The "My Body, My Data Act of 2025" establishes comprehensive protections for personal reproductive or sexual health information. It defines this information broadly to include data related to researching or obtaining services, health conditions, procedures, contraceptive use, bodily functions, and any derived or inferred health data. The Act applies to "regulated entities," which are broadly defined to include most commercial entities, with specific exclusions for HIPAA-covered entities and business associates when acting in those capacities.
A core provision is data minimization, requiring regulated entities to collect, retain, use, or disclose personal reproductive or sexual health information only as strictly necessary to provide a requested product or service. Employee access to this sensitive data must also be restricted to those for whom it is essential. This ensures that data collection and handling are limited to specific, user-initiated purposes.
The bill grants individuals significant rights over their data, including the right of access to their information, how it was collected, and to whom it was disclosed, in both human-readable and machine-readable formats. Individuals also have the right of correction for inaccurate information and the right of deletion for any retained data. Regulated entities must provide easy-to-use mechanisms for these requests, respond within 15 days, and cannot charge fees.
To ensure transparency, regulated entities must maintain and prominently publish a clear privacy policy detailing their practices regarding reproductive or sexual health information. This policy must include categories of data collected, purposes for collection and disclosure, lists of third parties involved, and how individuals can control their data. The Act also prohibits retaliation against individuals for exercising their rights, such as denying services or charging different prices.
Enforcement of the Act falls under the Federal Trade Commission (FTC), treating violations as unfair or deceptive acts or practices. Additionally, individuals can bring civil actions for violations, potentially recovering actual damages or statutory damages between $100 and $1,000 per violation per day, punitive damages, and attorney's fees. The bill explicitly states that a violation constitutes a concrete injury in fact and invalidates pre-dispute arbitration agreements and joint-action waivers for disputes arising under the Act. The legislation preserves existing federal laws and allows for stronger state privacy protections.