How the Dobbs abortion ruling reshaped America’s privacy debate, from health to politics and law
The Supreme Court’s verdict put the spotlight on the country’s patchy privacy protections.
Like an earthquake’s aftershocks, jolts to privacy rights have rumbled across the legal landscape following the Supreme Court’s decision in Dobbs v. Jackson Women’s Health Organization, the June ruling that ended the national right to abortion.
Since June, a dozen states have enacted new abortion restrictions — and some of them are testing how far police and prosecutors can go in accessing private information, including digital data.
In Nebraska, prosecutors are pursuing criminal charges against a mother and daughter based on their Facebook messages about abortion pills. University of Idaho officials say that a state law that bars students and staff from “advertising or promoting” abortion or birth control is vague, including what it might mean for the use of school networks for social media posts and private communication.
The emerging debate over abortion and digital privacy is complicated by a larger, unsettled privacy debate in the United States. Amid a rapidly changing digital landscape, privacy advocates have called on Congress for years to set a floor for privacy rights, but there’s been no meaningful action out of Washington. States have stepped in with their own laws, creating a mishmash of protections depending on where a person lives. Very few states have a comprehensive framework.
Legal experts say that Dobbs has created a greater sense of urgency around the privacy debate — awakening many Americans to the state of privacy laws.
“This is a common refrain, this idea of, ‘I don’t care because I have nothing to hide,’ and what I think Dobbs has revealed for us is that you have nothing to hide until you do,” said Leah Fowler, a research assistant professor at the University of Houston Law Center.
Congress has long kicked the can down the road on meaningful privacy legislation. States have enacted their own policies, but major gaps remain for several categories of private data. The fallout from the Dobbs verdict — which has sparked intense debates not just about abortion rights but about the security of Americans’ most sensitive data — shows signs of re-energizing the push for privacy protections in the United States.
The Dobbs decision is about privacy
Dobbs’ biggest impact in a legal sense is around the right to privacy, which is not codified in the Constitution but has been established by a series of court cases over time. Roe v. Wade, the now-overturned 1973 Supreme Court ruling establishing a national right to abortion, has been among the most significant.
Roe was predicated in large part on the notion that the 14th Amendment contains an implicit right to privacy that protects a woman’s decision about whether to terminate a pregnancy and protects against state interference in a person’s private decisions more generally.
But that changed with Dobbs. The Supreme Court’s new 6-3 conservative majority ruled that this implicit right does not extend to abortion, saying its “inescapable conclusion is that a right to abortion is not deeply rooted in the Nation’s history and traditions.”
The decision sharply departed from decades of rulings that insulated American private lives from government intrusion. The strongest legal precedent is the 1965 case Griswold v. Connecticut, which forbade states from banning contraceptives. Along with allowing abortion in Roe, this principle undergirded the right to interracial marriage and same-sex relationships and marriage in court decisions.
“When we are talking about this kind of privacy, we are talking about the right to make intimate personal decisions about one’s life, marriage, contraception and things like that,” said Sonia Suter, founding director of the Health Law Initiative at George Washington University. “There’s certainly lots to worry about with other rights backed by substantive due process.”
The 6-3 majority decision in Dobbs essentially argued that abortion lacked due process protection since it wasn’t mentioned in the Constitution and was outlawed in many states at the time that Roe made it legal nationwide. While the same could be argued about same-sex marriage, contraception and other due process rights when they were recognized, the majority argued that abortion is fundamentally different because it ends a potential life.
However, both the dissenting opinion in the case and a concurrence written by Justice Clarence Thomas dismissed this caveat. The basic problem, said Suter, is that the court’s special case exception for abortion is tacked on to the end of the majority’s argument, added after its historical test had already undermined due process. Nothing would stop a future court from conjuring up another special-case exception for whatever right it decides no longer exists for historical reasons.
“If you think a little bit about it, who had rights when the 14th Amendment was ratified?” said Greer Donley of the University of Pittsburgh Law School. (The amendment was ratified in 1868.) “It’s certainly not women, people of color, LGBT folks.”
“So, the second that you realize the test the court is using is historical, and consider how that test would be applied for considering, for instance, the right to contraception or the right to gay marriage, you start to get pretty nervous about how those cases would come out,” she added.
Digital privacy is privacy
In July, the Biden administration released an executive order aimed at protecting access to abortion and treatment for pregnancy complications, as well as insulating medical records from legal investigations. The Federal Trade Commission followed the order a month later by starting to make federal privacy rules for consumer data, citing a need to protect people’s right to seek healthcare information.
“The Dobbs decision opened up a lot of people’s eyes who never had to worry about surveillance or their privacy rights being infringed upon before,” said Sara Geoghegan of the Electronic Privacy Information Center, citing concerns about abortion-banning states looking for people seeking abortions based on their travel data. “Digital privacy is privacy.”
On one side, there is concern about people’s digital records, their instant messages, location data, search history and the myriad app data ending up packaged and sold to law enforcement by data brokers, or subpoenaed. Privacy agreements with apps and HIPAA medical privacy rules are no protection against subpoenas. On the business side, those data brokers sell every bit of personal information they can find to anyone willing to pay for it.
