Sign in Subscribe
ADPPA

Let's talk about the elephant: how well does ADPPA protect against post-Roe threats?

Let's talk about the elephant in the room.

Jon

17 min read
An elephant crossing a dirt road

Last updated December 16.  See update log at the bottom.

As Danielle Keats Citron discusses in The End of Roe Means We Need a New Civil Right to Privacy, the Supreme Court’s recent decision allowing states to criminalize abortion highlights the stakes of online privacy.  In response, Rep. Sara Jacobs (D-introduced the My Body My Data Act, which would provide strong protections to reproductive health care; and Senators Elizabeth Warren, Ron Wyden, Patty Murray, Sheldon Whitehouse, and Bernie Sanders  introduced the Health and Location Data Privacy Act, which prohibits sale of health and location data.  The Fourth Amendment Is Not For Sale Act, which prohibits government agencies from buying data unless they have a warrant, would also help protect against posts-Roe threats.

Still, those bills' prospects are unclear, and everybody agrees that comprehensive privacy legislation is a vital complement even if they pass.  So in July, the House Energy & Commerce committee advanced the American Data Privacy and Protection Act (ADPPA) 53-2 – the first time this century a consumer privacy bill has made it out of committee.

But how well does ADPPA actually respond to post-Roe threats?  There's been surprisingly little discussion of this – back in July I called it "the elephant in the room" – but even so there are several red flags.  For example:

  • Sen. Ron Wyden, who’s usually right about stuff like this, says the "de-identified" data loophole lets companies sell location data to the government about visits to reproductive health facilities
  • And Kim Clark of Legal Voice says
“This bill, at least from the perspective of pregnant people, it really doesn’t do much.”

Stress-testing the elephant

So let’s build on A. Prince Albert III's excellent suggestion in Hiding OUT: A Case for Queer Experiences Informing Data Privacy Law and stress-test ADPPA by looking at whether it responds to key post-Roe privacy threats.  

yes! ADPPA passes the test
I’m not sure or it's complex
no.  ADPPA does not currently pass the test

  • ❌ Does ADPPA prevent prosecutors and law enforcement in states that have criminalized abortion from buying location data and targeting people who visit reproductive health care centers?
  • ❌ When people travel out of state to get abortions, does ADPPA protect their data?
  • ❌ Does ADPPA allow pregnant people to force companies to delete data that might put them at risk?
  • ❌ Does ADPPA protect pregnant people and abortion providers from risks of automated license plate readers (ALPRs)?
  • ❓Does ADPPA prevent anti-abortion “crisis pregnancy centers” from sharing data with vigilantes and law enforcement?
  • ❓Will ADPPA hold “crisis pregnancy centers” who break the law and violate people’s privacy accountable?
  • ❌ Will ADPPA prevent law enforcement from accessing people's private messages to investigate whether they got an abortion?

If you want to follow along in the bill's text, the section numbers (§) refer to the July 19 ADPPA version as amended by the six amendments that passed.

Thanks to Maya Morales of WA People's Privacy and all the other Washington privacy organizers who have helped with the analysis!

❌ Does ADPPA prevent prosecutors and law enforcement in states that have criminalized abortion from buying location data to target people who visit reproductive health care centers?

No.

ADPPA generally restricts selling sensitive data unless people give consent, and the definition of sensitive data (§2(28)) includes “precise location information.” But there are some important exceptions.

To start with, the “de-identified” location data isn’t covered by the ADPPA (§2(8)(B)(1)), so data brokers and tech companies buy sell it freely – and so can prosecutors, law enforcement, vigilantes doing "civil enforcement" of laws criminalizing abortion, and everybody else.  

Supposedly, it’s impossible to connect “de-identified” data to individual people. But as Center for Democracy and Technology (CDT) says in Following the Overturning of Roe v Wade, Action is Needed to Protect Health Data, “such data is easy to re-identify, with one study showing that one needs only up to four location points to identify the person.”    As EFF's Bennett Cyphers says,

Academic researchers have shown over and over again that de-identified or “anonymized” location data still poses privacy risks.

Indeed, in 2021, ”de-identified” data was used to out a gay priest’.  In How the U.S. Military Buys Location Data from Ordinary Apps, Joseph Cox quotes an engineer at a data broker that sells products using de-identified data as saying "we could absolutely deanonymize a person."  And  as HIPAA and the Leak of “Deidentified” EHR Data in the New England Medical Journal reports, this has long been a problem for electronic health records as well.

Alan Butler of EPIC Privacy has suggested that ADPPA’s definition of “de-identified” data is narrow enough that the exemption doesn’t cause risks.  In June, Sen. Wyden disagreed.

