{"id":4070,"date":"2022-08-31T05:41:56","date_gmt":"2022-08-31T05:41:56","guid":{"rendered":"https:\/\/2024.thenexus.today\/index.php\/2022\/08\/31\/adppa-post-roe-threats\/"},"modified":"2022-08-31T05:41:56","modified_gmt":"2022-08-31T05:41:56","slug":"adppa-post-roe-threats","status":"publish","type":"post","link":"https:\/\/2024.thenexus.today\/index.php\/2022\/08\/31\/adppa-post-roe-threats\/","title":{"rendered":"Let&#8217;s talk about the elephant: how well does ADPPA protect against post-Roe threats?"},"content":{"rendered":"<p><em>Last updated December 16. \u00a0See update log at the bottom.<\/em><\/p>\n<p>As Danielle Keats Citron discusses in<a href=\"https:\/\/slate.com\/technology\/2022\/06\/end-roe-civil-right-intimate-privacy-data.html\"> The End of Roe Means We Need a New Civil Right to Privacy<\/a>, the Supreme Court\u2019s recent decision allowing states to criminalize abortion highlights the stakes of online privacy. \u00a0In response, Rep. Sara Jacobs (D-introduced the My Body My Data Act, which would provide strong protections to reproductive health care; and Senators Elizabeth Warren, Ron Wyden, Patty Murray, Sheldon Whitehouse, and Bernie Sanders \u00a0introduced the Health and Location Data Privacy Act, which prohibits sale of health and location data. \u00a0The Fourth Amendment Is Not For Sale Act, which prohibits government agencies from buying data unless they have a warrant, would also help protect against posts-Roe threats.<\/p>\n<p>Still, those bills&#8217; prospects are unclear, and everybody agrees that comprehensive privacy legislation is a vital complement even if they pass. \u00a0So in July, the House Energy &amp; Commerce committee advanced the American Data Privacy and Protection Act (ADPPA) 53-2 \u2013 the first time this century a consumer privacy bill has made it out of committee.<\/p>\n<p>But how well does ADPPA actually respond to post-Roe threats? \u00a0There&#8217;s been surprisingly little discussion of this \u2013 back in July I called it &#8220;<a href=\"__GHOST_URL__\/what-about-the-elephant\/\">the elephant in the room<\/a>&#8221; \u2013 but even so there are several red flags. \u00a0For example:<\/p>\n<ul>\n<li>Sen. Ron Wyden, who\u2019s usually right about stuff like this, says the &#8220;de-identified&#8221; data loophole lets companies sell location data to the government about visits to reproductive health facilities<\/li>\n<li>And Kim Clark of Legal Voice <a href=\"https:\/\/www.spokesman.com\/stories\/2022\/jul\/25\/historic-data-privacy-law-could-be-within-reach-if\/\">says<\/a><\/li>\n<\/ul>\n<blockquote><p>\u201cThis bill, at least from the perspective of pregnant people, it really doesn\u2019t do much.\u201d<\/p><\/blockquote>\n<h2 id=\"stress-testing-the-elephant\">Stress-testing the elephant <\/h2>\n<p>So let\u2019s build on A. Prince Albert III&#8217;s excellent suggestion in <a href=\"https:\/\/publicknowledge.org\/hiding-out-a-case-for-queer-experiences-informing-data-privacy-laws\">Hiding OUT: A Case for Queer Experiences Informing Data Privacy Law<\/a> and stress-test ADPPA by looking at whether it responds to key post-Roe privacy threats. \u00a0<\/p>\n<p><strong>\u2705 <\/strong><em><strong>yes<\/strong>!<strong> <\/strong>ADPPA passes the test<\/em><br \/><strong>\u2753 <\/strong><em>I\u2019m not sure or it&#8217;s complex<\/em><br \/><strong>\u274c <\/strong><em><strong>no.<\/strong> \u00a0ADPPA does not currently pass the test<\/em><\/p>\n<ul>\n<li>\u274c Does ADPPA prevent prosecutors and law enforcement in states that have criminalized abortion from buying location data and targeting people who visit reproductive health care centers?<\/li>\n<li>\u274c When people travel out of state to get abortions, does ADPPA protect their data?<\/li>\n<li>\u274c Does ADPPA allow pregnant people to force companies to delete data that might put them at risk?<\/li>\n<li>\u274c Does ADPPA protect pregnant people and abortion providers from risks of automated license plate readers (ALPRs)?<\/li>\n<li>\u2753Does ADPPA prevent anti-abortion \u201ccrisis pregnancy centers\u201d from sharing data with vigilantes and law enforcement?<\/li>\n<li>\u2753Will ADPPA hold \u201ccrisis pregnancy centers\u201d who break the law and violate people\u2019s privacy accountable?<\/li>\n<li>\u274c Will ADPPA prevent law enforcement from accessing people&#8217;s private messages to investigate whether they got an abortion?<\/li>\n<\/ul>\n<p>If you want to follow along in the bill&#8217;s text, the section numbers (\u00a7) refer to the<a href=\"https:\/\/docs.house.gov\/meetings\/IF\/IF00\/20220720\/115041\/BILLS-117-8152-P000034-Amdt-1.pdf\"> July 19 ADPPA version<\/a> as amended by the six<a href=\"https:\/\/docs.house.gov\/Committee\/Calendar\/ByEvent.aspx?EventID=115041\"> amendments<\/a> that passed. <\/p>\n<p>Thanks to Maya Morales of WA People&#8217;s Privacy and all the other Washington privacy organizers who have helped with the analysis!