The Roe reversal showed the need for data privacy laws. Will that be enough to get them?
Rep. Sara Jacobs (D-CA) uses a period-tracking app. So do many of her friends and constituents, who messaged her about those apps after the Supreme Court’s decision to overturn Roe v. Wade leaked. Major privacy concerns with period tracking apps emerged earlier this year, as the possibility that abortion could become illegal in certain parts of the country loomed. That’s when Jacobs realized many people didn’t know what they were supposed to do to keep their online data private.
“I realized each individual person shouldn’t have to figure this out on their own,” Jacobs told Recode. “It’s our job as a government to protect this very sensitive and personal data.”
In response, she introduced the My Body, My Data Act in June. The bill requires that reproductive and sexual health data collection be minimized, that users are able to access and delete the data about them that has been collected, and that consumers have the right to sue companies they believe have violated those rules and their privacy. Period apps would be covered by the law, but so would a lot of other things — which is good, because the health privacy problem extends well beyond period apps.
“It becomes really scary to think about all of the ways this data can be used and the fact that we have no protections against it right now,” Jacobs said.
Her bill is just one example of how the reversal of Roe and subsequent criminalization of abortion in several states may have put the biggest spotlight on online privacy since Facebook’s Cambridge Analytica scandal. It’s been less than a month since the Supreme Court’s decision came down, but the other two branches of government have already taken action. Congress is investigating apps and data brokers whose information could be used against abortion seekers and providers, and a federal consumer privacy bill that has been years in the works is making unprecedented progress in Congress. Meanwhile, President Biden addressed digital privacy in an executive order aimed at protecting reproductive health care. And some states, which have led the way on consumer privacy laws, are considering new or stronger privacy laws.
“I do think it is kind of a turning point,” Caitlin Seeley George, campaigns and managing director of digital advocacy group Fight for the Future, said. “Congress should see this as an opportunity where they have public attention, they have a directive from the executive, they should absolutely be doing all they can on this issue.”
Some lawmakers, like Jacobs, weren’t previously known as data privacy advocates. Others who have been beating the privacy drum for years see the Roe reversal as a way to make the public more aware of the problem and supportive of laws that could solve it.
“I’ve had a huge response from Oregonians and allies here in Congress since the draft opinion was first released,” said Sen. Ron Wyden (D-OR), a longtime privacy hawk who, with Sen. Mazie Hirono (D-HI), sponsored a Senate version of Jacobs’s bill. “The movement to secure personal information against political prosecutions will only grow as the fallout from Republicans’ crusade against women becomes clear.”
Joining Jacobs’s bill in the post-Roe digital privacy fight is the Health and Location Data Protection Act, which would ban data brokers from selling or sharing health data and location data. And House Speaker Nancy Pelosi said in a recent letter that House Democrats were considering legislation that protects data stored in reproductive health apps.
Alongside the president’s executive order, the Biden administration has made digital privacy part of its post-Roe reproductive health agenda. The Department of Health and Human Services issued new guidance that included best practices for finding and using private and secure online services. And the Federal Trade Commission issued a statement saying the agency will “will vigorously enforce the law if we uncover illegal conduct that exploits Americans’ location, health, or other sensitive data.” This week, the Federal Communications Commission also announced a probe into mobile carriers’ privacy practices and how they handle consumers’ location data (the agency did not say if this was a response to the decision).
And while Republicans aren’t likely to sign onto any privacy legislation introduced as a direct response to a Supreme Court decision their party supports, some of them do support another data privacy bill that was introduced last month: the American Data Privacy and Protection Act (ADPPA), a bipartisan, bicameral bill that just became the first consumer privacy bill to make it out of a full committee markup, and with a nearly unanimous vote. If nothing else, that’s an indication of just how difficult it has been to get anywhere on such laws, even after years of trying. It may also be an indication of how motivated some lawmakers are to pass a law this time around.
But some experts aren’t so sure that even this will be enough to put a federal consumer privacy law on the books. India McKinney, director of federal affairs at the Electronic Frontier Foundation, said online tracking and surveillance has been “so creepy and so weird for so long” that she’s not sure if the fallout from the Supreme Court’s Dobbs decision will be the thing that makes the dangers of having few privacy protections click for the American public.
“I suppose that if something good does come out of Dobbs, it would be that it leads to increased privacy awareness [or] legislation,” Jen King, privacy and data policy fellow at the Stanford University Institute for Human-Centered Artificial Intelligence, said. “That said, because Dobbs only directly implicates half of our population, I’m slightly skeptical that will be the end result.”