[T]his loophole could allow data brokers to sell location data to the government about visits to reproductive health facilities, for example, or other private information that is trivially easy to connect to individuals,

The bill’s definition of “de-identified” data has changed twice since then,* and the last quote I saw from Sen Wyden’s office was that they were looking at the latest version.  So it’ll be interesting to hear their opinions.

"De-identified data" is only one of many location-related issues in ADPPA.  A few more examples:

  • Californians for Consumer Privacy suggests highlights another apparent loophole: the definition of precise location information (§ 2(24)) excludes “information identifiable or derived solely from the visual content of an legally obtained image, including the location of the device that captured such image.” So companies can share and sell this data without people's consent – to prosecutors, law enforcement, vigilantes, and everybody else.
  • Loopholes discussed below in the sections on license plate readers and data sharing with vigilantes apply to location data as well.

Also, ADPPA doesn't prevent prosecutors and law enforcement with valid warrants or subpoenas from getting access to sensitive data.  As discussed below in he section on law access to private messages, courts may well decide that ADPPA doesn't prevent states like California and Washington from passing their own legislation to address this ... but that won't help people in the states that have criminalized abortion.

❌ When people travel out of state to get abortions, does ADPPA protect their data?

No.

ADPPA doesn’t cover airlines or other transportation common carriers.  As travel-related human rights expert Ed Hasbrouck points out, “while the most common real-world attackers of travel reservations data have been stalkers and domestic abusers, this data could also be used to identify (even in advance) and track post-Roe interstate abortion travellers.”  

Hasbrouck's What's in a Passenger Name Record (PNR)? goes into detail about various information that's associated with reservations – including home address, phone number, who paid for the travel, who's traveling together, and timestamped IP address.  As Sabre and Travelport help the government spy on air travelers discusses,

Travelers’ data is routinely made available by Sabre and other CRS/GDS companies not only to US and other government agencies but publicly, without even passwords, through online check-in, PNR viewing, and remote stalking sites and apps such as Sabre’s VirtuallyThere.com.

And, ADPPA doesn’t cover employee data including benefits. So people whose employers pay for abortion-related travel are doubly at risk.

❌ Does ADPPA allow pregnant people to force companies to delete data that might put them at risk?

ADPPA, like most modern privacy laws, gives people the right to request to see what data companies are storing about them (often called "access") – and request that it be deleted (§203).  However, there are some important exceptions:

  • Companies and non-profits holding the data must ignore requests they “reasonably believe” are being made to support criminal activity.  (§203(e)(1)(E)).  In states that criminalize abortion, does this mean that requests to delete pregnancy-related data can’t be honored?
  • Companies may ignore requests that interfere with "investigations, or reasonable efforts to guard against, detect, prevent, or investigate ... unlawful activity."  (§203(e)(3)(A)(vii)).  In states that criminalize abortion, does this mean that “crisis pregnancy centers” or menstrual apps can decline requests to delete pregnancy-related data?
  • When government contractors collect, process, or transfer data on behalf of government agencies, ADPPA doesn’t require either the contractors or government agencies to offer access or deletion rights.**

It’s also worth mentioning that the latest version of ADPPA makes it extremely challenging for people to find out what companies their data has been shared with. The company that originally collected the data is supposed to relay requests on to whoever they’ve transferred it to, but suppose you want to double-check this? Easier said than done!

  • Privacy policies only need to include the categories of third parties and service providers (§202(b)(4)), not the names of specific companies.
  • Previously, the data returned from an access request had the names of third parties; now, it also only has to include categories of third parties, although it does have to provide “an option for consumers to obtain the names of any such third party.” (§203(1)(B)).
  • Companies with less than $41,000,000 in revenue have up to 90 days to respond to an access request, with an automatic 45-day exception (§203(c)), so it’s going to take a loooong time to figure out all the people who have your data; then they’ve got a similar amount of time to respond to your request about what data they have.

By the way, companies also get up to 90 days, with an automatic 45-day exception, to respond to deletion requests.  So even in the best case where they decide to honor them, it’s gonna take a while.

But wait, there's more.  ADPPA limts people to two free access and deletion requests a year, after which companies can charge people a "reasonable fee" to exercise their rights.  As ACLU of Washington says in their s Data Privacy Guiding Principles:

Pay-for-privacy provisions worsen the digital divide, which is also a privacy divide and raise racial equity issues. Strong regulations ensure that privacy rights are available to all and not just to those who can afford to pay to keep our privacy.

❌ Does ADPPA protect pregnant people and abortion providers from risks of automated license plate readers (ALPRs)?

No.  

