Data privacy, abortion limits set to collide post-Roe
In wake of Dobbs decision, patchwork of state laws on privacy and abortion create worries about weaponization of health data collected online
The Supreme Court’s decision to overturn the federal right to abortion is likely to create a clash between state-by-state abortion restrictions and the patchwork of data privacy laws that are being legislated in the absence of a federal privacy law.
Even before the June 24 ruling in Dobbs v. Jackson Women’s Health Organization, privacy advocates, concerned that data on women seeking abortions could be used to target them, sounded alarms that women should be vigilant in the types of data and content they share with fertility and health apps and through social media. They also warned against bringing a phone or other device with location-tracking services to an abortion provider.
Although a handful of states including California, Colorado, Connecticut, Utah and Virginia have passed data privacy laws, and five others are considering similar measures, experts say it’s not clear how or whether such laws would protect women seeking abortions across state lines.
“I think it's going to be an interesting conflict between various state interests, because it's going to be such a patchwork,” said Carmel Shachar, executive director of the Petrie-Flom Center for Health Law Policy, Biotechnology, and Bioethics at Harvard Law School. “I am very worried about how data is going to be packaged and used.”
Among the states that have privacy laws on the books, California and Colorado protect abortion rights. Connecticut imposes a ban after 24 weeks of pregnancy. Virginia permits most abortions, but Republican Gov. Glenn Youngkin is seeking a 15-week ban.
Utah's trigger ban — which would block all abortions, with limited exceptions — is blocked in court temporarily. For now, the state is enforcing the 18-week ban enacted in 2019.
In states that have various levels of abortion restrictions, it’s unclear how and whether local law enforcement agencies and prosecutors would use data to identify women seeking abortion services both within and out of state.
The problem could be worse in states such as Texas and Oklahoma that have enacted bounty-style laws, which reward those who bring successful lawsuits against anyone aiding an abortion. Those laws have been paused because of ongoing litigation but could be reinstated in the future in those and other states.
Such laws may encourage broader efforts to single out individuals near clinics or facilities focused on family planning or fertility, Shachar said.
“It can be a mob mentality,” said Shachar. “So I would worry about, OK, what happens when some keyboard warriors decide we are going to take a close look at this physician who we think is performing abortion when it’s illegal in their state? Or, we’ve identified this physician as being abortion-friendly — who are the women who are going to this physician? They may be able to piece together that information from what’s available online.”
People who have information about another person’s health and abortion needs pose the greatest risk, said Farah Diaz-Tello, senior counsel at If/When/How, a reproductive health advocacy group.
“People’s private information, like what they have searched for on the internet or text messages they have sent to others about their intent to end a pregnancy, have come into evidence in cases where people have been charged with a crime for self-managing an abortion,” Diaz-Tello said in an email. “But the precipitating factor is always someone else reporting them to law enforcement, who then have the power to seize people’s devices.”
In light of the Supreme Court’s decision, women have to remember that “to reduce one’s digital footprint is important, but the first line of defense is not sharing information unless absolutely necessary,” Diaz-Tello said.
The Federal Trade Commission recently warned about multiple ways in which users willingly and unwillingly generate data on their health and whereabouts that could be used to target them.
“Beyond location information generated automatically by consumers’ connected devices, millions of people also actively generate their own sensitive data, including by using apps to test their blood sugar, record their sleep patterns, monitor their blood pressure, or track their fitness, or sharing face and other biometric information to use app or device features,” the FTC said in a July 11 statement. “The potent combination of location data and user-generated health data creates a new frontier of potential harms to consumers.”
More specifically, the FTC said, data relating to women’s reproductive issues could be weaponized, with “products that track women’s periods, monitor their fertility, oversee their contraceptive use or even target women considering abortion.”
Congress is considering a federal data privacy bill that has bipartisan backing from House Energy and Commerce Committee leaders Frank Pallone Jr., D-N.J., and Cathy McMorris Rodgers, R-Wash., and Sen. Roger Wicker, R-Miss., but some experts say the measure as it stands would not protect data on women’s reproductive choices.
Kirk J. Nahra, a privacy attorney at WilmerHale and co-chair of the firm’s Big Data and Cybersecurity and Privacy practices, said no law would be an easy fix to the situation.
Nahra said the compromise bill, if passed in its current form, "will make some of the risks better," but would not eliminate the Dobbs-related risks. "I'm not sure how you would revise that law to eliminate the Dobbs risks," he said.
“The federal legislation on the table right now wouldn’t be sufficient to protect anyone against the harms we’re worried about, including people seeking reproductive care,” said Hayley Tsukayama, senior legislative activist at the Electronic Frontier Foundation, which is backing legislation from Rep. Sara Jacobs, D-Calif., and Sen. Mazie K. Hirono, D-Hawaii, that focuses on protections specific to reproductive and sexual health information.
“Right now, there is a very limited legal framework for protecting the types of information” that Jacobs’ bill seeks to address, said Katie Heller, deputy chief of staff for Jacobs. Although California’s privacy bill “does some data minimization, this bill would increase the level of protection for reproductive health information specifically,” she said.
The Jacobs-Hirono bill would specify that no entity may “collect, retain, use, or disclose personal reproductive or sexual health information” without an express permission from an individual or to provide services to the individual.
Heller said Jacobs and other lawmakers are in touch with House Speaker Nancy Pelosi, D-Calif., about including their proposal in the speaker’s response to the Supreme Court’s decision to end abortion rights.
Lawmakers are unlikely to add any abortion-related provisions to the Pallone-Wicker bill for fear of losing Republican support for the broader bill.
But Nahra cautions that even more tailored bills — like one from Sen. Elizabeth Warren, D-Mass., that would block brokers from selling sensitive data — would not solve the issue.
“I think they're useful and important tweaks,” he said. “They're not eliminating this issue, because you're never going to have a law that says that a law enforcement person can't get data to enforce a law.”
Law enforcement can seek a subpoena or court order that would require any company to submit specific data. Even health providers and plans, who otherwise cannot disclose private health information under the Health Insurance Portability and Accountability Act, or HIPAA, must adhere to a court order or subpoena.
The Pallone-Wicker bill also lacks crucial support from key Democrats in the Senate, including Commerce Chair Maria Cantwell, D-Wash., and Sen. Brian Schatz, D-Hawaii. Both lawmakers have said they oppose the measure’s provision that would prohibit individuals from suing companies for privacy violations for a period of four years after the law takes effect.
Ideally, Congress should be able to close the gaps between various state laws on privacy and protect all classes of citizens including women seeking abortions, said Deven McGraw, head of data stewardship at Invitae, a California-based genetic health care company.
“Asking Congress to fix this brings up all the same sensitive issues that have kind of placed a stranglehold on Congress' ability to address the overturning of Roe v. Wade directly,” said McGraw, who previously served as the deputy director for health information privacy at the Department of Health and Human Services Office for Civil Rights.
“The fact that, you know, that information about someone seeking a health procedure or the status of someone's pregnancy, or the status of someone's menstrual cycle, or anything sort of related to reproductive health could be essentially gathered and used to target women, to surveil, to harass them, or worse, of course, to throw them in jail is deeply concerning,” McGraw said.