<\/p>\n<h2 id=\"%E2%9D%8C-does-adppa-prevent-prosecutors-and-law-enforcement-in-states-that-have-criminalized-abortion-from-buying-location-data-to-target-people-who-visit-reproductive-health-care-centers\">\u274c Does ADPPA prevent prosecutors and law enforcement in states that have criminalized abortion from buying location data to target people who visit reproductive health care centers?<\/h2>\n<p>No. <\/p>\n<p>ADPPA generally restricts selling sensitive data unless people give consent, and the definition of sensitive data (\u00a72(28)) includes \u201cprecise location information.\u201d But there are some important exceptions.<\/p>\n<p>To start with, the \u201cde-identified\u201d location data isn\u2019t covered by the ADPPA (\u00a72(8)(B)(1)), so data brokers and tech companies buy sell it freely \u2013 and so can prosecutors, law enforcement, vigilantes doing &#8220;civil enforcement&#8221; of laws criminalizing abortion, and everybody else. \u00a0 <\/p>\n<p>Supposedly, it\u2019s impossible to connect \u201cde-identified\u201d data to individual people. But as Center for Democracy and Technology (CDT) says in <a href=\"https:\/\/cdt.org\/insights\/following-the-overturning-of-roe-v-wade-action-is-needed-to-protect-health-data\/\">Following the Overturning of Roe v Wade, Action is Needed to Protect Health Data<\/a>, \u201csuch data is<a href=\"https:\/\/www.nytimes.com\/interactive\/2018\/12\/10\/business\/location-data-privacy-apps.html\"> easy to re-identify<\/a>, with<a href=\"https:\/\/phys.org\/news\/2013-03-easy-identity-cell.html#:~:text=By%20analyzing%2015%20months%20of,identify%2095%25%20of%20the%20individuals\"> one study<\/a> showing that one needs only up to four location points to identify the person.\u201d \u00a0 \u00a0As EFF&#8217;s Bennett Cyphers <a href=\"https:\/\/www.eff.org\/deeplinks\/2022\/08\/inside-fog-data-science-secretive-company-selling-mass-surveillance-local-police\">says<\/a>,<\/p>\n<blockquote><p>Academic researchers have shown <a href=\"https:\/\/www.osti.gov\/pages\/servlets\/purl\/1095747\">over<\/a> and <a href=\"https:\/\/link.springer.com\/chapter\/10.1007\/978-3-642-27576-0_3\">over again<\/a> that de-identified or \u201canonymized\u201d location data <a href=\"https:\/\/dl.acm.org\/doi\/10.1145\/2030613.2030630\">still poses privacy risks<\/a>.<\/p><\/blockquote>\n<p>Indeed, in 2021, <a href=\"https:\/\/www.vox.com\/recode\/22587248\/grindr-app-location-data-outed-priest-jeffrey-burrill-pillar-data-harvesting\">\u201dde-identified\u201d data was used to out a gay priest\u2019<\/a>. \u00a0In<a href=\"https:\/\/www.vice.com\/en\/article\/jgqm5x\/us-military-location-data-xmode-locate-x\"> How the U.S. Military Buys Location Data from Ordinary Apps<\/a>, Joseph Cox quotes an engineer at a data broker that sells products using de-identified data as saying &#8220;we could absolutely deanonymize a person.&#8221; \u00a0And \u00a0as<a href=\"https:\/\/www.nejm.org\/doi\/full\/10.1056\/NEJMp2102616?query=WB\"> HIPAA and the Leak of \u201cDeidentified\u201d EHR Data<\/a> in the New England Medical Journal reports, this has long been a problem for electronic health records as well.<\/p>\n<p>Alan Butler of EPIC Privacy has suggested that ADPPA\u2019s definition of \u201cde-identified\u201d data is narrow enough that the exemption doesn\u2019t cause risks. \u00a0In June, Sen. Wyden disagreed.<\/p>\n<blockquote><p>[T]his loophole could allow data brokers to sell location data to the government about visits to reproductive health facilities, for example, or other private information that is trivially easy to connect to individuals,<\/p><\/blockquote>\n<p>The bill\u2019s definition of \u201cde-identified\u201d data has changed twice since then,* and the last quote I saw from Sen Wyden\u2019s office was that they were looking at the latest version. \u00a0So it\u2019ll be interesting to hear their opinions.<\/p>\n<p>&#8220;De-identified data&#8221; is only one of many location-related issues in ADPPA. \u00a0A few more examples:<\/p>\n<ul>\n<li><a href=\"https:\/\/www.caprivacy.org\/californians-for-consumer-privacy-announce-opposition-to-adppa\/\">Californians for Consumer Privacy suggests<\/a> highlights another apparent loophole: the definition of precise location information (\u00a7 2(24)) excludes \u201cinformation identifiable or derived solely from the visual content of an legally obtained image, including the location of the device that captured such image.\u201d So companies can share and sell this data without people&#8217;s consent \u2013 to prosecutors, law enforcement, vigilantes, and everybody else.<\/li>\n<li>Loopholes discussed below in the sections on license plate readers and data sharing with vigilantes apply to location data as well.