Privacy in a Post-Roe World: What Businesses of All Types Should Consider
Following the U.S. Supreme Court's decision in Dobbs v. Jackson Women's Health Organization overruling Roe v. Wade, businesses and organizations that process personal data—including those outside the health or reproductive space—have an important role to play in protecting those who seek reproductive healthcare.
Why Data Privacy Is Paramount in a Post-Roe United States
In anticipation of Dobbs, some states passed or resurrected laws that significantly restrict and prohibit access to abortion and reproductive healthcare. These laws have incentivized law enforcement to scrutinize pregnant persons and those around them, undermining individuals' rights to privacy in addition to threatening their health and safety. From empowering private citizens to enforce (and even profit from) abortion restrictions to broad prohibitions on attempts to seek reproductive healthcare, including limits on out-of-state travel for abortion services or medications, and threats to criminalize all who support or facilitate abortion access, the intention of these state laws is clear: identify and punish those who seek abortion care and intimidate any who might consider seeking an abortion.
Avoiding the Misuse of Data to Identify People Seeking to Procure or Facilitate Abortion
Laws that attempt to thwart access to abortion allow law enforcement and anti-abortion actors to weaponize the digital personal data that businesses collect about employees and consumers—including location information and web-browsing history—to prove that someone sought or assisted in the provision of abortion care in violation of those laws. Businesses and organizations, including those outside the health or reproductive space, that are concerned about protecting individual privacy and their constituents' access to reproductive care can address these issues by considering the following questions:
1. Data collection. What personal data is the business collecting? About whom? What could that data reveal about individuals' reproductive healthcare decisions and access to abortions?
Health-related data has an obvious nexus to reproductive issues, but geolocation information, browsing or search history, travel records, expense reimbursements, and commercial or purchasing records also could reveal efforts to obtain pregnancy or abortion care. Employment records, such as time off or travel reimbursements (particularly where employers offer financial support for abortion-related travel) could be targets of anti-abortion subpoenas or even warrants for emails and other communications. Even personal data that is not typically considered "sensitive" or collected for health-related purposes could nonetheless reveal highly sensitive insights into an individual's reproductive decisions.
2. Data minimization and retention. How much personal data are we collecting and how long are we retaining personal data that might reveal information about health-related decisions and access to reproductive healthcare?
Businesses can ensure data privacy—and protect their employees and consumers—by collecting only the personal data that they need to achieve their stated goals and by retaining personal data for only as long as necessary to achieve the purposes for which it was originally collected. These fundamental data privacy practices will prevent those seeking to interfere with access to reproductive care from obtaining that data.
3. Data inferences. What is the business inferring based on the personal data it collects? What could someone else infer if they had access to this personal data, or were able to combine it with other information?
As we pointed out in our discussion of data collection above, personal data may not, on its face, reveal information about pregnancy or abortion, but such inferences can be drawn when multiple data elements are combined. And even though we may not consider certain purchases to be revealing, the FTC has noted that data aggregators and brokers often build profiles about consumers and draw inferences about them based on the places they have visited, categorizing health conditions and highlighting a consumer's status as an "expectant parent."
4. Data sharing. With whom does the business share personal data? How will those recipients use the personal data? Do or will data recipients disclose the data to data brokers? Are we disclosing it to data brokers? What access do internal actors have to others' personal data? What checks are in place to prevent an internal "bad actor" from compromising the privacy or security of personal data? What processes are in place to prevent an external "bad actor"—including the business's vendors—from compromising data privacy or security?
Contractual restrictions on personal data recipients' use of that data may help protect privacy, but it can ultimately be difficult to control where personal data ends up or how it is used. Limiting disclosure of personal data, particularly that which reveals or could reveal pregnancy or reproductive care, can help protect privacy. Similarly, internal access controls, audits, and monitoring are important data security practices, as are precautions to protect data from hackers and oversight to ensure that vendors, such as cloud storage providers, do not make data vulnerable to unauthorized access.
5. Business offerings. How might our products and services be used to chill access to abortion and healthcare? What policies or procedures can we establish to prevent these uses of our offerings?
Anti-abortion organizations and activists may seek to use technology products and services to target and/or chill those accessing healthcare and abortion care. For example, crisis pregnancy centers, which often present as healthcare centers but maintain anti-abortion agendas, use targeted advertising to identify and target individuals seeking reproductive care. One marketing company sought to combine targeted advertising services with geofencing technology, using location information to identify people who crossed a digital "fence" to a clinic offering abortion services. The marketing company, Copley Advertising, LLC, marketed this service as enabling anti-abortion groups to deliver anti-abortion messaging directly to individuals in clinics via standard targeted advertising technology. (Copley's offering resulted in a settlement with the Massachusetts Attorney General assuring that Copley will not use geofencing technology at or near Massachusetts healthcare facilities to infer the health status, medical condition, or medical treatment of any individual.) Updating terms of service, customer agreements, and internal policies, may limit unintended uses of a business's technology, products, and services to target abortion care.
As enforcement of post-Roe abortion laws begins, businesses and organizations that collect, use, and store personal data can expect to receive requests for information related to reproductive care, abortion, and pregnancy. They might also be compelled to produce that kind of information through the use of subpoenas, warrants, and other legal processes. (Government entities can also ask for records and content of communications from providers under the "emergency" exception that allows for production without formal legal process in situations involving danger of death or serious physical injury to any person. Under some states' "fetal personhood" laws, this exception could be used to generate an emergency request for data to prevent an abortion.) Some of these requests or demands for information may not disclose the effort to identify those who may consider having an abortion or have had or aided an abortion.
Preparing now by developing and maintaining a robust privacy program that includes best practices and a plan of action for responding to requests or orders for data can help employees, consumers and other stakeholders feel more confident and secure in their personal reproductive decisions.