The "Reproductive Freedom and Gender-Affirming Care Health Data Privacy Act" establishes a new chapter in Title 23 of the General Laws, focusing on the privacy protections for consumer health data specifically related to reproductive and gender-affirming care. The act defines key terms such as "abortion," "consumer health data," and "gender-affirming care information."

The act mandates that regulated entities and small businesses obtain clear and informed consent from consumers before collecting, processing, or sharing their health data. It prohibits the sale of consumer health data without explicit consent and requires transparency regarding data usage, including the categories of data collected, the purposes for which it is used, and any third-party sharing.

Regulated entities and small businesses are required to maintain a consumer health data privacy policy that clearly discloses the categories of consumer health data collected, the sources of that data, and how consumers can exercise their rights regarding their data. Consumers are granted rights to access their data, request deletion, and withdraw consent for its collection and sharing.

The legislation also outlines the responsibilities of processors handling consumer health data, requiring them to operate under binding contracts that specify processing instructions. It establishes penalties for violations, allowing individuals to bring civil actions for injunctive relief and damages, and classifies breaches as deceptive trade practices. The act aims to enhance consumer control over personal health information and improve data security practices in the context of reproductive and gender-affirming care.