| 1 | 1 | | 25 LC 59 0137 |
|---|
| 2 | 2 | | House Bill 827 |
|---|
| 3 | 3 | | By: Representatives McQueen of the 61 |
|---|
| 4 | 4 | | st |
|---|
| 5 | 5 | | , Roberts of the 52 |
|---|
| 6 | 6 | | nd |
|---|
| 7 | 7 | | , Miller of the 62 |
|---|
| 8 | 8 | | nd |
|---|
| 9 | 9 | | , Evans of |
|---|
| 10 | 10 | | the 57 |
|---|
| 11 | 11 | | th |
|---|
| 12 | 12 | | , Willis of the 55 |
|---|
| 13 | 13 | | th |
|---|
| 14 | 14 | | , and others |
|---|
| 15 | 15 | | A BILL TO BE ENTITLED |
|---|
| 16 | 16 | | AN ACT |
|---|
| 17 | 17 | | To amend Chapter 1 of Title 10 of the Official Code of Georgia Annotated, relating to selling |
|---|
| 18 | 18 | | 1 |
|---|
| 19 | 19 | | and other trade practices, so as to enact the "Menstrual Data Privacy and Protection Act"; to2 |
|---|
| 20 | 20 | | provide for definitions; to require explicit consent; to provide for security, notification of data3 |
|---|
| 21 | 21 | | breaches, and deletion of data; to provide for violations; to provide for reporting; to provide4 |
|---|
| 22 | 22 | | for relief; to provide for related matters; to provide for legislative purpose; to repeal5 |
|---|
| 23 | 23 | | conflicting laws; and for other purposes.6 |
|---|
| 24 | 24 | | BE IT ENACTED BY THE GENERAL ASSEMBLY OF GEORGIA:7 |
|---|
| 25 | 25 | | SECTION 1.8 |
|---|
| 26 | 26 | | This Act shall be known and may be cited as the "Menstrual Data Privacy and Protection9 |
|---|
| 27 | 27 | | Act."10 |
|---|
| 28 | 28 | | SECTION 2.11 |
|---|
| 29 | 29 | | The purpose of this Act is to safeguard the privacy and security of menstrual and12 |
|---|
| 30 | 30 | | reproductive health data collected by applications, devices, pharmacies, healthcare providers,13 |
|---|
| 31 | 31 | | and other entities. This legislation ensures that individuals retain control over their sensitive14 |
|---|
| 32 | 32 | | H. B. 827 |
|---|
| 33 | 33 | | - 1 - 25 LC 59 0137 |
|---|
| 34 | 34 | | personal information and protects against misuse, unauthorized sharing, and data breaches |
|---|
| 35 | 35 | | 15 |
|---|
| 36 | 36 | | involving such information.16 |
|---|
| 37 | 37 | | SECTION 3.17 |
|---|
| 38 | 38 | | Chapter 1 of Title 10 of the Official Code of Georgia Annotated, relating to selling and other18 |
|---|
| 39 | 39 | | trade practices, is amended by enacting a new article to read as follows:19 |
|---|
| 40 | 40 | | "ARTICLE 37 |
|---|
| 41 | 41 | | 20 |
|---|
| 42 | 42 | | 10-1-960.21 |
|---|
| 43 | 43 | | As used in this article, the term:22 |
|---|
| 44 | 44 | | (1) 'Entity' means any organization, business, or individual collecting menstrual data,23 |
|---|
| 45 | 45 | | including, but not limited to, digital applications and platforms, pharmacies and retail24 |
|---|
| 46 | 46 | | establishments, healthcare providers, clinics, and hospitals.25 |
|---|
| 47 | 47 | | (2) 'Explicit consent' means a clear and affirmative agreement provided by an individual26 |
|---|
| 48 | 48 | | after being fully informed of the specific purpose for menstrual data collection and usage.27 |
|---|
| 49 | 49 | | (3) 'Menstrual data' means any information related to an individual's menstrual cycle,28 |
|---|
| 50 | 50 | | reproductive health, or related bodily functions collected by an entity, including, but not29 |
|---|
| 51 | 51 | | limited to, menstrual tracking applications and devices, pharmacies and healthcare30 |
|---|
| 52 | 52 | | providers, and online or in-person retail purchases of menstrual products.31 |
|---|
| 53 | 53 | | 10-1-961.32 |
|---|
| 54 | 54 | | (a) An entity shall obtain explicit consent from an individual before collecting, processing,33 |
|---|
| 55 | 55 | | or sharing menstrual data belonging to such individual.34 |
|---|
| 56 | 56 | | (b) Menstrual data may only be used by an entity for specific purposes provided in an35 |
|---|
| 57 | 57 | | explicit consent agreement. No entity shall use such menstrual data for unrelated purposes,36 |
|---|
| 58 | 58 | | H. B. 827 |
|---|
| 59 | 59 | | - 2 - 25 LC 59 0137 |
|---|
| 60 | 60 | | including marketing or targeted advertising, without obtaining explicit consent to such37 |
|---|
| 61 | 61 | | effect.38 |
|---|
| 62 | 62 | | (c) No entity shall sell menstrual data or reproductive health data to third parties under any39 |
|---|
| 63 | 63 | | circumstances.40 |
|---|
| 64 | 64 | | (d) Each instance of an entity collecting, processing, or sharing the menstrual data of an41 |
