Impact on Data Privacy
The Evolution of Privacy Rights in a Post-Dobbs World
As privacy rights with respect to reproductive health remain subject to challenge, digital platforms maintaining personal information that relates to reproductive health, pregnancy, or obtaining abortion care have been forced to address new compliance, enforcement, and operational challenges following the U.S. Supreme Court’s ruling in Dobbs v. Jackson Women's Health Organization. For example, companies maintaining any personal information that could be used as proof of termination of a pregnancy face the possibility of being compelled by a subpoena or court order to disclose such information to law enforcement agencies seeking to enforce restrictive abortion laws.
“Significant quantities of personal information increasingly reside in digital technologies provided by companies to support individual consumers’ health and wellness.”
Assess and Examine
As a result of the Dobbs decision, several states have enacted restrictive anti-abortion laws that potentially implicate a wide variety of companies that maintain customer data that may, by itself or combined with additional data, be used to criminally prosecute women and their doctors for alleged violations of these laws.
Any organization offering or using a digital platform powered by consumer data (e.g., significant quantities of personal information that could relate to reproductive health) should evaluate what data it collects, stores, and uses; how this data is disclosed pursuant to law enforcement requests (e.g., subpoenas or warrants); whether its privacy policies accurately notify individuals of such uses and disclosures; and how to respond to customer inquiries and concerns that the data is subject to this new risk of disclosure.
Evaluate State and Federal Privacy Laws
Laws governing consumer privacy are rapidly evolving at the state and federal levels. Organizations dealing with identifiable health information are often regulated by the Health Insurance Portability and Accountability Act (HIPAA) and Section 5 of the Federal Trade Commission Act on the federal level, as well as a wide array of state privacy laws. The Dobbs decision impacts the privacy of protected health information under HIPAA and many other types of data that may relate to abortion care, whether health-related or not. In an attempt to further protect sensitive information related to reproductive health care, the Department of Health and Human Services, Office for Civil Rights, has proposed the HIPAA Privacy Rule To Support Reproductive Health Care Privacy. The Dobbs decision also affects a wide range of companies that may have data relevant to law enforcement efforts under state abortion laws. It is likely that companies maintaining non-health-related data may be impacted if such data can be combined with other data to support the prosecution of restrictive abortion laws.
Companies handling such sensitive data ought to evaluate the data they collect, whether and to what extent that data is necessary to their business, and what options exist for safeguarding the collection, processing, and maintenance of such data.
Notably, some states are increasing privacy protections in response to the Dobbs decision. Thus, companies should also factor in these various state privacy laws to understand the compliance obligations related to the protection of such data, especially since stricter state privacy laws would take precedence over HIPAA.
“Although state laws may allow for law enforcement to seek data to support enforcement of anti-abortion laws, certain states are increasing privacy protections in the post-Dobbs world.”
Review Compliance Standards
Organizations should do the following:
- Consider the type and amount of data that is collected, used, and maintained, and limit it to the very minimum amount necessary to achieve the business purpose for which it is collected.
- Consider additional measures that you can take to manage personal information collection, maintenance, and use to avoid or minimize liability and involvement in civil and criminal matters.
- Review the content of your website terms and conditions and privacy policies in light of any changes in data collection and management. This may include developing consumer-facing materials explaining applicable protections for reproductive health data.
- Consider ways to afford consumers added privacy protections and security safeguards with respect to what data is collected and maintained in a digital platform.
- Evaluate internal policies and procedures with respect to when and how to respond to law enforcement requests for personal information maintained by the company.
- Ensure that you are strictly following your data retention and destruction policies for all data which you collect, use, and maintain.
- Consider whether to engage legislators in passing state data protection laws to help shape the legislation governing the types of data that will be protected and/or the purpose for the use of that data.
The team at Epstein Becker Green is well suited to assist your organization in addressing these matters to enable you to build and maintain trust in the market while helping to ensure compliance and managing risk.