<\/li>\n<\/ul>\n<p>Also, ADPPA doesn&#8217;t prevent prosecutors and law enforcement with valid warrants or subpoenas from getting access to sensitive data. \u00a0As discussed below in he section on law access to private messages, courts may well decide that ADPPA doesn&#8217;t prevent states like California and Washington from passing their own legislation to address this &#8230; but that won&#8217;t help people in the states that have criminalized abortion. <\/p>\n<h2 id=\"%E2%9D%8C-when-people-travel-out-of-state-to-get-abortions-does-adppa-protect-their-data\">\u274c When people travel out of state to get abortions, does ADPPA protect their data?<\/h2>\n<p>No. <\/p>\n<p>ADPPA doesn\u2019t cover airlines or other transportation common carriers. \u00a0As travel-related human rights expert Ed Hasbrouck points out, \u201cwhile the most common real-world attackers of travel reservations data have been stalkers and domestic abusers, this data could also be used to identify (even in advance) and track post-Roe interstate abortion travellers.\u201d \u00a0<\/p>\n<p>Hasbrouck&#8217;s <a href=\"https:\/\/hasbrouck.org\/articles\/PNR.html\">What&#8217;s in a Passenger Name Record (PNR)?<\/a> <em> <\/em>goes into detail about various information that&#8217;s associated with reservations \u2013 including home address, phone number, who paid for the travel, who&#8217;s traveling together, and timestamped IP address. \u00a0As <a href=\"https:\/\/papersplease.org\/wp\/2022\/07\/01\/sabre-and-travelport-help-the-government-spy-on-air-travelers\/\">Sabre and Travelport help the government spy on air travelers<\/a> discusses, <\/p>\n<blockquote><p>Travelers\u2019 data is routinely made available by Sabre and other CRS\/GDS companies not only to US and other government agencies but publicly, without even passwords, through <a href=\"https:\/\/hasbrouck.org\/articles\/watching.html\">online check-in, PNR viewing, and remote stalking sites and apps<\/a> such as Sabre\u2019s <a href=\"https:\/\/virtuallythere.com\/new\/login.html\">VirtuallyThere.com<\/a>.<\/p><\/blockquote>\n<p>And, ADPPA doesn\u2019t cover employee data including benefits. So people whose employers pay for abortion-related travel are doubly at risk.<\/p>\n<h2 id=\"%E2%9D%8C-does-adppa-allow-pregnant-people-to-force-companies-to-delete-data-that-might-put-them-at-risk\">\u274c Does ADPPA allow pregnant people to force companies to delete data that might put them at risk?<\/h2>\n<p>ADPPA, like most modern privacy laws, gives people the right to request to see what data companies are storing about them (often called &#8220;access&#8221;) \u2013 and request that it be deleted (\u00a7203). \u00a0However, there are some important exceptions:<\/p>\n<ul>\n<li>Companies and non-profits holding the data <em>must <\/em>ignore requests they \u201creasonably believe\u201d are being made to support criminal activity. \u00a0(\u00a7203(e)(1)(E)). \u00a0In states that criminalize abortion, does this mean that requests to delete pregnancy-related data can\u2019t be honored?<\/li>\n<li>Companies <em>may<\/em> ignore requests that interfere with &#8220;investigations, or reasonable efforts to guard against, detect, prevent, or investigate &#8230; unlawful activity.&#8221; \u00a0(\u00a7203(e)(3)(A)(vii)). \u00a0In states that criminalize abortion, does this mean that \u201ccrisis pregnancy centers\u201d or menstrual apps can decline requests to delete pregnancy-related data?<\/li>\n<li>When government contractors collect, process, or transfer data on behalf of government agencies, ADPPA doesn\u2019t require either the contractors or government agencies to offer access or deletion rights.**<\/li>\n<\/ul>\n<p>It\u2019s also worth mentioning that the latest version of ADPPA makes it extremely challenging for people to find out what companies their data has been shared with. The company that originally collected the data is supposed to relay requests on to whoever they\u2019ve transferred it to, but suppose you want to double-check this? Easier said than done!<\/p>\n<ul>\n<li>Privacy policies only need to include the <em>categories<\/em> of third parties and service providers (\u00a7202(b)(4)), not the names of specific companies.<\/li>\n<li>Previously, the data returned from an access request had the names of third parties; now, it also only has to include categories of third parties, although it does have to provide \u201can option for consumers to obtain the names of any such third party.\u201d (\u00a7203(1)(B)).<\/li>\n<li>Companies with less than $41,000,000 in revenue have up to 90 days to respond to an access request, with an automatic 45-day exception (\u00a7203(c)), so it\u2019s going to take a loooong time to figure out all the people who have your data; then they\u2019ve got a similar amount of time to respond to your request about what data they have.<\/li>\n<\/ul>\n<p>By the way, companies also get up to 90 days, with an automatic 45-day exception, to respond to deletion requests. \u00a0So even in the best case where they decide to honor them, it\u2019s gonna take a while.