests within 45 days.
- Contracts & safeguards: Sellers and purchasers of reproductive health data must enter a written agreement specifying permitted uses and processing terms; service providers are restricted to acting at direction of covered entity.

Enforcement & remedies
- Attorney General: AG may bring actions for injunctive relief and promulgate implementing rules; AG can recover reasonable attorney fees in successful injunctive actions.
- Private right of action: Individuals harmed by violations may recover statutory damages (up to $750 per incident) or actual damages, whichever is greater, and seek other relief permitted by the act.
- Criminal or other penalties are not described in the committee summary aside from civil remedies and injunctive authority.

Who would be affected
- Covered entities and service providers handling reproductive health data — e.g., reproductive health clinics and providers, health‑related apps (menstrual trackers, telehealth), wearable device companies, data brokers, analytics firms, and potentially organizations that license/certify providers.
- State/local agencies: If classified as “covered entities” or service providers (e.g., Medicaid program, local health departments), they could incur minor compliance costs.
- Consumers: Individuals would gain specified privacy rights, affirmative consent protections, and remedies for violations.

Fiscal impact (committee summary)
- Minor negative fiscal impact on State/local governments for compliance if they fall within the bill’s definitions.
- Minor administrative costs for the AG (rulemaking) and likely an increase in court hearings for injunctive relief.

Notes / uncertainties
- Multiple introduced and substituted versions exist in the record; some timing details (e.g., effective dates for sale prohibition) vary across versions. The committee report indicates the law would take effect two years after enactment and references a June 30, 2027 start date for sale prohibitions in the reported substitute. Confirm the final enacted text and effective dates if relying on this for compliance planning.

Compiled from official sources — confirm details with the bill’s official record.

Sign in to ask a question.