By Kewa Jiang
In the wake of the Dobbs decision, there was a range of responses from government agencies and tech companies. Each party attempted to address public concerns about the potential data privacy repercussions of a post-Roe world and the stark reality women seeking abortions are facing across the country. Provided below is a round-up of responses.
White House Executive Order
Even prior to the official announcement of the Dobbs decision, there were calls for the White House to protect abortion rights and the health information of women seeking abortions. On July 8, 2022, President Biden signed an executive order addressing abortion rights, protection of sensitive health information, and protection of consumer data privacy. In the executive order, President Biden specifically called upon the Federal Trade Commission and Department of Health and Human Services to protect consumer health data and to address concerns of “digital surveillance related to reproductive healthcare services.”
Federal Trade Commission Response
On July 11, 2022, the FTC released a public statement providing assurances that the agency will continue to “vigorously enforce the law if we uncover illegal conduct that exploits Americans’ location, health, or other sensitive data.” The FTC warns consumers against believing companies that claim they truly anonymize collected data. They highlight research that shows that, with four location points, “95% of a data set of 1.5 million individuals” can be uniquely identified. The FTC also warns that if companies are not truthful about their claims of data anonymization, they should “expect to hear from the FTC.” However, as former Director of the FTC’s Bureau of Consumer Protection Jessica Rich noted at a recent American Bar Association panel on the effects of the Dobbs decision, the FTC does not have the capacity or resources to police the entire marketplace, nor can they prevent legal state subpoenas for health data information.
Department of Health and Human Services Response
The other agency tasked with health data protection is the Office of Civil Rights (OCR) within the Department of Health and Human Services (HHS), which enforces the Health Insurance Portability and Accountability Act (HIPAA). On June 29th, OCR released a statement providing guidance to patients and providers on the protections that health and reproductive information are afforded under HIPAA. The OCR states that disclosures of health information to law enforcement officials are “permitted only in narrow circumstances tailored to protect the individual’s privacy and support their access to health care, including abortion care.” However, it is important to note that HIPAA only applies to covered entities, such as healthcare providers and business associates. As for mobile health apps (mHealth apps), most are not considered covered entities under HIPAA’s definition. Thus, as the OCR states, “the HIPAA Privacy, Security, and Breach Notification Rules do not protect the privacy or security of individuals’ health information when they access or store the information on personal cell phones or tablets.”
Data Brokers and Circumvention of Legal Procedures
Neither HHS nor FTC can guarantee protection against state law enforcement access to health data information if law enforcement has a legal subpoena. Nor are there protections that prevent law enforcement departments from circumventing the subpoena process by purchasing bulk data from data brokers. While some data brokers have stated they will no longer sell information related to pregnancy or abortion providers, there are others that have refused. In fact, the use of bulk data has proven to be a highly effective surveillance practice that is used by ICE to track immigrant communities. As the FTC stated, most companies do not truly anonymize their data and, with additional data points, “anonymous” data may become identifiable.
Google’s Deletion of Location Data
After the Dobbs decision, tech companies also responded to renewed consumer and legislative scrutiny of their data handling procedures. But companies may still have to comply with law enforcement requests for data despite any measures they implement.
One way for companies to prevent disclosure of certain data is to not collect or retain sensitive consumer information, or to delete it. On July 1st, Google announced it will delete consumer location data, such as information about visits to an abortion clinic, domestic violence shelter, or fertility clinic. Google assured consumers that the company “prohibit[s] [mobile app] developers from selling personal and sensitive user data” and that location settings will be turned off by default. The company also affirmed its commitment to protecting consumer data from law enforcement demands, stating that it pushes back on broad requests, usually notifies users of information requests, and publishes a transparency report of requests received.
Meta and Improper Health Data Sharing
Prior to the official announcement of the Dobbs decision, The Markup and Reveal from the Center for Investigative Reporting revealed that Meta, the parent company of Facebook, was receiving sensitive medical data without patients’ consent. The health information was collected from hospital web portals and web pages, after patients logged into their medical accounts, via Meta’s Pixel, a piece of code that can be added to any website to “aid with visitor profiling, data collection, and targeted advertising.” Meta and several hospitals were recently sued by plaintiffs alleging federal and state violations of their health privacy. Plaintiffs allege they were targeted with advertisements about their medical conditions because their medical information was shared with Facebook and subsequent advertisers.
In the context of reproductive health privacy, The Markup and Reveal found that Meta’s Pixel is also present on numerous crisis pregnancy centers’ websites that send consumer data to Facebook. The report uncovered that sensitive data, such as user names, email addresses, website interactions, and location, were shared with Facebook. In fact, several anti-abortion organizations use the collected data about abortion website visits and abortion procedure searches to target users with anti-abortion messaging.
The current health and reproductive data protection landscape remains patchy and piecemeal, leaving swaths of such data ripe for exploitation. As the battle for abortion access is fought state by state and pending legislative protections remain in limbo, anxiety and uncertainty remain for individuals seeking abortion information or procedures.