<\/p>\n<p>But wait, there&#8217;s more. \u00a0ADPPA limts people to two free access and deletion requests a year, after which companies can charge people a &#8220;reasonable fee&#8221; to exercise their rights. \u00a0As ACLU of Washington says in their s <a href=\"https:\/\/www.aclu-wa.org\/docs\/data-privacy-guiding-principles-and-bill-comparison-chart\" rel=\"noopener ugc nofollow\">Data Privacy Guiding Principles<\/a>:<\/p>\n<blockquote><p>Pay-for-privacy provisions worsen the digital divide, which is also a privacy divide and raise racial equity issues. Strong regulations ensure that privacy rights are available to all and not just to those who can afford to pay to keep our privacy.<\/p><\/blockquote>\n<h2 id=\"%E2%9D%8C-does-adppa-protect-pregnant-people-and-abortion-providers-from-risks-of-automated-license-plate-readers-alprs\">\u274c Does ADPPA protect pregnant people and abortion providers from risks of automated license plate readers (ALPRs)?<\/h2>\n<p>No. \u00a0<\/p>\n<p>ADPPA excludes &#8220;publicly available information&#8221; and ALPR vendors have in the past successfully argued that<a href=\"https:\/\/www.techdirt.com\/2014\/06\/18\/license-plate-reader-company-sues-another-state-violating-its-first-amendment-right-to-build-18-billion-image-database\/\"> license plate information is public<\/a>. \u00a0<\/p>\n<p>As EFF&#8217;s Dave Maass writes in <a href=\"https:\/\/www.eff.org\/deeplinks\/2022\/09\/automated-license-plate-readers-threaten-abortion-access-heres-how-policymakers\">Automated License Plate Readers Threaten Abortion Access. Here\u2019s How Policymakers Can Mitigate the Risk<\/a>,<\/p>\n<blockquote><p>Law enforcement agencies typically do not require officers to get a warrant, demonstrate <a href=\"https:\/\/www.google.com\/search?client=firefox-b-1-d&amp;q=%22reasonable+suspicion+or+probable+cause+is+not+required+before+using+an+ALPR.%22\">probable cause or reasonable suspicion<\/a>, or show really much proof at all of a law enforcement interest before searching ALPR data. Meanwhile, as EFF has shown through <a href=\"https:\/\/www.eff.org\/pages\/automated-license-plate-reader-dataset\">hundreds of public records requests<\/a>, it is the norm that agencies will share ALPR data they collect broadly with other agencies nationwide, without requiring any justification that the other agencies need unfettered access. Police have long argued that you don&#8217;t have an expectation of privacy when driving on public streets, conveniently dodging how this data could be used to reveal private information about you, such as when you visit a reproductive health clinic&#8230;.<\/p>\n<p>What&#8217;s worse is that private actors can also access this database. DRN [Motorola&#8217;s Digital Recognition Network] sells access to ALPR data to private investigators, who only need to check a box saying that they&#8217;re querying the data for litigation development. With the passage of SB 8 in Texas, private actors now have the ability to sue to enforce the state&#8217;s abortion ban. Unfortunately, anti-abortion activists for years have been <a href=\"https:\/\/www.austinchronicle.com\/daily\/news\/2014-08-12\/undercover-audio-reveals-anti-abortion-tactics\/\">compiling their own databases<\/a> of license plates of abortion providers; now they can use that to query private ALPR databases to surveil abortion seekers and reproductive healthcare providers.<\/p><\/blockquote>\n<p>In addition, the apparent loophole for surveillance camera location information I mentioned above (\u00a7 2(24)) may also apply to ALPR-based location information. \u00a0If so, then even if it was covered it wouldn&#8217;t be considered sensitive data.<\/p>\n<p>Brennan Center&#8217;s 2020 <a href=\"https:\/\/www.brennancenter.org\/our-work\/research-reports\/automatic-license-plate-readers-legal-status-and-policy-recommendations\">Automatic License Plate Readers: Legal Status and Policy Recommendations for Law Enforcement Use<\/a> is a deeper dive into the issues around license plate readers, and Thor Benson&#8217;s <a href=\"https:\/\/www.wired.com\/story\/license-plate-reader-alpr-surveillance-abortion\/\">The Danger of License Plate Readers in Post-Roe America<\/a> on Wired has additional discussion about how this puts pregnant people at risk.<\/p>\n<h2 id=\"%E2%9D%93does-adppa-prevent-anti-abortion-%E2%80%9Ccrisis-pregnancy-centers%E2%80%9D-from-sharing-data-with-vigilantes\"><strong>\u2753<\/strong>Does ADPPA prevent anti-abortion \u201ccrisis pregnancy centers\u201d from sharing data with vigilantes?<\/h2>\n<blockquote><p>&#8220;A Crisis Pregnancy Center (CPC) is an anti-abortion nonprofit organization, a fake clinic, or a mobile vehicle that poses as a legitimate health care center, often to purposely deceive pregnant people. They aim to dissuade, deceive, scare, or pressure people into not seeking or receiving abortion care.