The Role of Digital Privacy in Ensuring Access to Abortion and Reproductive Health Care in Post-Dobbs America

June 13, 2024 | Suzanne Bernstein, EPIC Law Fellow

The Supreme Court’s Dobbs decision overturning Roe v. Wade in 2022 unleashed a reproductive health crisis in the U.S. The country also faces a data privacy crisis. The two are intrinsically related, increasing the risks that people face to access reproductive health care.

We live so much of our lives online and on our phones, from social media to internet searches, fitness apps, and more. Without a federal comprehensive data privacy law, the apps and services we use daily can collect, analyze, and monetize each and every data point about us with little oversight. Some of that personal data is extremely sensitive, like a calendar appointment to seek abortion care or an internet search for information about abortion medication. And while other personal data may seem benign, like your t-shirt size or looking up the weather in your neighborhood, each data point is a small piece of an intricate puzzle detailing who we are and what we are doing. Online firms and data brokers track us across the internet, collecting and analyzing millions of data points to build detailed profiles for targeted advertising and other purposes. The impact of these commercial surveillance ecosystems can be especially acute for certain communities, like people seeking abortions or other reproductive health care.

Criminalization and stigmatization related to pregnancy outcomes and abortion is not a new concept. However, in the immediate wake of Dobbs, these efforts were turbocharged: trigger laws criminalizing abortion for the patient and/or the provider went into effect, and many states began to enact new laws or enforce existing criminal laws against people seeking abortion care or even experiencing a miscarriage. Some states enacted statutes that permit private parties to seek civil penalties against abortion providers and others who may help a person seek or obtain an abortion. On a national level, an anti-abortion group sued the Food and Drug Administration to severely restrict access to mifepristone, a commonly used medication to end a pregnancy. Unfortunately, our lack of digital privacy protections only intensifies these ongoing, dangerous efforts to criminalize and limit access to abortion and reproductive health care.

In the current digital age, law enforcement, prosecutors, and civil litigants have unprecedented access to incriminating information about pregnant people. Relevant data collection can come from search query histories, health and fitness apps, period tracking apps, and many other sources. Location information recorded by an app on a cellphone can be particularly incriminating, revealing that a person visited an abortion clinic or left a state to seek abortion care. Pregnancy status and health information can also be inferred from analyzing seemingly innocuous data points, like information from an online grocery order, or hovering a cursor longer than usual on a certain video.

Law enforcement can access this data in multiple ways. As people are constantly tracked online and seek information from search engines and social media, they develop a detailed digital footprint. Law enforcement can seek to obtain these records through normal legal processes like a subpoena or a warrant. There are some federal laws that restrict disclosure of certain types of information like health information in the Health Insurance Portability and Accountability Act (HIPAA), financial information in the Gramm-Leach-Bliley Act, and certain telecommunications information in the Stored Communications Act. However, these laws all have exceptions for law enforcement, leaving covered entities responsible for responding to criminal investigations, warrants, and sometimes civil subpoenas. Outside of legal processes, law enforcement can purchase data from data brokers on the largely unregulated open market. Data brokers can use machine learning tools to analyze large pools of data for inferences or correlations that reveal pregnancy status or abortion-related information. While data brokers may typically compile or sell this information for targeted advertising purposes, there is nothing stopping law enforcement, or private persons initiating civil lawsuits against abortion providers, from purchasing this information as well.

Digital privacy for pregnant people or anyone seeking reproductive health care has become extremely consequential. For providers and patients, the effects of criminalization are severe. In addition to actual imprisonment, there are social and financial consequences to having a criminal record or fines, and for providers, the potential revocation of their medical license. Because even the threat of these consequences is so serious, doctors cannot provide abortion care or treatment related to miscarriage in many states. As a result, pregnant people or people seeking reproductive health care suffer severely limited health care options.

There are important efforts on the federal and state levels and in the private sector to strengthen reproductive privacy. In April 2024, the Department of Health and Human Services published a final rule to modify disclosure standards in the HIPAA Privacy Rule. Among other provisions, the HIPAA Privacy Rule will now prohibit covered entities from using or disclosing Protected Health Information related to reproductive health care in scenarios where that information is sought to incriminate or impose liability on a person seeking or providing reproductive health care. Even though HIPAA’s scope is relatively narrow, this rulemaking is a critical step in stopping or slowing the data flow of reproductive health information from providers and other HIPAA-covered entities to external litigants or law enforcement that could end up incriminating or imposing liability on a provider, a pregnant person, or a person seeking reproductive health care.

Although Congress has yet to pass a comprehensive privacy law, over a dozen states have passed comprehensive privacy laws, and there is momentum for other states to enact similar laws. While these laws vary in many ways, basic state-level regulation of how companies manage data collection, retention, and sharing with third parties can be a boon to safeguard reproductive privacy. In addition to comprehensive state privacy bills, Washington state has enacted the landmark My Health My Data Act, which specifically governs health data privacy. This law also prohibits geofencing around any entity that provides health care services, like an abortion clinic or reproductive health care facility. Geofencing is the use of technology like Wi-Fi or cell tower data to create a boundary around a physical location or to locate a consumer within that boundary. This provision of the law could play an important role in limiting the collection and use of location data for criminalizing abortion care or other reproductive health care. Following Washington, Nevada also passed a health privacy law, illustrating the momentum to protect consumer health data, including reproductive information.

Americans are becoming increasingly aware of the consequences of having little or no protections for data privacy and reproductive rights. Without congressional action, consumer demand for tech companies to protect reproductive data continues to grow. As a result, Google promised in 2022 that it would delete location data records from users visiting medical facilities, including abortion clinics. It also announced in December 2023 that it would only save location history on the users’ devices, limiting potential law enforcement access to location data. While the announcements for these policy changes sound promising, Google has yet to completely implement either change, illustrating why self-regulation is generally unreliable in this sector. In January 2024, the Electronic Privacy Information Center filed a complaint along with Accountable Tech asking the Federal Trade Commission (FTC) to investigate Google’s harmful location data retention practices and alleged that these practices violated Section 5 of the FTC Act because despite its public promises to the contrary, Google continued to collect and retain sensitive location data revealing whether a user visited a medical facility. If Google sees these policy changes through, it could go a long way to protect reproductive privacy and limit the location information accessible to law enforcement for investigatory purposes.

Digital privacy is a necessary element to ensure reproductive choice and freedom. The threat of criminalization for seeking or obtaining reproductive health care is harrowing. What’s more, the same tracking and data collection that fuels the harmful commercial surveillance and targeted advertising ecosystem can be accessed and used by law enforcement for investigations. Our grim–and avoidable–reality is that an online search for “abortion pills,” or “miscarriage care,” or the location data generated on a cell phone reflecting a visit to the pharmacy or abortion clinic can leave a trail for law enforcement. To protect reproductive health care, privacy, and freedom, it is critical for any regulatory or legislative body to also consider strong data privacy protections.

*This article was originally published in the American Bar Association Human Rights Magazine, Volume 49, Issue 4, titled “Technology and the Law.”

Support Our Work

EPIC's work is funded by the support of individuals like you, who allow us to continue to protect privacy, open government, and democratic values in the information age.