The FTC’s rule-making process averages five years, however. In the meantime, the U.S. has no strong nationwide privacy law like the European Union’s General Data Protection Regulation, leaving people with few real privacy protections and dependent on online guides to protect their data themselves.
“No individual person should have to make a trade-off between useful tools on their phone or their internet use and worry about surveillance. And an individual should not be responsible for protecting themselves from corporate or governmental surveillance,” said Geoghegan. “Unfortunately, this is the reality of our post-Roe legal landscape.”
States take the lead
In the absence of federal action on data privacy, states have begun to weigh in with their own laws.
California passed the strongest privacy law in the United States in 2018; its California Consumer Privacy Act gives consumers more control over the data companies gather about them. A handful of other states, including Virginia, Colorado and Utah, have passed their own, weaker, privacy statutes in recent years. Legislatures in at least four states — Michigan, New Jersey, Ohio and Pennsylvania — are debating consumer privacy bills.
The issue cuts across parties. Polls show strong bipartisan support for privacy legislation. “So far, I have not seen, at least in my experience, I’ve not seen Republicans backing away from the issue of privacy,” said Justin Brookman, director of technology policy for Consumer Reports.
But that hasn’t translated into success at the federal level. And while Democrats have incorporated criticisms of the Dobbs decision into their midterm messaging platforms, privacy has largely been absent on the campaign trail — for either party.
A bipartisan privacy bill, the American Data Privacy and Protection Act (ADPPA), passed out of a House committee in June by a 53-2 vote — progressing further than any privacy legislation in recent memory. It would govern how companies handle personally identifiable information and other areas of data collection.
But the bill has raised objections from House Speaker Nancy Pelosi (D-Calif.), who is unhappy that it would preempt state privacy laws like California’s. And it is not clear how it would fare in the Senate.
“I think there’s broad agreement that we won’t see action there before the midterms, but our understanding is that bipartisan talks are still going strong in terms of the ADPPA and that there’s even an interest in picking it back up after the midterms,” said Caitlin Fennessy, vice president and chief knowledge officer at the International Association of Privacy Professionals.
But that could depend in part on the outcome of the midterms, which often determines the agenda for any lame-duck session. “Those who watch the Hill closely recognize that December is not historically when we see significant legislative action, particularly in a lame duck,” Fennessy said.
Brookman agreed. “I think ADPPA probably still has a chance, but it’s definitely a long shot,” he said. “It was a long shot from the beginning. Congress has failed to pass privacy legislation for the past 20 to 30 years.”
New scrutiny for apps and data brokers
Concerns about digital tracking in the wake of the Dobbs decision have increased scrutiny of tech companies’ practices. For some, like Apple, privacy has long been a marketing point. Others have changed their practices in the wake of the Supreme Court decision with the goal of reassuring their users.
In early July, for example, Google responded to concerns about the privacy of location data by announcing it would delete location data when people visit abortion clinics. But Google does not automatically delete data on web searches about abortion, although users can opt to delete their search history.
And Meta has been harshly criticized by reproductive rights advocates for turning over private Facebook messages in the case of a mother and daughter in Nebraska facing criminal charges related to the daughter’s abortion.
Miriam H. Wugmeister, a partner and co-chair of Morrison and Foerster’s Global Privacy and Data Security Group, said that there is incredible pressure on companies post-Dobbs.
“There are companies that are doing things and thinking about this internally but are being very careful about how much they talk about it externally,” said Wugmeister.
In the meantime, several state privacy laws will be coming into effect in 2023, further altering the legal landscape for businesses. Take Fitbit, which sells wearable fitness trackers. The company says its data collection practices comply with HIPAA. But next year, it will also have to ensure its wearables comply with state laws that may limit what data the company can collect or share, said Amy Olivero, Westin research fellow at IAPP.
State and federal regulators have begun to take action against companies who violate existing privacy statutes. The beauty chain Sephora recently agreed to pay $1.2 million to settle alleged violations of California’s data privacy law. And the Federal Trade Commission filed suit in August against the data broker Kochava for selling location data that could reveal a person’s visits to sensitive locations, including reproductive health clinics or places of worship.
These are early signals to businesses that regulators are more closely examining their consumer privacy practices, Olivero said.
But so far that has not fundamentally changed business models around things like data brokers and advertising. “I will say overall, it seems [business changes post-Dobbs have] been fairly flimsy,” said Brookman. “We haven’t seen dramatic changes to the tracking ad-tech and location-tracking ecosystem.”
Meanwhile, firms that are offering abortion assistance to employees also face a tricky legal landscape.
The law firm Sidley Austin, which is based in Chicago and has an office in Austin, announced it would pay for employees in Texas and other states with abortion restrictions to travel for abortion care. A group of Texas lawmakers, including a lawyer at a rival firm, sent Sidley Austin a letter informing it that they believed the firm was “complicit in illegal abortions” and “the state of Texas will ensure that you and colleagues are held accountable for every abortion that you illegally assisted.”
