The two data privacy and protection bills in play in Congress would not stop states from obtaining personal information on reproductive services.
The “American Data Privacy and Protection Act” (ADPPA) (H.R. 8152) and the “Consumer Online Privacy Rights Act“ (COPRA) (S.3195) would provide protection for health information above and beyond what many other types of personal information would receive. However, exceptions in both bills would permit covered entities to heed state laws requiring the production of personal information, and this would almost certainly include personal information related to reproductive services. How this factors into negotiations about a U.S. data privacy and protection bill is not immediately clear, but Members and staff on the Democratic side are keen to protect data regarding reproductive services.
Understandably, in response to the overturning of Roe v. Wade, Democratic lawmakers and staff in Congress have started viewing negotiations over a United States (U.S.) data privacy and protection bill through the perspective of how personal data relating to reproductive services would be protected. According to The Washington Post, a memorandum circulated by Senate Democratic staff asserted that ADPPA “makes it harder for women to seek redress when their sensitive health data has been used against them” and would force women to “jump through arbitrary, drawn-out hoops” to sue over privacy violations.” Other than a say nothing quote from Senate Commerce, Science, and Transportation Committee Ranking Member Roger Wicker (R-MS), there was no indication of what Republicans think of this issue. However, it is not a stretch to imagine most Republicans content with circumstances that would allow states to press companies for personal information proving that women have broken new anti-abortion laws. Undoubtedly Republicans will publicly and privately assert they want to keep abortion and data privacy as separate issues no matter how much Democrats try to link the two issues.
Aside and apart from what stakeholders are saying or thinking, what does the most recent text of the ADPPA say? Moreover, what does the most recent public draft of Senate Commerce, Science, and Transportation Committee Chair Maria Cantwell’s (D-WA) bill, COPRA, say?
Taking ADPPA first, most personal information related to reproductive services would be “sensitive covered data.” This terms covers many categories of personal information, but it notably includes: “[a]ny information that describes or reveals the past, present, or future physical health, mental health, disability, diagnosis, or healthcare condition or treatment of an individual.” This would seem to encompass almost every component of seeking and obtaining reproductive services. But, in the event it does not, there are other categories of sensitive covered data that would. For example, “Biometric information, “Genetic information,” and “Precise geolocation information” would cover personal information that does not fall into what might be called the “health information” sub-category. However, under ADPPA, precise geolocation information pertains to information indicating a person’s location within 1000 feet or less. Hence, everything outside that range is merely covered data, which is not subject to the same level of protection. Moreover, this term “does not mean geolocation information identifiable solely from the visual content of an image.” And so, a person’s photos, especially those on social medias that are not locked, could be used for purposes of geolocation.