ADPPA excludes "publicly available information" and ALPR vendors have in the past successfully argued that license plate information is public.  

As EFF's Dave Maass writes in Automated License Plate Readers Threaten Abortion Access. Here’s How Policymakers Can Mitigate the Risk,

Law enforcement agencies typically do not require officers to get a warrant, demonstrate probable cause or reasonable suspicion, or show really much proof at all of a law enforcement interest before searching ALPR data. Meanwhile, as EFF has shown through hundreds of public records requests, it is the norm that agencies will share ALPR data they collect broadly with other agencies nationwide, without requiring any justification that the other agencies need unfettered access. Police have long argued that you don't have an expectation of privacy when driving on public streets, conveniently dodging how this data could be used to reveal private information about you, such as when you visit a reproductive health clinic....

What's worse is that private actors can also access this database. DRN [Motorola's Digital Recognition Network] sells access to ALPR data to private investigators, who only need to check a box saying that they're querying the data for litigation development. With the passage of SB 8 in Texas, private actors now have the ability to sue to enforce the state's abortion ban. Unfortunately, anti-abortion activists for years have been compiling their own databases of license plates of abortion providers; now they can use that to query private ALPR databases to surveil abortion seekers and reproductive healthcare providers.

In addition, the apparent loophole for surveillance camera location information I mentioned above (§ 2(24)) may also apply to ALPR-based location information.  If so, then even if it was covered it wouldn't be considered sensitive data.

Brennan Center's 2020 Automatic License Plate Readers: Legal Status and Policy Recommendations for Law Enforcement Use is a deeper dive into the issues around license plate readers, and Thor Benson's The Danger of License Plate Readers in Post-Roe America on Wired has additional discussion about how this puts pregnant people at risk.

Does ADPPA prevent anti-abortion “crisis pregnancy centers” from sharing data with vigilantes?

"A Crisis Pregnancy Center (CPC) is an anti-abortion nonprofit organization, a fake clinic, or a mobile vehicle that poses as a legitimate health care center, often to purposely deceive pregnant people. They aim to dissuade, deceive, scare, or pressure people into not seeking or receiving abortion care."

– National Women's Law Center (NWLC) FTC Comments
"Pregnancy centers, many of which are affiliated with national anti-abortion advocacy groups, including Care Net and Heartbeat International, collect personal data from the millions of women they interact with every year in person, by telephone, and through online chats. This data includes sexual and reproductive histories, test results, ultrasound photos, and information shared during consultations, parenting classes, or counseling sessions, which some pregnancy centers require before they provide aid, like diapers. Because most centers are not licensed medical clinics and offer services for free, privacy lawyers tell TIME that they are not legally bound by federal health data privacy laws."

Anti-Abortion Centers’ Databases Could Be Weaponized Post-Roe, Abigail Abrams and Vera Bergengruen, Time

Today, “crisis pregnancy centers” use the data they collect to target ads and boost their search results.  And it works, too: a recent report by Julia Love and Davey Alba on Bloomberg notes that when people type the words “abortion clinic” into the Google Maps search bar in states like South Carolina or Idaho, “five or more of the top 10 results were for CPCs, not abortion clinics.”  When pregnant people contact the “crisis pregnancy center”, they provide a lot more information over the phone, which then gets used to try to talk them out of getting an abortion.

Of course a lot of pregnant people see through “crisis pregnancy centers’” manipulation, and wind up seeking abortions elsewhere.  In states where abortion is criminalized, this means that the “crisis pregnancy centers” have a lot of data that they can potentially weaponize and/or monetize – sharing with it vigilantes and bounty hunters doing “civil enforcement” of laws like Texas’, or even selling it.

ADPPA has strong protections for “sensitive data”, including health and reproductive data, so it seems like they shouldn't be allowed do to this.  However, when you dig into the specific ways the CPCs operate, there are some potential loopholes.  

For example, NWLC's comments note that Heartbeat International (H.I.), a network of CPCs that is connected with over 2,000 affiliates, has developed its own Content Management System (CMS) to streamline the collection and retention of personal data.  If H.I. provides the CMS as a service to law enforcement and bounty hunters as well as clinics, the last-minute ADPPA amendment approved by the committee could give them substantial leeway in sharing the data.  

For example, §302(b)(1)(D)(ii) allows service providers to combine data they've gathered from users with "service provider data" for any of the  §101(b) permissible purposes – including  "to  prevent, detect, protect against or respond to illegal activity."

