How well does ADPPA protect against post-Roe threats?

Let's talk about the elephant in the room.

Last updated September 15.  See update log at the bottom.

As Danielle Keats Citron discusses in The End of Roe Means We Need a New Civil Right to Privacy, the Supreme Court’s recent decision allowing states to criminalize abortion highlights the stakes of online privacy.  In response, Rep. Sara Jacobs introduced the My Body My Data Act, which would provide strong protections to reproductive health care; and Senators Elizabeth Warren, Ron Wyden, Patty Murray, Sheldon Whitehouse, and Bernie Sanders introduced the Health and Location Data Privacy Act, which prohibits sale of health and location data.  The Fourth Amendment Is Not For Sale Act, which prohibits government agencies from buying data unless they have a warrant, would also help protect against post-Roe threats.

Still, those bills' prospects are unclear, and everybody agrees that comprehensive privacy legislation is a vital complement even if they pass.  So in July, the House Energy & Commerce committee advanced the American Data Privacy and Protection Act (ADPPA) 53-2 – the first time this century a consumer privacy bill has made it out of committee.

But how well does ADPPA actually respond to post-Roe threats?  There's been surprisingly little discussion of this – back in July I called it "the elephant in the room" – but even so there are several red flags.  For example:

  • Rep. Anna Eshoo has said ADPPA has a loophole that leaves pregnant people at risk of having their data shared with "sinister prosecutors" in states that have criminalized abortion.
  • Sen. Ron Wyden, who’s usually right about stuff like this, says the "de-identified" data loophole lets companies sell location data to the government about visits to reproductive health facilities.
  • And Kim Clark of Legal Voice says
“This bill, at least from the perspective of pregnant people, it really doesn’t do much.”

Let's look more closely at the elephant

So let’s look in more detail at five specific post-Roe threats and see how well ADPPA responds to them:

  • Does ADPPA prevent sinister prosecutors and law enforcement from buying location data and targeting people who visit reproductive health care centers?
  • When people travel out of state to get abortions, does ADPPA protect their data?
  • Does ADPPA allow pregnant people to force companies to delete data that might put them at risk?
  • Does ADPPA prevent anti-abortion “crisis pregnancy centers” from sharing data with vigilantes and law enforcement?
  • Will ADPPA hold “crisis pregnancy centers” who break the law and violate people’s privacy accountable?

If you want to follow along in the bill's text, the section numbers (§) refer to the July 19 ADPPA version as amended by the six amendments that passed. The redlined version from IAPP and Future of Privacy Forum, including all the amendments and highlighting changes from the subcommittee's version, is also very useful.

Thanks to Maya Morales of WA People's Privacy and all the other Washington privacy organizers who have helped with the analysis!

When people travel out of state to get abortions, does ADPPA protect their data?

Let's start with an easy one.  

No.

ADPPA doesn’t cover airlines or other transportation common carriers.  As travel-related human rights expert Ed Hasbrouck points out, “while the most common real-world attackers of travel reservations data have been stalkers and domestic abusers, this data could also be used to identify (even in advance) and track post-Roe interstate abortion travellers.”  

Hasbrouck's What's in a Passenger Name Record (PNR)? goes into detail about various information that's associated with reservations – including home address, phone number, who paid for the travel, who's traveling together, and timestamped IP address.  As Sabre and Travelport help the government spy on air travelers discusses,

Travelers’ data is routinely made available by Sabre and other CRS/GDS companies not only to US and other government agencies but publicly, without even passwords, through online check-in, PNR viewing, and remote stalking sites and apps such as Sabre’s VirtuallyThere.com.

And, ADPPA doesn’t cover employee data including benefits. So people whose employers pay for abortion-related travel are doubly at risk.

Does ADPPA prevent sinister prosecutors and law enforcement from using location data and targeting people who visit reproductive health care centers?

This is a lot more complicated but the answer is no for several reasons.  

ADPPA generally restricts selling sensitive data unless people give consent, and the definition of sensitive data (§2(28)) includes “precise location information.” But there are some important exceptions – one or more of which may be the “major loophole” that Rep. Eshoo was referring to.

To start with, ADPPA clearly wouldn't prevent situations like what happened this spring in Nebraska, where Facebook gave law enforcement private messages between a teen and her mom that were then used to prosecute both of them for an abortion.

