Navigating Data Privacy in Post-Roe America

Photo by sdecoret on iStock

June 28, 2023
Authors
  • Hannah Darnton portrait

    Hannah Darnton

    Director, Technology and Human Rights, BSR

  • Avatar

    Samone Nigam

    Manager, Technology and Human Rights, BSR

  • Jen Stark portrait

    Jen Stark

    Co-Director, Center for Business and Social Justice, BSR

Key Points

  • Since the overturning of Roe v Wade, 24 states have enacted full restrictions on abortion access.
  • The past year has posed unsettling questions about how data collected by companies could be used as evidence against individuals seeking abortion.
  • From data-minimization practices, to increased privacy protection, BSR’s Human Rights and Tech team provide key recommendations for technology companies in post-Roe America.

One year ago, the US Supreme Court overturned the landmark 1973 ruling which established constitutional protection for abortion. The overturning of Roe v Wade enabled state governments to impose new restrictions, bans, and trigger laws on abortion and reproductive rights, severely curtailing human rights including access to healthcare, access to information pertaining to family planning, and the right to privacy, among others.

A year later, the policy landscape surrounding abortion remains uncertain and subject to ongoing litigation.

 

Legislative Developments

The past year has seen abortion access curtailed across the nation. Since the overturning of Roe, 24 states have enacted full bans or significant restrictions on abortion access, and active litigation in many states continues to cause confusion for providers and patients. Today, 25 million women of childbearing age now live in states with bans or restrictions on abortion.

State-level regulations on abortion and reproductive healthcare do not stop with bans and restrictions. A handful of states are regulating services connected to reproductive rights as well: Texas has recently introduced bills which would ban credit card companies from processing abortion-related transactions and would require internet service providers to ban access to websites that provide abortion information or facilitate access to abortion.

There are ongoing counter efforts to codify access to abortion at the national level, and state initiatives to pass legal protections, however, abortion-related cases continue to be disputed at the federal level. In April, the US Supreme Court blocked a proposed restriction on the drug, Mifepristone (part of the two-drug regimen for medication abortion); nonetheless, this case continues to unfold. And in May, a bill known as the “My Body, My Data Act of 2023,” was introduced to the Senate. If passed, it would protect sensitive sexual and reproductive health data by establishing data minimization requirements and enshrining individuals’ right to access and delete their sensitive health data.

 

User Data and Abortion

Amid the regulatory turmoil, a variety of questions have arisen about the role of data—and the companies collecting data—in both amplifying and addressing risks.

The past year has posed unsettling questions about how data collected by companies may be used to infer rightsholders’ abortion and reproductive statuses and what happens when law enforcement agencies demand that this data is shared with them.

Early cases caught the public’s attention, including one example involving a Nebraskan woman who was arrested for helping her daughter access an abortion after Meta was legally required to hand over her Facebook Messenger communications to law enforcement. Since then, there has been growing concern about the types of data that can be used to incriminate abortion seekers and providers such as payment data, location data, and menstrual app data.

For example, Google has pledged that it will not store location history for visits to abortion centers; however, some believe that the company has struggled to fully implement this pledge in its entirety, claiming some inconsistency with sensitive location history data. The company is currently involved in a class action lawsuit for tracking data from healthcare providers’ websites, including Planned Parenthood.

However, it is not just large technology companies that face these risks — companies in ad-tech, financial services, retail, and consumer healthcare do too. Companies like fertility-tracking app, Flo Health, and analytics company, Kochava, have faced penalties from the Federal Trade Commission for selling sensitive reproductive health data and location data from reproductive healthcare clinics respectively.

One year after the overturning of Roe, one thing remains the same: the evolving nature of the political environment and state legislation creates a challenging environment for companies to navigate abortion and reproductive rights related issues responsibly; with real consequences for rightsholders seeking timely access to reproductive care.

BSR makes the following recommendations for companies collecting data (including, but not limited to technology companies) to safeguard the rights and privacy of abortion seekers and providers:

 

Recommendations

  1. Undertake human rights due diligence to identify risks to sexual and reproductive health that may be associated with the development or use of new or existing platforms, devices, products / product features. As part of their due diligence, companies should also consider state restrictions on reproductive rights or bans on abortion when deciding on the location of offices, data centers, or other assets that might give a state jurisdiction over the user data that the company holds.
  2. Apply best practice privacy principles, such as data minimization, purpose limitations, purpose-based data retention, and user transparency and control.
  3. Provide users with transparency about data practices, particularly for data pertaining to reproductive health. Increase the level of transparency users have on the types of data collected, how it is stored, how long it is stored, and with whom it is shared.
  4. Embed guidance and support on privacy into the product or platform to protect users seeking sexual and reproductive healthcare services. This may take the form of click through prompts about password security, how to set up multi-factor authentication, or ways to protect privacy when users search for information pertaining to sexual and reproductive healthcare services.
  5. Deploy end-to-end encryption on private messaging services.
  6. Set default privacy settings to the highest level of privacy protection. Privacy protections should be based on an opt-out model, not an opt-in model.
  7. Continue investing in efforts to ensure that policy commitments (e.g., “sensitive area” location data collection) are effectively implemented in practice.
  8. Apply human rights principles (such as the Global Network Initiative Principles and Implementation Guidelines) when responding to government or law enforcement demands for user data.
  9. Notify users when a government or law enforcement demand has been made for their data, when legally able to do so.
  10. Support legislation intended to protect the right to abortion and the privacy of abortion-related data, including federal level privacy protections.

For further information, including how BSR can support you with conducting human rights due diligence related to privacy and data risks and reproductive services, please contact the team.

Let’s talk about how BSR can help you to transform your business and achieve your sustainability goals.

Contact Us