Blog Data, Privacy + Cybersecurity Insights August 03, 2022

Tech Companies Need to Prepare for the Data Privacy Implications of Dobbs v. Jackson Women’s Health Organization

In overturning Roe v. Wade and eliminating the constitutional right to abortion in the U.S., Dobbs v. Jackson Women’s Health Organization has caused a seismic shift in constitutional jurisprudence. The Dobbs ruling and the legislation criminalizing abortion that has followed in a number of states threaten to alter numerous dimensions of the American legal landscape. The impact on privacy rights and civil liberties, in particular, is likely to be especially profound. In a time of ever-increasing digital surveillance, technologies that once seemed innocuous and largely beneficial to consumers may be weaponized against them in an effort to enforce new restrictive abortion laws. Internet search history, data collected and compiled in various reproductive health, fitness and wellness applications, email and SMS communications, geolocation data, website tracking, and even consumer behaviors as subtle as mouse movements are likely to become increasingly subject to access by law enforcement authorities. In addition, companies that are the custodians of such data (as well as their service providers) might find themselves under increasing financial and reputational risk from cyberattacks and other incidents that compromise information that could be used to track health and pregnancy-related data.

State law enforcement authorities and governmental agencies may be able to access and acquire massive amounts of sensitive consumer data, such as GPS/location, search history, and phone application data, through various means including subpoenas, warrants and even simple requests to access one’s device. In addition, like private parties, law enforcement and government agencies can purchase user information through data brokers and can, of course, issue subpoenas and warrants to companies demanding access to the data those companies retain.

In many cases, such data may play a role in bringing charges against individuals who administer, assist with, or receive abortion services a state deems illegal. For example, some smartphone application data, such as period tracking apps which are used by millions of Americans, collect personal data that can indicate when a user has become pregnant. Wellness tracking apps that are not focused specifically on menstrual cycles can also generate data that may be indicative of a pregnancy and the cessation of a pregnancy. Geolocation data, which can show the precise location of where a user has been at a specific point in time, could lend additional evidence to support that such user has been inside a facility that administers abortion services. Law enforcement agencies that obtain a user’s Internet search history or social media interactions indicating that such user has recently sought information related to abortion services may have enough evidence to charge an individual for obtaining an illegal abortion. This invasive approach to building an evidentiary record for abortion-related charges is not a new phenomenon. Even prior to Dobbs, there were well-publicized cases of police accessing women’s web browsing history in efforts to prove that claimed natural miscarriages were actually the result of an intentional illegal act. As abortion laws become increasingly restrictive in many parts of the country, it seems likely that there will be increased efforts at gathering this type of digital evidence.

In response to these potential threats to privacy, some tech companies are already developing ways to limit or prevent sensitive data from being used against individuals seeking abortion services. Some of the aforementioned period tracking apps have recently announced that they are investigating the development of anonymous modes and have reassured their users that they will not sell or share sensitive data collected via their applications with any third parties. However, this does not solve the risk of the acquisition of such data by law enforcement authorities and private parties pursuant to a valid legal process. Additionally, users that do not specifically opt in to anonymous modes will unwittingly continue to provide sensitive data that could be used against them by the state to bring serious criminal charges. Moreover, sensitive data retained by providers of various platforms and apps would remain vulnerable to the risk of a data breach caused by employees or third-party service providers and may be specifically targeted by hackers sympathetic to abortion bans.

 

What Tech Companies Can Do to Prepare for New Data Privacy Implications of Dobbs

In light of this new landscape, companies that handle data that reveals information about an individual’s private reproductive health may find themselves challenged by the simultaneous focus on offering adequate privacy protections to their consumers and the legal obligation to respond to the demands of law enforcement authorities, private parties pursuing civil actions and governmental agencies. There are a number of steps that technology companies should begin to take to address their precarious position in this new legal landscape.

 

  • Conduct an Internal Review

As a first step, companies that are in possession of data that may reveal information relevant to reproductive health matters should ensure that they have a full understanding about their own data collection, use, retention and sharing practices. In conducting this assessment, companies should ask themselves questions such as:

  • Are we limiting our data collection to what is necessary to provide our service?
  • Have we adopted a privacy by design approach across the board throughout our enterprise?
  • What data are we sharing with whom and for what purposes?
  • What do our agreements with data recipients, including service providers, say about their ability to use and share the data?
  • What are our policies and practices for responding to subpoenas and other demands for information?
  • When we respond to user requests to modify or delete data, how do we ensure that such requests are carried out correctly and completely throughout all of our information systems?

 

  • Review Privacy Policies, Disclosures and Other Public Statements

An Executive Order signed by President Biden on July 8, 2022, aims to provide guidance on the transfer and sale of sensitive health-related data and digital surveillance related to reproductive healthcare services. Specifically, President Biden has asked the Federal Trade Commission (“FTC”) and  the Department of Health and Human Services (“HHS”) to protect consumers seeking information about, and the provision of, reproductive healthcare services, and to consider options to address fraudulent or deceptive practices to protect online access to accurate information. Based on this Executive Order, we anticipate that the FTC will act more aggressively against companies that sell or share sensitive personal data if their privacy policies or other public statements say that they will not do so. To mitigate the risk of enforcement, companies must understand their data collection and sharing practices and accurately reflect these practices in their privacy policies. It will also be crucial to review all public statements about data practices to ensure they are accurate and consistent.  Regulators are unlikely to  consider a company’s argument that it lacked awareness of its data practices as an excuse for  wrongful conduct or as a basis for decreasing financial penalties or dismissing an action.

 

  • Ensure Appropriate Data Protection Plans, Policies and Technologies Are in Place to Prevent Security Incidents

Ensuring the security of company information systems is even more critical given the sensitivity of data involved in personal reproductive choices, with data concerning abortions being even more sensitive. Companies should prioritize the allocation of Company resources to invest in cyber-hygiene and cyber-resiliency, including measures such as periodic expert review, penetration testing and audits, periodic patching of vulnerabilities, migrating legacy systems to frameworks amendable to updates, and codifying policy for staffing sufficient IT and software engineering personnel.

 

  • Establish Procedures to Verify and Honor Data Subject Access and Deletion Requests

Many companies that are subject to the California Consumer Privacy Act are already equipped to handle data subject deletion requests from California residents. Companies that collect personal data could choose to honor all deletion requests if such data could be used against individuals seeking or providing abortion services.

 

  • Consider Technical Solutions

We expect companies to develop technical solutions that will protect users’ privacy, including through anonymization, encryption or moving operations offshore. Businesses that collect sensitive data should monitor the market and deploy these technologies as they become available.

 

Conclusion

The full impact of the Dobbs decision is not yet clear. It is already apparent, however, that technology companies will have the opportunity to occupy an increasingly central role in supporting meaningful protections for data privacy.

The post Tech Companies Need to Prepare for the Data Privacy Implications of Dobbs v. Jackson Women’s Health Organization appeared first on Data + Privacy + Cybersecurity Insights.