&#8221;<\/p>\n<p>\u2013 National Women&#8217;s Law Center (NWLC) <a href=\"https:\/\/www.regulations.gov\/comment\/FTC-2022-0053-0898\">FTC Comments <\/a><\/p><\/blockquote>\n<blockquote><p>&#8220;Pregnancy centers, many of which are affiliated with national anti-abortion advocacy groups, including Care Net and Heartbeat International, collect personal data from the millions of women they interact with every year in person, by telephone, and through online chats. This data includes sexual and reproductive histories, test results, ultrasound photos, and information shared during consultations, parenting classes, or counseling sessions, which some pregnancy centers require before they provide aid, like diapers. Because most centers are not licensed medical clinics and offer services for free, privacy lawyers tell TIME that they are not legally bound by federal health data privacy laws.&#8221;<\/p>\n<p>\u2013 <a href=\"https:\/\/time.com\/6189528\/anti-abortion-pregnancy-centers-collect-data-investigation\/\">Anti-Abortion Centers\u2019 Databases Could Be Weaponized Post-Roe<\/a>, Abigail Abrams and Vera Bergengruen, Time<\/p><\/blockquote>\n<p>Today, \u201ccrisis pregnancy centers\u201d use the data they collect to target ads and boost their search results. \u00a0And it works, too: a recent <a href=\"https:\/\/twitter.com\/daveyalba\/status\/1575539335499288596\">report<\/a> by Julia Love and Davey Alba on Bloomberg notes that when people type the words \u201cabortion clinic\u201d into the Google Maps search bar in states like South Carolina or Idaho, \u201cfive or more of the top 10 results were for CPCs, not abortion clinics.\u201d \u00a0When pregnant people contact the \u201ccrisis pregnancy center\u201d, they provide a lot more information over the phone, which then gets used to try to talk them out of getting an abortion.<\/p>\n<p>Of course a lot of pregnant people see through \u201ccrisis pregnancy centers\u2019\u201d manipulation, and wind up seeking abortions elsewhere. \u00a0In states where abortion is criminalized, this means that the \u201ccrisis pregnancy centers\u201d have a lot of data that they can potentially weaponize and\/or monetize \u2013 sharing with it vigilantes and bounty hunters doing \u201ccivil enforcement\u201d of laws like Texas\u2019, or even selling it.<\/p>\n<p>ADPPA has strong protections for \u201csensitive data\u201d, including health and reproductive data, so it seems like they shouldn&#8217;t be allowed do to this. \u00a0However, when you dig into the specific ways the CPCs operate, there are some potential loopholes. \u00a0<\/p>\n<p>For example, NWLC&#8217;s <a href=\"file:\/\/\/Users\/jdp\/Downloads\/FTC-2022-0053-0898_attachment_1-1.pdf\">comments<\/a> note that Heartbeat International (H.I.), a network of CPCs that is connected with over 2,000 affiliates, has developed its own Content Management System (CMS) to streamline the collection and retention of personal data. \u00a0If H.I. provides the CMS as a service to law enforcement and bounty hunters as well as clinics, the last-minute ADPPA <a href=\"https:\/\/docs.house.gov\/meetings\/IF\/IF00\/20220720\/115041\/BILLS-117-8152-H001067-Amdt-4.pdf\">amendment<\/a> approved by the committee could give them substantial leeway in sharing the data. \u00a0<\/p>\n<p>For example, \u00a7302(b)(1)(D)(ii) allows service providers to combine data they&#8217;ve gathered from users with &#8220;service provider data&#8221; for any of the \u00a0\u00a7101(b) permissible purposes \u2013 including \u00a0&#8220;to \u00a0prevent, detect, protect against or respond to illegal activity.&#8221;<\/p>\n<p>Another potential loophole that seems like it could be exploited by \u201ccrisis pregnancy centers\u201d (and <a href=\"https:\/\/www.usnews.com\/news\/national-news\/articles\/2022-05-06\/the-push-to-make-fetuses-people-and-abortion-murder\">anybody else who believes that abortion is murder<\/a>): an exception to the duty of loyalty (\u00a7102(3)(C)) allows businesses or non-profits to transfer (share or sell) an individual\u2019s sensitive data to third parties without consent if<\/p>\n<blockquote><p>the transfer is necessary to prevent an individual from imminent injury where the covered entity <strong>believes in good faith<\/strong> that the individual is at <strong>risk of death,<\/strong> or serious physical injury, or serious health risk<\/p><\/blockquote>\n<p>\u201cCrisis pregnancy centers\u201d could certainly claim a good faith belief that fetuses are at risk of death, and in states that have criminalized abortion they\u2019ve got the law on their side as well. \u00a0Is it \u201cimminent\u201d? \u00a0Maybe the Fifth Circuit judges who routinely uphold anti-abortion laws would decide that it isn\u2019t, and maybe the Supreme Court would agree. \u00a0But I\u2019d certainly expect \u201ccrisis pregnancy centers\u201d to argue that it is, and share the data until they\u2019re told not to.