State legislatures across the country are considering bills that address how sensitive health data is collected, transmitted, used or sold as part of an effort by Democrats to protect abortion and transgender rights.
That legislation, mostly in blue states, comes amid a broader push by lawmakers in both parties to regulate the troves of valuable personal data stockpiled by tech companies — often without consumers’ knowledge — in the absence of federal action to protect data privacy.
Abortion rights activists say the Supreme Court’s Dobbs decision overturning the constitutional right to an abortion raises the stakes on digital information, such as the last date a woman entered her period into a tracking app or how many times her cell phone pinged a tower near an abortion clinic. Those details, they say, have now become digital breadcrumbs that anti-abortion groups or law enforcement officials could potentially collect from third parties to harass or prosecute people who might seek abortions.
Getting bombarded by ads after searching for, say, running shoes “isn’t necessarily deeply harmful, in the sense that our lives or our ability to have privacy, or freedom of certain decisions, are at risk,” said Washington State Rep. Vandana Slatter (D), who introduced a bill last week. “However, in this situation, it is … and that’s deeply concerning.”
Slatter’s bill was filed in conjunction with the state Attorney General’s office and was among a package of abortion-related House and Senate bills that Democrats in control of the state legislature have promoted as top priorities for the 2023 session.
The Massachusetts Senate is considering a bill introduced by Sen. Cynthia Stone Creem (D) that aims to protect “reproductive health access, LGBTQ lives, religious liberty and freedom of movement” by banning the sale of cell phone location information.
New York Gov. Kathy Hochul (D) announced in January that she would propose legislation to protect the personal data, including location history and search history, of anyone seeking abortion care in New York. Other blue states, including Minnesota and Hawaii, are considering measures that would prohibit the use of digital data in abortion-related prosecutions in other states after California passed the first such law last year.
Democrats in Virginia and Missouri have proposed similar bills that are unlikely to garner the Republican support they would need to become law. Control of Virginia’s legislature is split between Republicans and Democrats, and Republicans control a supermajority of both Missouri chambers.
Advocates for abortion rights called such measures a logical next move, as blue states — many of which have already taken steps to solidify abortion rights — consider how those efforts could be unraveled by forces beyond their borders.
“For patients, being able to protect their health care information is critical,” said Elizabeth Nash, principal policy associate for state issues at the Guttmacher Institute, a research organization that advocates for abortion rights.
It is unclear how abortion opponents will respond. A representative from SBA Pro-Life America, which advocates for abortion restrictions on the state level, declined to weigh in on the recent spate of health privacy bills crafted to protect abortion recipients and providers.
Lawmakers in the 12 states and counting that are enforcing abortion bans generally say they don’t want to prosecute people who seek abortions and have so far voiced little public opposition to health privacy bills like the one in Washington State. A 90-minute hearing there on the bill last week did not attract any testimony from abortion opponents.
Rep. Jim Walsh (R), the ranking member of the Washington State House Civil Rights and Judiciary Committee, said he was surprised that the media’s portrayal of the bill focused on the abortion and reproductive rights protections. Walsh said at the hearing that it “looks more like a general medical privacy bill.”
Questions have been raised by the technology industry about the measures’ breadth.
“Without changes to key definitions, virtually all data would be included, including the purchase of everyday consumer products like toilet, paper, deodorant, and even shoes,” Ashley Sutton, executive director of the tech trade group TechNet, said at the Washington State hearing.
Congress fell short of passing federal privacy standards last year in part because of objections from California lawmakers about how it would preempt state law. Since then, lawmakers in states across the political spectrum have proposed legislation that would give consumers more control of the data that companies collect about them, said Max Rieper, who tracks data privacy legislation for MultiState, a government affairs company.
Democrats in Congress also promoted separate House and Senate bills that were meant to protect personal reproductive or sexual health information. Those measures stalled in both chambers and never had the support of congressional Republicans.
While some of the more sweeping bills on the state level have encountered broad resistance from tech companies, states have begun to explore more targeted measures. That includes bills in red and blue states aimed at protecting information collected from children and in progressive states focused on gender and reproductive health, Rieper said.
“There’s definitely a growing concern in general about what kind of information is being collected from consumers,” Rieper said. “It makes sense that we’re going to see a lot more bills like this.”
The federal Health Insurance Portability and Accountability Act prohibits health care providers from sharing health care data, but that doesn’t cover the myriad bits of data points that private companies collect from cell phones and personal computers every minute.
The Washington State bill, called the My Health My Data Act, would require companies to disclose how they are using and collecting consumer data, and only allow such practices after consumers have explicitly opted in. It would also give consumers the right to have their health data deleted, prohibit the sale of consumer health data, and prohibit geofences — which use a mobile device’s location to send unsolicited messages — at health care facilities.
The bill in Massachusetts would require companies to obtain yearly written consent before collecting cell phone location data and give them an opportunity to opt out of targeted ads. It would also prohibit most disclosure of location information to third parties and require companies to provide annual reports to the attorney general of any warrants they had received seeking location information.
“People deserve control over whether this data is collected and how it is being used,” Creem, the Massachusetts senator who sponsored the bill, said in a statement. “In this increasingly digital world, we need to defend our right to privacy adamantly and this bill will help ensure people can live their lives free of this unwarranted surveillance.”
Some tech companies voluntarily curbed their data collection in the aftermath of the Dobbs decision.
The American Civil Liberties Union, which supports the Washington State bill, raised concerns about reports that geolocation data has been used to target visitors to abortion clinics with ads for anti-abortion pregnancy counseling services, that cell phone companies have sold customers’ locations and personally identifying information to third-party companies, and that patients waiting for emergency room care had been targeted with ads for personal injury lawyers.
The ACLU also cited a 2022 case in Nebraska in which a teenager and her mother were indicted for violating the state’s abortion ban after investigators obtained information from the daughter’s social media messaging app.
“People should be able to seek the critical health care they need, reproductive or gender affirming care, without fear that they will be tracked by private companies or the government,” said Jennifer Lee, a technology and liberty project manager for the ACLU.
California Attorney General Rob Bonta (D) said other states have expressed interest in using the legislation he sponsored in California as a model. That includes Maryland, where he testified about a data privacy proposal last year.
California’s law requires out-of-state law enforcement agencies seeking data or records from corporations in California to confirm in writing that the investigation does not involve an abortion that is legal under state law. It also blocks out-of-state law enforcement officers from using warrants to obtain California cell phone tower data location or search history from computers with an IP address in the state to investigate abortion services.
“There should be a sealed door of privacy for any individual who has reproductive data stored with a third-party tech app,” Bonta told Pluribus News. “Tech companies should be recognizing that it is not their data. It is the data of the individual and it should be protected, protected and preserved and should not be ever used to support a prosecution of an individual for providing an abortion or seeking one.”