That is a significant threat in Texas, where a law bans abortion after six weeks of pregnancy and allows private individuals to take civil action against anyone who assists a person in obtaining an abortion after that point — with penalties of at least $10,000.
To minimize such risks, Wugmeister said, companies should minimize data collection. For a company offering employees abortion assistance, this might involve referring to such aid in paperwork as a generic “out of plan benefit” as opposed to “obtained travel services for an abortion.”
“The whole concept of data minimization, you find that in almost every privacy law in the world, so from a data security perspective, we tell people all the time, you get rid of what you don’t need, the less you have, the easier it is to protect,” said Wugmeister.
The limits of HIPAA
The Dobbs ruling inadvertently highlighted how much technology has changed healthcare in the 50 years Roe v. Wade was the law of the land.
Once, handwritten notes from a doctor were often the only record of a person’s abortion. Now, the process of seeking and obtaining the procedure leaves a long digital trail — search histories, fertility tracking apps, text messages, location data and electronic health records — that can potentially be mined by law enforcement.
That is already happening, as illustrated by the case of the mother and daughter in Nebraska whose Facebook messages were obtained by law enforcement.
“Roe was doing a lot of work to prevent states from getting too aggressive about prosecuting either providers of abortion services or people seeking abortion care,” said Carmel Shachar, executive director of the Petrie-Flom Center for Health Law Policy, Biotechnology and Bioethics at Harvard Law School. “Dobbs took away those protections for both groups, and lack of data privacy opens them up to criminal prosecution and civil liability.”
The magnitude of the change shocked many people in the weeks after a draft version of the Dobbs verdict leaked in May, as concerns mounted about the vulnerability created by use of everyday technology like cellphones and social media.
People often view the Health Insurance Portability and Accountability Act, or HIPAA, as a privacy shield around medical information, Shachar said. But it is a narrow law with lots of exceptions.
“HIPAA is the way we protect data in your medical record that is compiled by traditional healthcare providers,” Shachar said, including clinicians, hospitals and entities that facilitate insurance coverage. That information, which might include individually identifiable diagnoses, procedures or prescription history, normally cannot be shared without the patient’s consent.
But that protection evaporates when law enforcement is looking for evidence of a crime, which now includes abortion in many states. If presented with a subpoena or warrant, healthcare providers are permitted, but not required, to share information that would otherwise be protected under HIPAA.
“This exception doesn’t require providers to be proactive,” Shachar said, meaning they could decline to share patient information, although this could open them up to subsequent legal action. The Department of Health and Human Services recently issued guidance clarifying the conditions under which providers are allowed to disclose information, but there’s still a lot of gray area.
Apps, search histories and more
That gray area includes the extensive health-related information available through data brokers who are not governed by HIPAA and can and do sell data to law enforcement.
Modern life generates enormous quantities of digital detritus — old text messages, location history, past purchases, data from wearable devices — that can be reconstructed by law enforcement to show someone sought abortion care.
“HIPAA doesn’t reach this whole other world of data that says a lot about your health, but isn’t found in a traditional medical record,” Shachar said.
Fertility apps that track menstrual cycles have received lots of attention in the wake of Dobbs, since they store data obviously relevant to reproduction. “These apps contain information about the dates of your periods,” which could be used to date when someone became pregnant, said Fowler of the University of Houston Law Center. “If someone were looking for evidence that an abortion was outside of the legal window, they could look at whether or not the last menstrual period was indicated in that range in that app.”
But privacy worries extend far beyond information stored in a single app.
“We live in a world where so much of our lives are connected digitally, we leave vast trails in our wake,” Fowler said. Changes in purchasing patterns might suggest a pregnancy, while Google searches for abortion clinics or how to obtain abortion pills might signal intent. Programs as seemingly innocuous as weather apps or games often track user location and could be used to show proximity to an abortion clinic, she said: “Even if any bit of that information doesn’t reveal anything specific, taken as a whole, it can reveal quite a bit.”
Data brokers can purchase these data from multiple sources, aggregate them and sell the bundled information to anyone willing to pay for it. “Data from people who are pregnant, or trying to be, are potentially 15 times more valuable [to advertisers],” Fowler said, and there are no privacy protections around these data in the face of a court order. An online privacy company, DeleteMe, reports that 80 data brokers might track a typical individual in a year. Some Democratic senators have introduced legislation to ban data brokers from selling health- and location-related data, though the industry remains resistant.
Before Dobbs, digital data was already, on rare occasions, being used to prosecute people in anti-abortion states. In 2017, prosecutors used phone internet search data about abortion pills to successfully argue that Latice Fisher, a Mississippi woman, had murdered her fetus. Post-Dobbs, abortion care advocates argue such tactics could become more widespread.
In the absence of broader policy changes, it falls on individuals to protect their privacy. But that’s a lot to ask of people in such a tech-dependent world, Fowler said. “If it really comes down to telling people that the only option that we have is to get off the grid, we have an enormous policy failure that we have to grapple with.”
Thanks to Lillian Barkley for copy editing this article.