Kristen Salas Mationg
Loyola University Chicago School of Law, JD 2024
In Dobbs v. Jackson Women’s Health Organization (Dobbs), the US Supreme Court ruled that abortion is not a fundamental right protected by the Constitution. This decision resulted in additional abortion protections in California, Michigan, and Vermont, and prompted many patients, providers, regulators, and tech companies to rethink data privacy. However, because most abortions are still banned in at least 13 states, this patchwork of state abortion laws, combined with the lack of any sufficient national privacy law, puts patient privacy at risk.
The data at risk
The Supreme Court’s decision in Dobbs sheds light on the large amount of data that tech companies collect. Data that could potentially implicate abortion-seeking patients, providers, and businesses in states where abortion is illegal. Because consumers use their phones for almost everything, including searching for the nearest abortion center or using apps to track their period cycles, this sensitive data poses privacy threats to both providers and women seeking reproductive care.
Further, since Dobbs was decided in June, privacy experts have warned that law enforcement agents in states that have banned or heavily restricted abortion could serve warrants on businesses that collect user data, including tech companies. Shortly after the Dobbs decision, Google announced that it would provide certain privacy protections to consumers, such as deleting location data soon after a user visits an abortion center, allowing users to more quickly delete menstruation data from their Fitbit, and protecting users from inappropriate government demands.
The impact of new California legislation
A national leader in consumer protection legislation, California recognized the need for additional privacy protections in a post-Roe world. Consequently, California Governor Gavin Newsom signed AB 1242 and AB 2091 into law on September 27, 2022.
AB 1242 forbids law enforcement or California-based businesses from cooperating with any out-of-state entities request for information about a lawful abortion conducted in California. The bill also prevents law enforcement from knowingly arresting someone for aiding in a lawful abortion in the state. In order to receive records from California-based companies, AB 1242 requires that out-of-state law enforcement agencies provide an attestation that their investigation doesn’t involve a crime related to an abortion that is lawful in California.
AB 1242 is the first law in the nation to explicitly block out-of-state investigators from requesting digital information about abortion-related actions that are legal in-state. Notably, this law protects the many tech companies that are based in California that collect sensitive data, such as Google, Meta, and Uber.
Additionally, AB 2091 prohibits health care providers, health care plans, contractors or employers from releasing medical information that would identify an individual, or any information that related to an individual seeking or obtaining an abortion, in response to a subpoena or law enforcement request, if the subpoena or request is for the purpose of enforcing another state’s laws interfering with a person’s right to choose or obtain an abortion. The law authorizes the California Insurance Commissioner to impose a civil penalty of up to $10,000 on insurers that violate these prohibitions.
While the federal law known as the Health Insurance Portability and Accountability Act (HIPAA) helps to protect patient privacy, this law only extends to medical records and other personal health information. Notably, consumers generate so much data, such as text messages and location information, that is not covered by HIPAA and could be used to identify abortion providers and those seeking an abortion. Together, AB 1242 and AB 2091 aim to preserve abortion access to individuals that both provide and receive abortion services in California, and work to protect sensitive information not otherwise covered by HIPAA.
The impact of California’s laws within a national framework
Because the United States has yet to pass a national data privacy law, individuals are relying on the states and tech companies to safeguard their sensitive data. Additionally, the White House acknowledged the importance of patient privacy and encouraged regulatory agencies to take action in President Biden’s Executive Order on Securing Access to Reproductive and Other Healthcare Services. The Executive Order recognized the Federal Trade Commission’s (FTC) commitment to take action against illegal use and sharing of sensitive data, as well as the FTC’s probe of over 15 mobile carriers on their data privacy practices, as important steps to protecting Americans’ access to reproductive health services.
It is still unclear how California’s AB 1242 and AB 2091 will interact with other states’ restrictive abortion laws. However, it is certain that similar data privacy laws protecting sensitive data should be passed on either a national level or in other states that have legalized abortion. In addition to actions taken by regulatory agencies on the national level, a national law or stricter state protections can ensure that abortion access to individuals providing and receiving abortion services is guaranteed in more states beyond California.