|---|
| 65 | 65 | | individual without obtaining such individual's explicit consent, using an individual's42 |
|---|
| 66 | 66 | | menstrual data for purposes not provided in an explicit consent agreement with such43 |
|---|
| 67 | 67 | | individual, or selling menstrual data belonging to an individual shall constitute a separate44 |
|---|
| 68 | 68 | | violation.45 |
|---|
| 69 | 69 | | 10-1-962.46 |
|---|
| 70 | 70 | | (a) An entity shall implement industry standard security measures, including, but not47 |
|---|
| 71 | 71 | | limited to, data encryption during storage and transmission, regular security audits, and48 |
|---|
| 72 | 72 | | vulnerability assessments.49 |
|---|
| 73 | 73 | | (b) An entity shall notify affected individuals and the Attorney General within 72 hours50 |
|---|
| 74 | 74 | | of any data breach involving menstrual data.51 |
|---|
| 75 | 75 | | (c) Every individual shall have the right to request that any entity in possession of52 |
|---|
| 76 | 76 | | menstrual data belonging to such individual delete such menstrual data at any time. An53 |
|---|
| 77 | 77 | | entity shall comply with menstrual data deletion requests within 30 days and notify the54 |
|---|
| 78 | 78 | | requesting individual when the data at issue has been deleted. Deleted menstrual data shall55 |
|---|
| 79 | 79 | | not be retained in any form by the entity or its partners.56 |
|---|
| 80 | 80 | | (d) Each instance of an entity failing to implement the security measures provided in57 |
|---|
| 81 | 81 | | subsection (a) of this Code section, to notify an individual affected by a data breach58 |
|---|
| 82 | 82 | | involving such individual's menstrual data as provided in subsection (b) of this Code59 |
|---|
| 83 | 83 | | section, or to delete menstrual data following the procedures provided in subsection (c) of60 |
|---|
| 84 | 84 | | this Code section shall constitute a separate violation.61 |
|---|
| 85 | 85 | | H. B. 827 |
|---|
| 86 | 86 | | - 3 - 25 LC 59 0137 |
|---|
| 87 | 87 | | 10-1-963.62 |
|---|
| 88 | 88 | | (a) Each entity shall publish on a website accessible to the public a privacy policy detailing63 |
|---|
| 89 | 89 | | the types of menstrual data it collects, the purposes for which such data is used, and any64 |
|---|
| 90 | 90 | | third parties with whom such data may be shared.65 |
|---|
| 91 | 91 | | (b) Each entity shall publish on a website accessible to the public an annual report66 |
|---|
| 92 | 92 | | summarizing data protection measures it has implemented, any data breaches or incidents67 |
|---|
| 93 | 93 | | it has reported during the year, and any efforts it has made to comply with the provisions68 |
|---|
| 94 | 94 | | of this article.69 |
|---|
| 95 | 95 | | 10-1-964.70 |
|---|
| 96 | 96 | | (a) Whenever it may appear to the Attorney General that an entity has violated the71 |
|---|
| 97 | 97 | | provisions of this article, the Attorney General may seek, and any superior court of72 |
|---|
| 98 | 98 | | competent jurisdiction may grant, any or all of the following relief:73 |
|---|
| 99 | 99 | | (1) A temporary restraining order or temporary or permanent injunction;74 |
|---|
| 100 | 100 | | (2) A civil penalty of up to $50,000.00 per violation or $500.00 per affected individual,75 |
|---|
| 101 | 101 | | whichever is greater;76 |
|---|
| 102 | 102 | | (3) A declaratory judgment; or77 |
|---|
| 103 | 103 | | (4) Other relief as the court deems just and equitable, including, but not limited to,78 |
|---|
| 104 | 104 | | reasonable attorney's fees and costs.79 |
|---|
| 105 | 105 | | (b) Any individual whose menstrual data is collected, processed, shared, or sold in80 |
|---|
| 106 | 106 | | violation of the provisions of this article may bring a civil action against the violating entity81 |
|---|
| 107 | 107 | | in any court having jurisdiction over such entity seeking any or all of the following relief:82 |
|---|
| 108 | 108 | | (1) Actual damages;83 |
|---|
| 109 | 109 | | (2) Statutory damages of up to $2,500 per violation; or84 |
|---|
| 110 | 110 | | (3) Reasonable attorney's fees and costs."85 |
|---|
| 111 | 111 | | H. B. 827 |
|---|
| 112 | 112 | | - 4 - 25 LC 59 0137 |
|---|
| 113 | 113 | | SECTION 4. |
|---|
| 114 | 114 | | 86 |
|---|
| 115 | 115 | | All laws and parts of laws in conflict with this Act are repealed.87 |
|---|
| 116 | 116 | | H. B. 827 |
|---|
| 117 | 117 | | - 5 - |
|---|