<\/p>\n<p>It would be great to see a detailed legal analysis of these \u2013 and other threats related to CPCs. \u00a0Until then, it&#8217;s hard to know just how serious these potential loopholes are, so I&#8217;ll leave this one as a <strong>\u2753<\/strong><\/p>\n<h2 id=\"%E2%9D%93will-adppa-hold-%E2%80%9Ccrisis-pregnancy-centers%E2%80%9D-who-break-the-law-and-violate-people%E2%80%99s-privacy-accountable\"><strong>\u2753<\/strong>Will ADPPA hold \u201ccrisis pregnancy centers\u201d who break the law and violate people\u2019s privacy accountable?<\/h2>\n<p>Suppose it turns out that loophole doesn&#8217;t apply, and ADPPA doesn&#8217;t actually allow &#8220;crisis pregnancy centers&#8221; to share data with vigilantes. \u00a0If they decide to ignore the law and do it anyhow, does ADPPA have enough teeth to hold them accountable?<\/p>\n<p>Probably not.<\/p>\n<p>At first, it seems like the answer is yes. \u00a0ADPPA has a \u201cthree-tier\u201d enforcement structure: the FTC, state Attorneys General and privacy authorities, and individuals all have some enforcement powers. \u00a0<\/p>\n<p>But when you look at it more closely, it\u2019s a lot less clear:<\/p>\n<ul>\n<li>The FTC has \u00a0limited resources \u2013 and the current version of ADPPA adds a lot of responsibilities, but doesn\u2019t allocate additional funding.<\/li>\n<li>A coalition of ten AG\u2019s warned in a <a href=\"https:\/\/oag.ca.gov\/system\/files\/attachments\/press-docs\/Letter%20to%20Congress%20re%20Federal%20Privacy.pdf\">July 19 letter<\/a> that ADPPA puts a significant barrier to their enforcement abilities.*** \u00a0So the &#8220;crisis pregancy centers&#8221; don&#8217;t have to worry about California, Connecticut, Illinois, Maine, Massachusetts, Nevada, New Mexico, New Jersey, New York, Washington and who knows how many other states. \u00a0<\/li>\n<li>Individuals have a limited private right of action, but ADPPA also puts up a lot of roadblocks. \u00a0As Senate Commerce Committee staffers warned in June, it \u201cmakes it harder for women to seek redress when their sensitive health data has been used against them\u201d and would force women to \u201cjump through arbitrary, drawn-out hoops\u201d to sue over privacy violations.<\/li>\n<li>A potential fourth tier of city and county privacy authorities and prosecutors aren&#8217;t allowed to enforce the law (or pass their own law). \u00a0<\/li>\n<\/ul>\n<p>If a \u201ccrisis pregnancy center\u201d shares an individual\u2019s data in a way that breaks the law, here\u2019s some of the specific barriers they\u2019d face if they want to sue:<\/p>\n<ul>\n<li>ADPPA generally allows \u201c<a href=\"https:\/\/www.nclc.org\/issues\/forced-arbitration.html\">forced arbitration<\/a>\u201d clauses, where businesses and non-profits can force consumers to give up their right to sue if they want to use the service.<\/li>\n<li>Companies and non-profits with an annual revenue less than $25,000,000 are exempt from ADPPA\u2019s private right of action. \u00a0Many \u201ccrisis pregnancy centers \u201cfall below this threshold<\/li>\n<li>Before suing, companies have to let the FTC or state privacy authority know and give them 60 days to decide whether to bring an action.<\/li>\n<li>Companies and non-profits who are sued have a 45-day \u201cright to cure\u201d<\/li>\n<\/ul>\n<p>Add it all up and ADPPA\u2019s supporters\u2019 claims of \u201cstrong enforcement\u201d start to look like a substantial exaggeration, at least in this situation.<\/p>\n<h2 id=\"%E2%9D%8C-will-adppa-prevent-law-enforcement-from-accessing-peoples-private-messages-to-investigate-whether-they-got-an-abortion\">\u274c Will ADPPA prevent law enforcement from accessing people&#8217;s private messages to investigate whether they got an abortion?<\/h2>\n<p>No. \u00a0 <\/p>\n<p>ADPPA allows covered entities to transfer data to comply with legal obligations under state, local, or tribal law. \u00a0So it wouldn&#8217;t do anything to prevent harms like <a href=\"https:\/\/www.npr.org\/2022\/08\/12\/1117092169\/nebraska-cops-used-facebook-messages-to-investigate-an-alleged-illegal-abortion\">the Burgess case in Nebraska<\/a>, where police got a warrant for a teen&#8217;s Facebook messages with her mom and then charged them with an illegal abortion illustrates. <\/p>\n<p>By contrast, California&#8217;s \u00a0A.B. 2091, sponsored by Asm. Mia Bonta, prohibits health care providers from releasing medical information about abortion to law enforcement, or in response to a subpoena, based on either an out-of-state law that interferes with California abortion rights,**** or an out-of-state suit \u201cto punish an offense against the public justice of that state\u201d. EFF&#8217;s <a href=\"https:\/\/www.eff.org\/deeplinks\/2022\/09\/california-leads-reproductive-and-trans-health-data-privacy\">California Leads on Reproductive and Trans Health Data Privacy<\/a> discusses this and two other recent privacy laws California has passed. \u00a0Washington state&#8217;s legislature will consider <a href=\"https:\/\/www.governor.wa.gov\/news-media\/inslee-and-legislators-roll-out-more-reproductive-freedom-bills-2023-legislative-session\">similar legislation<\/a> in 2023, and other states where Democrats control the legislature and governorship are likely to follow &#8230; but this doesn&#8217;t help people in red states.