A bipartisan, bicameral federal privacy bill is making progress
Tech companies have been able to build entire business models and ecosystems around tracking people online and off. It’s not just Big Tech, either. There’s also a world of data brokers and app developers that, in the absence of federal privacy legislation, track us in ways many people don’t understand or expect. Those companies are facing new scrutiny as reports detail how marketplaces sell aggregated data about visits to abortion clinics or lists of devices that have period apps installed. Some companies have tried to smooth things over by changing certain data practices around sensitive information like reproductive health. But without an actual law, we’re left to rely on the same companies that built their businesses around tracking us to keep their promises to stop doing so.
“We can’t rely on the goodwill of Big Tech to protect sensitive information that may affect women’s access to abortion and reproductive health care services — or worse, lead to their prosecution,” said Sen. Elizabeth Warren (D-MA), who introduced the Health and Location Data Protection Act (of which Wyden is a cosponsor). “We need federal legislation with strong privacy guarantees, and my bill would do just that.”
But any federal privacy bill needs some Republican support to pass. ADPPA has that support and has been heralded by many as the best chance yet that Congress has to pass a privacy law. Both sides have made concessions on things that prevented them from putting out a bipartisan privacy bill before. Some privacy and consumer advocacy groups, like Consumer Reports and EPIC, are cautiously optimistic about the bill. ADPPA doesn’t explicitly address the Roe reversal, but many of its provisions would protect health privacy just the same.
“This is an area where Congress should be able to come together to get something done,” said Rep. Ro Khanna (D-CA), who wrote an Internet Bill of Rights in 2018. “I’m hopeful that renewed momentum on this issue will catalyze Congress to act.”
Rep. Suzan DelBene, a moderate Democrat from Washington state who has proposed several privacy bills over the years, said a national consumer privacy law would better serve the American public than legislation like Jacobs’s, which targets specific types of data.
“We should not be playing whack-a-mole with narrow privacy policies,” DelBene said. “We need a strong national foundational privacy standard so we are forward-looking and not just reactive.”
But ADPPA faces significant obstacles, even with the momentum the Roe reversal may have provided. Many California Democrats have said they won’t support a bill that weakens their state’s privacy law. Sen. Maria Cantwell (D-WA) currently opposes the bill, and as chair of the Senate Commerce Committee, her support is necessary for the bill to go anywhere. Sens. Wyden, Brian Schatz (D-HI), and Richard Blumenthal (D-CT) have also spoken out against the bill. A Senate aide close to the discussions who was not authorized to speak publicly told Recode there’s a chance that the Dobbs decision could make some lawmakers less willing to compromise on what they see as a weaker bill now that the need for a stronger one is more apparent than ever.
While most members of Congress avoided the subject, Rep. Anna Eshoo (D-CA) mentioned the Supreme Court decision during ADPPA’s markup, saying: “The legislation should take head-on the new world women are living in since June 24.” She added that the law should close a loophole that would allow law enforcement to access data to help prosecute people for getting abortions. Eshoo was one of just two members of Congress to vote against advancing ADPPA to a House floor vote. The other, Nanette Barragán, also represents California.
Time is also running out to pass ADPPA this session, and there’s no guarantee it will pass in the next one. If Republicans attain a majority in the Senate, it’s likely that Sen. Ted Cruz (R-TX) will be heading up the Commerce committee. His priorities might not be the same.
States may continue to take the lead on privacy
Some states have already done what the federal government hasn’t. Thanks to the Roe reversal, more might be on the way.
“The vast majority of privacy laws that have passed over the past 10-20 years come from the states,” Kade Crockford, director of the Technology for Liberty Program of the ACLU of Massachusetts, said. “I expect that that is going to continue to be the case in the short-term future.”
McKinney, of the Electronic Frontier Foundation, said Illinois’s Biometric Information Privacy Act, Vermont’s Data Broker Act, and California’s Consumer Privacy Act and Privacy Rights Act were examples of states that passed privacy laws in lieu of federal action. New York is also trying to ban controversial geofence and keyword search warrants, where law enforcement orders companies to turn over a list of devices that were in a certain area or a list of devices or accounts that searched for certain terms, respectively.
Rep. Jacobs says that, even after all the outcry over period apps and privacy issues, she has yet to delete hers. Why? Because, she says, she lives in a state that has a strong, comprehensive privacy law.
“I am very grateful to live in California,” Jacobs said.