The US Supreme Court’s voiding of Roe v. Wade has sparked alarm about the potential use of sensitive data in states where abortion is illegal to investigate whether someone has had the procedure.
Five states—California, Virginia, Colorado, Utah and Connecticut—have enacted comprehensive consumer data privacy laws in recent years, as part of a growing trend of state action in the absence of a sweeping federal law. Certain provisions in those laws, and similar ones that other states may enact in the future, are likely to come into play.
California’s law is the only statute currently active. The others will become effective in the next few years.
1. What abortion access data is covered?
The state privacy laws have different definitions of personal information that must be protected, but generally pertain to data that is linked to or reasonably associated with an individual. That may include identifiers such as genetic data, financial transaction information, race, religious beliefs, and sexual orientation.
Geolocation data—which could reveal a person’s use of reproductive health services—in most cases falls under that definition of personal information.
If a customer opts out of the sale of their personal information, and a company nevertheless sells it, that would violate the state privacy laws.
Remedies for state privacy law violations would be limited, as the measures generally don’t allow consumers to bring their own lawsuits (except in California, which has a limited private right of action for certain data breaches). State attorneys general may inititate enforcement actions and penalize companies that violate the law.
2. Are there any exemptions?
Yes. Data governed by the Health Insurance Portability and Accountability Act of 1996 is exempted. That includes medical records and health plan numbers.
The laws also don’t apply to HIPAA-governed entities and business associates in a majority of the states—California, Virginia, Utah, and Connecticut. That means data handled by HIPAA-governed health clinics and many of the businesses that work with them would be out of scope of the consumer privacy laws.
In Colorado, information and documents created by a covered entity for purposes of complying with HIPAA are exempt, as is protected health information.
The laws also contain carve-outs for data governed by the Gramm–Leach–Bliley Act, which regulates banks and other financial institutions. In all of the states except California, the laws have a wider exemption that includes GLBA-governed entities.
3. How is law enforcement access governed?
All five of the state privacy laws include language specifying that their provisions shouldn’t interfere with a company’s ability to comply with federal, state, or local laws, rules, or regulations.
California’s privacy law, for example, says that it shouldn’t restrict a business’ ability to “cooperate with law enforcement agencies concerning conduct or activity that the business, service provider, or third party reasonably and in good faith believes may violate federal, state, or local law.”
4. What’s next?
Tech giants have been tight-lipped about what they would do with regard to law enforcement data requests connected to abortion.
The California Privacy Protection Agency, tasked with promulgating regulations under the state’s landmark privacy law, could address abortion data in future rulemaking packages. Colorado’s attorney general is also planning to engage in rulemaking, which may address the topic.
Most state legislative sessions have ended for 2022, but state lawmakers may weigh measures in future sessions that would address protections—or carveouts—for health information and other data related to abortion access.
To Learn More:
—From Bloomberg Law:
Post-Roe Health Privacy Guidelines Detailed by Biden HHS
Health Apps Must Shield Reproductive Data, California AG Urges
Fertility Apps Bound by Weak Disclosure Rules in Post-Roe World
Abortion Patients Have a Limited Privacy Shield: HIPAA Explained
—From Bloomberg News:
Tech Firms Brace for Legal Mess of Abortion Data Subpoenas
Google to Delete User Data on Trips to Abortion Clinics (1)
Biden Seeks to Boost Abortion Patient Privacy After Roe Tossed
Anti-Abortion Firms Lure Pregnant Teens Online, Save Their Data
Washington to Block Anti-Abortion States From Accessing ID Data
To contact the reporter on this story:
To contact the editors responsible for this story:
To read more articles log in.
Learn more about a Bloomberg Law subscription.