<\/p>\n<p>I haven&#8217;t yet seen any analyses of how ADPPA would interact with laws&#8217; like California&#8217;s and Washington&#8217;s. ADPPA&#8217;s current version has some exceptions to preemptions and I <em>think <\/em>laws like these would&#8217;t be preempted, but the whole preemption section is so complicated that it&#8217;s very likely it would wind up in court and I&#8217;m not sure how it would work out. \u00a0And it could get worse: the US Chamber of Commerce and some trade associations are pressing to make ADPPA fully preemptive, which would mean it would override these new laws (as well as Washington&#8217;s and California&#8217;s current and future privacy laws).<\/p>\n<p>Of course, there&#8217;s no way Congressional Republicans would support a clause like that in ADPPA. \u00a0So even though this is a hugely important threat, with a clear answer, I left it until the end \u2013 it&#8217;s a dead end politically until Democrats have a majority in both chambers and get rid of the filibuster for abortion-related legislation. \u00a0<\/p>\n<h2 id=\"get-involved\">Get involved!<\/h2>\n<p>Reproductive justice organizations and experts in reproductive health law haven\u2019t yet added their voices to the public discussion about ADPPA \u2013 and for good reason: they\u2019re dealing with crises in multiple states and moving full steam ahead on their post-Roe strategy. \u00a0Still, with dozens of privacy and civil rights groups calling on Speaker Pelosi to schedule a vote on ADPPA, time\u2019s moving fast. \u00a0So I really hope that privacy organizations and Democratic legislators who support abortion rights are looking closely at these and other post-Roe threats to see whether ADPPA\u2019s current language is sufficient \u2013 and if not, what to do instead.<\/p>\n<p>The good news is that there\u2019s still time to amend ADPPA to strengthen its protections for pregnant people. \u00a0In addition, as I mentioned earlier, Congress is working on two other bills that <em>do <\/em>directly address post-Roe threats: Rep. Sara Jacobs\u2019 My Body My Data has very strong protections for reproductive health data. \u00a0The Health and Location Data Privacy Act (sponsored by Sens. Warren, Wyden, and Whitehouse) prohibits sales of health and location data. \u00a0Even if they don\u2019t move forward this session, language from them could be useful for strengthening ADPPA.<\/p>\n<p>But the not-so-good news is that it\u2019s not clear there\u2019s political support for strengthening ADPPA. \u00a0Most of the changes in the latest version weakened it, and big tech companies and data brokers are lobbying to weaken it further. \u00a0And specifically when it comes to abortion, Democrats may worry that pushing for improvements could cause Republicans to drop their support for the bill.<\/p>\n<p>So if you think it\u2019s important for ADPPA to respond to post-Roe abortion threats, it\u2019s a great time to get involved by contacting your legislators and let them know. \u00a0You don\u2019t have to go into details; just say something like<\/p>\n<blockquote><p>It\u2019s critical to protect pregnant people\u2019s privacy \u2013 especially after the Supreme Court decision ending Roe. \u00a0Please only vote for privacy legislation that protects pregnant people and health information from vigilantes and sinister prosecutors in states that criminalize abortion \u2013 and lets pregnant people protect themselves by deleting all the data companies are tracking about them.<\/p><\/blockquote>\n<p><a href=\"https:\/\/www.congress.gov\/contact-us\">Congress.gov lets you look up your representative based on your address<\/a> \u2013 or<a href=\"https:\/\/www.house.gov\/representatives\"> here&#8217;s a directory<\/a> if you know their name or what congressional district you live in. \u00a0And if you work at a big tech company or data broker, make sure to tell your government affairs office and executives that you want them to lobby to ensure that ADPPA protects pregnant employees even if they\u2019re in states that have criminalized abortion!<\/p>\n<p>Rumors are that Congress may take another try at passing privacy legislation in the &#8220;lame duck&#8221; session after the midterms , so there&#8217;s still a chance we&#8217;ll see a new version of ADPPA. \u00a0As to just what will be in it, it&#8217;s hard to know: various &#8220;stakeholders&#8221; are negotiating that behind closed doors. How effectively will it protect against post-Roe threats? \u00a0We shall see. \u00a0<\/p>\n<p>Stay tuned!<\/p>\n<p><!--kg-card-begin: html--><\/p>\n<hr id=\"updates\" \/><!--kg-card-end: html--><\/p>\n<h2 id=\"updates\">Updates<\/h2>\n<p><em>September 15: <\/em>add new section on travel privacy, improve discussion on state and local enforcement (and context in footnote), include pay-for-privacy.