By Cameron F. Kerry
The Supreme Court’s Dobbs decision overruling Roe v. Wade has raised unsettling questions about the status of the Court’s right to privacy jurisprudence. On a more immediate level, though, the decision has also triggered deep concern about its impact on the information privacy of women who have abortions while living in states that ban abortion, as well as others who help them, promote travel to other states, or sell abortion medications.
With abortion bans in several states taking immediate effect, state prosecutors—or anti-abortion activists—can begin to investigate and prosecute. As they do, they may seek evidence not only from devices and accounts of targets but also from the wide array of app providers, communications services, advertisers, and data brokers able to collect unlimited information today. This kind of evidence can include geolocation data that reveals visits to places where abortions are performed and the duration of visits; data from “femtech” apps and devices that show interruptions in menstrual cycles; web searches for abortion services or help; data or communications with providers or family about obtaining an abortion; and payments data reflecting purchases of abortion services or medications, among many sources of digital evidence. For example, Fitbit data has already been used to discredit a rape allegation, so it could be used to discredit a similar exception to abortion restrictions.
In response to the Dobbs decision, House Speaker Nancy Pelosi (D-Calif.) to write House members flagging work on legislation to “[p]rotect women’s most intimate and personal data stored in reproductive health apps.” In anticipation of the decision, Sens. Elizabeth Warren (D-Mass.) and Ron Wyden (D-Ore.) introduced a bill to prevent data brokers from selling health and location data and Rep. Sara Jacobs (D-Calif.) filed a My Body, My Data Act to establish privacy protections for “personal reproductive or sexual health information.” Advice to women about covering digital tracks has been abundant.
In this light, it is worth examining how pending comprehensive privacy legislation would protect these kinds of information. The bipartisan American Privacy and Data Protection Act (ADPPA) is the most likely vehicle for such legislation since it was reported out unanimously by the Consumer Protection and Commerce Subcommittee of the House Energy and Commerce Committee on June 23, 2022, and is expected to go to full committee for a markup after the July 4 recess. Thus, the bipartisan ADPPA is the bill with by far the best prospect of passage in this Congress—and the first comprehensive information privacy legislation ever with any real prospect of passage.
The ADPPA would provide material boundaries for more focused data collection, use, and sharing in place of today’s anything-goes system, and provide rights that give individuals greater control over information that can be linked to them. Women’s health information is a subset of the bill’s “covered data” and would be subject to additional protections as “sensitive data” (as in some other comprehensive privacy bills, including the Comprehensive Online Privacy Rights Act filed by Sen. Maria Cantwell (D-Wash.)). The ADPPA would accomplish the essence of the Warren-Wyden and Jacobs bills—and then some.
Under the heading of “sensitive data,” the ADPPA includes information about “the past, present or future physical health, mental health, disability, diagnosis, or healthcare condition or treatment.” Unlike HIPAA, the health information statute many people are familiar with in the healthcare context, this coverage applies to all such information regardless of whether is in the hands of a covered provider. That would encompass most of the data of concern as a result of Dobbs, including from femtech apps, smart watches, and web searches, as well as the health information and sexual and reproductive health information targeted by the Warren-Wyden and Jacobs bills.
In addition to this important category, the definition of “sensitive data” includes genetic information and biometric information, which can be used as identifiers, and any and all data about anyone under the age of 17. The latter category would add protection for younger teens who may be subject to unwanted pregnancies. Sensitive data under ADPPA also includes precise geolocation information, which is a subject of the Warren-Wyden bill.
The definition of covered information includes “derived data,” personal information obtained from analysis, inferences, and predictions based on covered personal data. This would cover instances like Target’s famous targeting of ads for pregnancy and infant products to a pregnant teenager whose family did not know about her pregnancy.
The ADPPA protects all personal information by requiring that collection, use, and sharing be “limited, necessary, and proportionate” for the provision of services and products requested by, or communication reasonably expected by individuals, and allows for specified uses such as fulfilling orders, billing, security, and maintaining and improving services. For sensitive data, it also prohibits sharing personal information with third parties such as advertisers and data brokers without affirmative express consent from individuals. And if such data is shared, it may not be processed beyond the purposes for which consent was given.
Some have advocated that women should get rid of apps or devices that monitor menstrual cycles and all their data. The ADPPA proposes some means to control such information. It would give individuals rights to get access to data linked or linkable to them (at no cost at least two times per year) and to have it deleted. It also requires a means for individuals to withdraw consent previously provided and to opt out of targeted advertising and transfers of data to third parties, providing some control over online tracking or data aggregation that could be revealing, as in the Target case.
The protections covering the collection, use, and sharing of personal information in the ADPPA would allow compliance with federal, state, local, and tribal legal requirements. This means that even sensitive information is not immune from lawful processes by law enforcement. The Electronic Communications Privacy Act (ECPA) does provide significant constraints, particularly for the stored contents of electronic communications, although a widely-followed judicial decision imposing a warrant requirement has never been codified as law or adopted by the Supreme Court. Law enforcement access involves a different legal regime and privacy debate about what constraints should be placed on such processes, either in general or for health information.
The protection proposed in the ADPPA nevertheless should reduce the volume of data in private hands available by lawful process as well as freely available to law enforcement (or vigilante bounty hunters) through commercial sources, on the web, or by tracking devices and behavior online. It also would give covered entities a legal basis to decline providing information simply because a police officer or prosecutor asks for it and, as the later-enacted law, should override the latitude in ECPA for non-governmental entities to obtain non-content data, or metadata, about electronic communications.
The ADPPA also extends civil rights protections to processing of personal information that discriminates on the basis of protected classes, which includes discrimination “on the basis of sex.” Coupled with provisions obligating companies to assess and mitigate “privacy risks” and to evaluate algorithms, these protections should increase mindfulness about the impact of data use on women.
Sen. Maria Cantwell’s majority staff on the Senate Commerce, Science, and Transportation Committee sent a memo to members arguing the ADPPA does not adequately protect women’s reproductive information because constraints on private lawsuits will make it harder for women to sue for violations. The basic scope of private rights of action in the ADPPA and a Cantwell draft are similar, but the ADPPA’s right would not be available until four years after the law’s effective date and subject to very specific notice and pleading requirements that could throw out some claims. The ADPPA also does less to limit mandatory arbitration clauses and class action waivers in privacy claims.
These constraints on litigation do not alter the significant changes that the ADPPA would make to existing information ecosystems. If House passes the ADPPA, Sen. Cantwell and Senate Democrats should think long and hard about whether they want to stand in the way of enacting far-reaching privacy protections encompassing reproductive and sexual health information over the limits on lawsuits. There are aspects of the ADPAA that can be improved, but the major differences among the negotiators have space for compromise. Four years leaves room to move up the date when lawsuits can begin while allowing ample time to adapt to compliance. There are many different ways to limit lawsuits (some suggested in our 2020 report on ways to bridge gaps in privacy bills). And both bills provide for some limits on pre-dispute arbitration waivers, having moved off polar all-or-nothing positions in 2019.
At the end of the day, as with gun legislation, it will be better to do something than to leave in place an unfettered system—and the ADPPA would accomplish far more for information privacy than the new gun law does for gun safety. And rather than requiring specific legislation, the risk to information about women’s health and health care adds urgency to the opportunity for a baseline of protection for the personal information of every woman, man, and child in America.