Clauses like this also appear in many other privacy bills that were written before the Roe decision, and unlike the other potential issues discussed above, at least there's some legal process here.  Still, when you think about how they'll be applied in states that criminalize abortion, it's clear that this creates a major risk to pregnant people.

I haven't yet seen any analyses of whether ADPPA would potentially create new obligations on companies when subpoenas and warrants are served out of state. Today, companies can ignore these requests unless there's a state law requiring them to respond.*

Location data from surveillance cameras and license plate readers gets lower protection

The definition of precise location information (§2(24)) excludes “information identifiable or derived solely from the visual content of a legally obtained image, including the location of the device that captured such image.”

Californians for Consumer Privacy suggests that this excludes location information from surveillance cameras.  It also appears to exclude information from Automated License Plate Readers (ALPRs).

If so, that's very bad.  The Danger of License Plate Readers in Post-Roe America goes into more detail about how this puts pregnant people at risk.

“De-identified” data is exempt

“De-identified” data isn’t covered by the ADPPA, so it can be bought and sold freely – by sinister prosecutors and everybody else.   Supposedly, it’s impossible to connect “de-identified” data to individual people.

But as the Center for Democracy and Technology (CDT) says in Following the Overturning of Roe v Wade, Action is Needed to Protect Health Data, “such data is easy to re-identify, with one study showing that one needs only up to four location points to identify the person.”  Indeed, in 2021, “de-identified” data was used to out a gay priest; and in How the U.S. Military Buys Location Data from Ordinary Apps, for example, Joseph Cox quotes an engineer at a data broker that sells products using de-identified data as saying "we could absolutely deanonymize a person."  And as HIPAA and the Leak of “Deidentified” EHR Data in the New England Medical Journal reports, this has long been a problem for electronic health records as well.

Alan Butler of EPIC Privacy has suggested that ADPPA’s definition of “de-identified” data is narrow enough that the exemption doesn’t cause risks.  In June, Sen. Wyden disagreed.

[T]his loophole could allow data brokers to sell location data to the government about visits to reproductive health facilities, for example, or other private information that is trivially easy to connect to individuals,

The bill’s definition of “de-identified” data has changed twice since then,** and the last quote I saw from Sen. Wyden’s office was that they were looking at the latest version.  So it’ll be interesting to hear their opinions.

Does ADPPA allow pregnant people to force companies to delete data that might put them at risk?

ADPPA, like most modern privacy laws, gives people the right to request to see what data companies are storing about them (often called "access") – and request that it be deleted (§203).  However, there are some important exceptions:

  • Companies and non-profits holding the data must ignore requests they “reasonably believe” are being made to support criminal activity (§203(e)(1)(E)).  In states that criminalize abortion, does this mean that requests to delete pregnancy-related data can’t be honored?
  • Companies may ignore requests that interfere with "investigations, or reasonable efforts to guard against, detect, prevent, or investigate ... unlawful activity" (§203(e)(3)(A)(vii)).  In states that criminalize abortion, does this mean that “crisis pregnancy centers” or menstrual apps can decline requests to delete pregnancy-related data?
  • When government contractors collect, process, or transfer data on behalf of government agencies, ADPPA doesn’t require either the contractors or government agencies to offer access or deletion rights.***
  • ADPPA's access and deletion rights are limited to the last 24 months of data, and don't apply if data has been temporarily moved to archival storage (§203(a)(1)(A)). Californians for Consumer Privacy contrasts these sections with CPRA's stronger protections.

It’s also worth mentioning that the latest version of ADPPA makes it extremely challenging for people to find out what companies their data has been shared with. The company that originally collected the data is supposed to relay requests on to whoever they’ve transferred it to, but suppose you want to double-check this?  Easier said than done!

  • Privacy policies only need to include the categories of third parties and service providers (§202(b)(4)), not the names of specific companies.
  • Previously, the data returned from an access request had the names of third parties; now, it also only has to include categories of third parties, although it does have to provide “an option for consumers to obtain the names of any such third party.” (§203(1)(B)).
  • Companies with less than $41,000,000 in revenue have up to 90 days to respond to an access request, with an automatic 45-day exception (§203(c)), so it’s going to take a loooong time to figure out all the people who have your data; then they’ve got a similar amount of time to respond to your request about what data they have.

By the way, companies also get up to 90 days, with an automatic 45-day exception, to respond to deletion requests.  So even in the best case where they decide to honor them, it’s gonna take a while.