<\/p>\n<p><em>October 8: <\/em>split out license plate reader and private message questions to their own sections, minor updates to reflect that it didn&#8217;t move in September.<\/p>\n<p><em>November 12: <\/em>change wording of first item to highlight it&#8217;s not related to Rep. Eshoo&#8217;s mention of an ADPPA loophole allowing access to &#8220;sinister prosecutors&#8221;, and reference to upcoming Washington state law.<\/p>\n<p><em>December 5<\/em>: update section on &#8220;crisis pregnancy centers\u201d sharing data with vigilantes and law enforcement to incorporate NWLC&#8217;s FTC comments.<\/p>\n<p><em>December 9:<\/em> remove confusing discussion of access rights in the section on deletion<\/p>\n<p><em>December 16<\/em>: change title to Let&#8217;s Talk about the Elephant<\/p>\n<hr>\n<p><em>Image credit: Savanna elephant in Kruger National Park, South Africa. By Felix Andrews (<a href=\"http:\/\/creativecommons.org\/licenses\/by-sa\/3.0\/\">CC-BY-SA-3.0<\/a>) via <a href=\"http:\/\/commons.wikimedia.org\/wiki\/File:Elephant_side-view_Kruger.jpg\">Wikimedia Commons<\/a>.<\/em><\/p>\n<h2 id=\"footnotes\">Footnotes<\/h2>\n<p>* the version of ADPPA the subcommittee advanced broadened the definition of \u201cde-identified\u201d data substantially, and then the committee undid those changes. \u00a0I <em>think <\/em>this gets it back to the language that Wyden originally objected to, but I\u2019m not 100% sure.<\/p>\n<p>** government contractors are considered service providers. \u00a0If the data has originally been collected by or transferred to a covered entity (business or non-profit), the covered entity must forward access and deletion requests to service providers. \u00a0However, there&#8217;s no similar requirement for government agencies \u2013 who aren&#8217;t covered by ADPPA.<\/p>\n<p>*** \u00a0\u00a7404(b)(2)(A): \u201ca violation of this Act shall not be pleaded as an element of any such cause of action.&#8221; \u00a0The AG&#8217;s letter says:<\/p>\n<blockquote><p>In many states, the Attorney General\u2019s office uses civil investigative demands under its consumer protection authority to demand documents or information from entities when we believe there could have been a violation of a law. Ordinarily, a violation of a federal law or standard could also be a violation of state consumer protection law. But Section 404 would act as a bar to investigate violations of the federal law, because it prohibits them from forming the basis for state consumer protection claims. This language unnecessarily interferes with robust enforcement capabilities.<\/p><\/blockquote>\n<p>We&#8217;re especially annoyed by this in Washington because we had a big legislative battle over exactly this issue in 2020, when the state AG said a similar problem made the bill <em>unenforceable<\/em>. \u00a0Big tech conceded on this here in 2021 so even though it&#8217;s not surprising, it&#8217;s still kind of annoying to discover that tech lobbyists&#8217; fingers were crossed. \u00a0<\/p>\n<p>**** If you&#8217;re surprised that California can do this, so was I! \u00a0But Orin Kerr points out that <a href=\"https:\/\/twitter.com\/OrinKerr\/status\/1542570282279260160\">the full faith and credit clause doesn\u2019t apply in this situation<\/a>, and he&#8217;s usually right about stuff like this. <\/p>\n","protected":false},"excerpt":{"rendered":"<p>Last updated December 16. \u00a0See update log at the bottom. As Danielle Keats Citron discusses in The End of Roe Means We Need a New Civil Right to Privacy, the Supreme Court\u2019s recent decision allowing states to criminalize abortion highlights the stakes of online privacy. \u00a0In response, Rep. Sara Jacobs (D-introduced the My Body My [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[458,459],"class_list":["post-4070","post","type-post","status-publish","format-standard","hentry","category-uncategorized","tag-adppa","tag-federal-privacy-legislation"],"_links":{"self":[{"href":"https:\/\/2024.thenexus.today\/index.php\/wp-json\/wp\/v2\/posts\/4070","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/2024.thenexus.today\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/2024.thenexus.today\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/2024.thenexus.today\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/2024.thenexus.today\/index.php\/wp-json\/wp\/v2\/comments?post=4070"}],"version-history":[{"count":0,"href":"https:\/\/2024.thenexus.today\/index.php\/wp-json\/wp\/v2\/posts\/4070\/revisions"}],"wp:attachment":[{"href":"https:\/\/2024.thenexus.today\/index.php\/wp-json\/wp\/v2\/media?parent=4070"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/2024.thenexus.today\/index.php\/wp-json\/wp\/v2\/categories?post=4070"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/2024.thenexus.today\/index.php\/wp-json\/wp\/v2\/tags?post=4070"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}