The recent Supreme Court decision in Dobbs v. Jackson Women’s Health Organization has sent shock waves across the legal community.
In the tech space, the ruling raises difficult privacy and security questions related to how the digital surveillance economy might be used to track women seeking health care services and in turn has big and small tech companies rethinking their data-collection practices in this post-Dobbs landscape.
This is spurred even further by guidance from the Federal Trade Commission indicating that the FTC will aggressively wield enforcement authority as it relates to deceptive statements about sensitive data. The FTC showed its focus in this area should be taken seriously when it filed a lawsuit in Idaho against Kochava, an app analytics firm.
The FTC alleges that Kochava accrued a large amount of sensitive data by collecting geolocation data from consumers’ mobile devices at exact times, consequently gaining access to latitude and longitude coordinates and pairing that data with unique identifiers assigned to a consumer’s mobile device. Kochava then sold that data to clients.
In its complaint, the FTC relied on the FTC Act’s general prohibition against “unfair and deceptive acts or practices,” alleging that Kochava unfairly sold this sensitive data that could be used to track people visiting abortion clinics, domestic abuse shelters, places of worship and other sensitive locations.
It’s noteworthy that Kochava also filed a lawsuit against the FTC asserting that the geolocation data came from third-party brokers who obtained the information from consenting consumers.
Although it is likely this case will settle, it brings to the forefront several policy considerations, specifically whether the FTC has the authority to essentially require a consent-based regime for the sale of sensitive information when no federal law requires this.
As the implications of this case and Dobbs undoubtedly evolve over time, tech companies can take several practical steps now to better protect their businesses and allay consumer concerns:
◗ Review and amend privacy notices. Anticipating that the FTC will act more aggressively against companies that sell or share sensitive personal data if their privacy policies or other public statements say they will not do so, it is recommended that companies review their privacy policies and ensure they align with the companies’ data-collection practices.
Additionally, as consumers become leery of how companies use and disclose their information, companies might want to limit their processing activities (actual or potential) to give users comfort that their data will be used only in specific and limited ways and that only the minimum information necessary will be collected and maintained.
◗ Minimize data collection. While we live in an age where data is extremely valuable, companies should consider scrutinizing data collection and analyzing the benefits of such collection versus the risk to a user if such data were obtained and shared. If a company does limit data collection to what is necessary, disclosure of such a practice might provide users with the comfort they need to continue using the service.
For example, certain big tech companies have already declared they will automatically delete geolocation data for individuals who visit abortion clinics, reproductive centers or other similar providers.
◗ Develop a subpoena-response plan. Sensitive health data collected by companies is becoming progressively vulnerable to subpoena by law enforcement authorities in states with more restrictive abortion laws or if the procedure is criminalized by state laws. If companies receive subpoenas or similar legal orders, they will need to consider whether a specific mandate is enforceable in their own jurisdiction.
Schisms across jurisdictions have already arisen, and we are likely to see new laws that seek to counter Dobbs. These laws might prohibit companies from responding to abortion-specific subpoenas or other law enforcement demands, especially if they originate in a different state.
◗ Review cybersecurity safeguards. Companies should examine their cybersecurity safeguards, analyzing both their own cybersecurity and the cybersecurity of any third party through whom consumer data can be obtained. Especially in states that ban or criminalize abortion, there is growing concern that cyberattackers could seek to obtain relevant data from companies in an effort to expose or identify and report individuals who have sought an abortion out of state or through other means.
Specific measures include periodic risk assessments, such as penetration tests and vulnerability scans, patching of vulnerabilities, implementing end-to-end encryption, cybersecurity training, and migrating legacy systems to new versions.
Cain is an Indianapolis-based privacy, cybersecurity and data-strategy partner at Faegre Drinker.