Another potential loophole that seems like it could be exploited by “crisis pregnancy centers” (and anybody else who believes that abortion is murder): an exception to the duty of loyalty (§102(3)(C)) allows businesses or non-profits to transfer (share or sell) an individual’s sensitive data to third parties without consent if

the transfer is necessary to prevent an individual from imminent injury where the covered entity believes in good faith that the individual is at risk of death, or serious physical injury, or serious health risk

“Crisis pregnancy centers” could certainly claim a good faith belief that fetuses are at risk of death, and in states that have criminalized abortion they’ve got the law on their side as well.  Is it “imminent”?  Maybe the Fifth Circuit judges who routinely uphold anti-abortion laws would decide that it isn’t, and maybe the Supreme Court would agree.  But I’d certainly expect “crisis pregnancy centers” to argue that it is, and share the data until they’re told not to.

It would be great to see a detailed legal analysis of these – and other threats related to CPCs.  Until then, it's hard to know just how serious these potential loopholes are, so I'll leave this one as a

Will ADPPA hold “crisis pregnancy centers” who break the law and violate people’s privacy accountable?

Suppose it turns out that loophole doesn't apply, and ADPPA doesn't actually allow "crisis pregnancy centers" to share data with vigilantes.  If they decide to ignore the law and do it anyhow, does ADPPA have enough teeth to hold them accountable?

Probably not.

At first, it seems like the answer is yes.  ADPPA has a “three-tier” enforcement structure: the FTC, state Attorneys General and privacy authorities, and individuals all have some enforcement powers.  

But when you look at it more closely, it’s a lot less clear:

  • The FTC has  limited resources – and the current version of ADPPA adds a lot of responsibilities, but doesn’t allocate additional funding.
  • A coalition of ten AG’s warned in a July 19 letter that ADPPA puts a significant barrier to their enforcement abilities.***  So the "crisis pregancy centers" don't have to worry about California, Connecticut, Illinois, Maine, Massachusetts, Nevada, New Mexico, New Jersey, New York, Washington and who knows how many other states.  
  • Individuals have a limited private right of action, but ADPPA also puts up a lot of roadblocks.  As Senate Commerce Committee staffers warned in June, it “makes it harder for women to seek redress when their sensitive health data has been used against them” and would force women to “jump through arbitrary, drawn-out hoops” to sue over privacy violations.
  • A potential fourth tier of city and county privacy authorities and prosecutors aren't allowed to enforce the law (or pass their own law).  

If a “crisis pregnancy center” shares an individual’s data in a way that breaks the law, here’s some of the specific barriers they’d face if they want to sue:

  • ADPPA generally allows “forced arbitration” clauses, where businesses and non-profits can force consumers to give up their right to sue if they want to use the service.
  • Companies and non-profits with an annual revenue less than $25,000,000 are exempt from ADPPA’s private right of action.  Many “crisis pregnancy centers “fall below this threshold
  • Before suing, companies have to let the FTC or state privacy authority know and give them 60 days to decide whether to bring an action.
  • Companies and non-profits who are sued have a 45-day “right to cure”

Add it all up and ADPPA’s supporters’ claims of “strong enforcement” start to look like a substantial exaggeration, at least in this situation.

❌ Will ADPPA prevent law enforcement from accessing people's private messages to investigate whether they got an abortion?

No.  

ADPPA allows covered entities to transfer data to comply with legal obligations under state, local, or tribal law.  So it wouldn't do anything to prevent harms like the Burgess case in Nebraska, where police got a warrant for a teen's Facebook messages with her mom and then charged them with an illegal abortion illustrates.

By contrast, California's  A.B. 2091, sponsored by Asm. Mia Bonta, prohibits health care providers from releasing medical information about abortion to law enforcement, or in response to a subpoena, based on either an out-of-state law that interferes with California abortion rights,**** or an out-of-state suit “to punish an offense against the public justice of that state”. EFF's California Leads on Reproductive and Trans Health Data Privacy discusses this and two other recent privacy laws California has passed.  Washington state's legislature will consider similar legislation in 2023, and other states where Democrats control the legislature and governorship are likely to follow ... but this doesn't help people in red states.

I haven't yet seen any analyses of how ADPPA would interact with laws' like California's and Washington's. ADPPA's current version has some exceptions to preemptions and I think laws like these would't be preempted, but the whole preemption section is so complicated that it's very likely it would wind up in court and I'm not sure how it would work out.  And it could get worse: the US Chamber of Commerce and some trade associations are pressing to make ADPPA fully preemptive, which would mean it would override these new laws (as well as Washington's and California's current and future privacy laws).

Of course, there's no way Congressional Republicans would support a clause like that in ADPPA.  So even though this is a hugely important threat, with a clear answer, I left it until the end – it's a dead end politically until Democrats have a majority in both chambers and get rid of the filibuster for abortion-related legislation.  