But wait, there's more.  ADPPA limits people to two free access and deletion requests a year, after which companies can charge people a "reasonable fee" to exercise their rights.  As ACLU of Washington says in their Data Privacy Guiding Principles:

Pay-for-privacy provisions worsen the digital divide, which is also a privacy divide and raise racial equity issues. Strong regulations ensure that privacy rights are available to all and not just to those who can afford to pay to keep our privacy.

Does ADPPA allow anti-abortion “crisis pregnancy centers” to share data with vigilantes?

Pregnancy centers, many of which are affiliated with national anti-abortion advocacy groups, including Care Net and Heartbeat International, collect personal data from the millions of women they interact with every year in person, by telephone, and through online chats. This data includes sexual and reproductive histories, test results, ultrasound photos, and information shared during consultations, parenting classes, or counseling sessions, which some pregnancy centers require before they provide aid, like diapers. Because most centers are not licensed medical clinics and offer services for free, privacy lawyers tell TIME that they are not legally bound by federal health data privacy laws.

Anti-Abortion Centers’ Databases Could Be Weaponized Post-Roe, Abigail Abrams and Vera Bergengruen, Time

Today, “crisis pregnancy centers” use the data they collect to target ads and boost their search results.  And it works, too: a recent report by Davey Alba and Jack Ketchum on Bloomberg notes that when people type the words “abortion clinic” into the Google Maps search bar in states like South Carolina or Idaho, “five or more of the top 10 results were for CPCs, not abortion clinics.”  When pregnant people contact the “crisis pregnancy center”, they provide a lot more information over the phone, which then gets used to try to talk them out of getting an abortion.

Of course a lot of pregnant people see through “crisis pregnancy centers’” manipulation, and wind up seeking abortions elsewhere.  In states where abortion is criminalized, this means that the “crisis pregnancy centers” have a lot of data that they can potentially weaponize and/or monetize – sharing it with vigilantes and bounty hunters doing “civil enforcement” of laws like Texas’, or even selling it.

ADPPA has strong protections for “sensitive data”, including health and reproductive data, so it seems like it should prohibit this.  However, there’s a potential loophole that seems like it could be exploited by “crisis pregnancy centers” and anybody else who believes that abortion is murder.  An exception to the duty of loyalty (§102(3)(C)) allows businesses or non-profits to transfer (share or sell) an individual’s sensitive data to third parties without consent if

the transfer is necessary to prevent an individual from imminent injury where the covered entity believes in good faith that the individual is at risk of death, or serious physical injury, or serious health risk

“Crisis pregnancy centers” could certainly claim a good faith belief that fetuses are at risk of death, and in states that have criminalized abortion they’ve got the law on their side as well.  Is it “imminent”?  Maybe the Fifth Circuit judges who routinely uphold anti-abortion laws would decide that it isn’t, and maybe the Supreme Court would agree.  But I’d certainly expect “crisis pregnancy centers” to argue that it is, and share the data until they’re told not to.

Will ADPPA hold “crisis pregnancy centers” who break the law and violate people’s privacy accountable?

Suppose that “crisis pregnancy centers” (or anybody else) decide to ignore what ADPPA says and do whatever the heck they want with pregnant people’s data even if it breaks the law.  Does ADPPA have enough teeth to hold them accountable?

At first, it seems like the answer is yes.  ADPPA has a “three-tier” enforcement structure: the FTC, state Attorneys General and privacy authorities, and individuals all have some enforcement powers.  

But when you look at it more closely, it’s a lot less clear:

  • The FTC has limited resources – and the current version of ADPPA adds a lot of responsibilities, but doesn’t allocate additional funding.
  • A coalition of ten AGs warned in a July 19 letter that ADPPA puts a significant barrier to their enforcement abilities.****  So the "crisis pregnancy centers" don't have to worry about California, Connecticut, Illinois, Maine, Massachusetts, Nevada, New Mexico, New Jersey, New York, Washington and who knows how many other states.
  • Individuals have a limited private right of action, but ADPPA also puts up a lot of roadblocks.  As Senate Commerce Committee staffers warned in June, it “makes it harder for women to seek redress when their sensitive health data has been used against them” and would force women to “jump through arbitrary, drawn-out hoops” to sue over privacy violations.
  • A potential fourth tier of city and county privacy authorities and prosecutors aren't allowed to enforce the law (or pass their own law).  