Get involved!

Reproductive justice organizations and experts in reproductive health law haven’t yet added their voices to the public discussion about ADPPA – and for good reason: they’re dealing with crises in multiple states and moving full steam ahead on their post-Roe strategy.  Still, with dozens of privacy and civil rights groups calling on Speaker Pelosi to schedule a vote on ADPPA, time’s moving fast.  So I really hope that privacy organizations and Democratic legislators who support abortion rights are looking closely at these and other post-Roe threats to see whether ADPPA’s current language is sufficient – and if not, what to do instead.

The good news is that there’s still time to amend ADPPA to strengthen its protections for pregnant people.  In addition, as I mentioned earlier, Congress is working on two other bills that do directly address post-Roe threats: Rep. Sara Jacobs’ My Body My Data has very strong protections for reproductive health data.  The Health and Location Data Privacy Act (sponsored by Sens. Warren, Wyden, and Whitehouse) prohibits sales of health and location data.  Even if they don’t move forward this session, language from them could be useful for strengthening ADPPA.

But the not-so-good news is that it’s not clear there’s political support for strengthening ADPPA.  Most of the changes in the latest version weakened it, and big tech companies and data brokers are lobbying to weaken it further.  And specifically when it comes to abortion, Democrats may worry that pushing for improvements could cause Republicans to drop their support for the bill.

So if you think it’s important for ADPPA to respond to post-Roe abortion threats, it’s a great time to get involved by contacting your legislators and let them know.  You don’t have to go into details; just say something like

It’s critical to protect pregnant people’s privacy – especially after the Supreme Court decision ending Roe.  Please only vote for privacy legislation that protects pregnant people and health information from vigilantes and sinister prosecutors in states that criminalize abortion – and lets pregnant people protect themselves by deleting all the data companies are tracking about them.

Congress.gov lets you look up your representative based on your address – or here's a directory if you know their name or what congressional district you live in.  And if you work at a big tech company or data broker, make sure to tell your government affairs office and executives that you want them to lobby to ensure that ADPPA protects pregnant employees even if they’re in states that have criminalized abortion!

Rumors are that Congress may take another try at passing privacy legislation in the "lame duck" session after the midterms , so there's still a chance we'll see a new version of ADPPA.  As to just what will be in it, it's hard to know: various "stakeholders" are negotiating that behind closed doors. How effectively will it protect against post-Roe threats?  We shall see.  

Stay tuned!

Updates

September 15: add new section on travel privacy, improve discussion on state and local enforcement (and context in footnote), include pay-for-privacy.

October 8: split out license plate reader and private message questions to their own sections, minor updates to reflect that it didn't move in September.

November 12: change wording of first item to highlight it's not related to Rep. Eshoo's mention of an ADPPA loophole allowing access to "sinister prosecutors", and reference to upcoming Washington state law.

December 5: update section on "crisis pregnancy centers” sharing data with vigilantes and law enforcement to incorporate NWLC's FTC comments.

December 9: remove confusing discussion of access rights in the section on deletion

December 16: change title to Let's Talk about the Elephant

Image credit: Savanna elephant in Kruger National Park, South Africa. By Felix Andrews (CC-BY-SA-3.0) via Wikimedia Commons.

Footnotes

* the version of ADPPA the subcommittee advanced broadened the definition of “de-identified” data substantially, and then the committee undid those changes.  I think this gets it back to the language that Wyden originally objected to, but I’m not 100% sure.

** government contractors are considered service providers.  If the data has originally been collected by or transferred to a covered entity (business or non-profit), the covered entity must forward access and deletion requests to service providers.  However, there's no similar requirement for government agencies – who aren't covered by ADPPA.

***  §404(b)(2)(A): “a violation of this Act shall not be pleaded as an element of any such cause of action."  The AG's letter says:

In many states, the Attorney General’s office uses civil investigative demands under its consumer protection authority to demand documents or information from entities when we believe there could have been a violation of a law. Ordinarily, a violation of a federal law or standard could also be a violation of state consumer protection law. But Section 404 would act as a bar to investigate violations of the federal law, because it prohibits them from forming the basis for state consumer protection claims. This language unnecessarily interferes with robust enforcement capabilities.

We're especially annoyed by this in Washington because we had a big legislative battle over exactly this issue in 2020, when the state AG said a similar problem made the bill unenforceable.  Big tech conceded on this here in 2021 so even though it's not surprising, it's still kind of annoying to discover that tech lobbyists' fingers were crossed.  

**** If you're surprised that California can do this, so was I!  But Orin Kerr points out that the full faith and credit clause doesn’t apply in this situation, and he's usually right about stuff like this.