If a “crisis pregnancy center” shares an individual’s data in a way that breaks the law, here are some of the specific barriers that individual would face if they want to sue:

  • ADPPA generally allows “forced arbitration” clauses, where businesses and non-profits can force consumers to give up their right to sue if they want to use the service.
  • Companies and non-profits with an annual revenue less than $25,000,000 are exempt from ADPPA’s private right of action.  Many “crisis pregnancy centers” fall below this threshold.
  • Before suing, companies have to let the FTC or state privacy authority know and give them 60 days to decide whether to bring an action.
  • Companies and non-profits who are sued have a 45-day “right to cure”.

Add it all up and ADPPA’s supporters’ claims of “strong enforcement” start to look like a substantial exaggeration, at least in this situation.

Get involved!

Reproductive justice organizations and experts in reproductive health law haven’t yet added their voices to the public discussion about ADPPA – and for good reason: they’re dealing with crises in multiple states and moving full steam ahead on their post-Roe strategy.  Still, with dozens of privacy and civil rights groups calling on Speaker Pelosi to schedule a vote on ADPPA, time’s moving fast.  So I really hope that privacy organizations and Democratic legislators who support abortion rights are looking closely at these and other post-Roe threats to see whether ADPPA’s current language is sufficient – and if not, what to do instead.

The good news is that there’s still time to amend ADPPA to strengthen its protections for pregnant people.  In addition, as I mentioned earlier, Congress is working on two other bills that do directly address post-Roe threats: Rep. Sara Jacobs’ My Body My Data has very strong protections for reproductive health data.  The Health and Location Data Privacy Act (sponsored by Sens. Warren, Wyden, and Whitehouse) prohibits sales of health and location data.  Even if they don’t move forward this session, language from them could be useful for strengthening ADPPA.

But the not-so-good news is that it’s not clear there’s political support for strengthening ADPPA.  Most of the changes in the latest version weakened it, and big tech companies and data brokers are lobbying to weaken it further.  And specifically when it comes to abortion, Democrats may worry that pushing for improvements could cause Republicans to drop their support for the bill.

So if you think it’s important for ADPPA to respond to post-Roe abortion threats, it’s a great time to get involved by contacting your legislators and letting them know.  You don’t have to go into details; just say something like

It’s critical to protect pregnant people’s privacy – especially after the Supreme Court decision ending Roe.  Please only vote for privacy legislation that protects pregnant people and health information from vigilantes and sinister prosecutors in states that criminalize abortion – and lets pregnant people protect themselves by deleting all the data companies are tracking about them.

Congress.gov lets you look up your representative based on your address – or here's a directory if you know their name or what congressional district you live in.  And if you work at a big tech company or data broker, make sure to tell your government affairs office and executives that you want them to lobby to ensure that ADPPA protects pregnant employees even if they’re in states that have criminalized abortion!

The House is in session through September 30, so over the next couple of weeks various "stakeholders" will be negotiating the next version of ADPPA. How effectively will it protect against post-Roe threats?  We shall see.

Stay tuned!


Updates

September 15: add new section on travel privacy, improve discussion on state and local enforcement (and context in footnote), include pay-for-privacy.


* This was news to me! But Orin Kerr points out that the full faith and credit clause doesn’t apply in this situation, and he's usually right about stuff like this.  

** the version of ADPPA the subcommittee advanced broadened the definition of “de-identified” data substantially, and then the committee undid those changes.  I think this gets it back to the language that Wyden originally objected to, but I’m not 100% sure.

*** government contractors are considered service providers.  If the data has originally been collected by or transferred to a covered entity (business or non-profit), the covered entity must forward access and deletion requests to service providers.  However, there's no similar requirement for government agencies – who aren't covered by ADPPA.

**** §404(b)(2)(A): “a violation of this Act shall not be pleaded as an element of any such cause of action.”  The AGs' letter says:

In many states, the Attorney General’s office uses civil investigative demands under its consumer protection authority to demand documents or information from entities when we believe there could have been a violation of a law. Ordinarily, a violation of a federal law or standard could also be a violation of state consumer protection law. But Section 404 would act as a bar to investigate violations of the federal law, because it prohibits them from forming the basis for state consumer protection claims. This language unnecessarily interferes with robust enforcement capabilities.

We're especially annoyed by this in Washington because we had a big legislative battle over exactly this issue in 2020, when the state AG said a similar problem made the bill unenforceable.  Big tech conceded on this here in 2021 so even though it's not surprising, it's still kind of annoying to discover that tech lobbyists' fingers were crossed.