Government Surveillance, Privacy & Data, Reproductive Rights
California To Enact Ground-Breaking Law To Protect Reproductive Health Data
Last night, the California legislature passed a bill designed to prevent companies in the state from disclosing communications content and metadata in response to out-of-state legal demands for information in abortion-related investigations. Gov. Newsom is expected to sign the bill into law.
The legislation, AB 1242, is a welcome and potentially significant response to the threat to data privacy resulting from the Supreme Court’s decision to overturn Roe v. Wade. Many of the largest communications service providers in the U.S. are incorporated in California (e.g., Apple), or have their principal place of business in California (e.g., Google and Meta).
Section 9 of the bill would bar companies that provide electronic communications services and are either (i) California corporations, or (ii) corporations whose principal executive offices are located in California, from providing “records, information, facilities or assistance” in California in response to legal process issued in another state that “relates to” an investigation into a violation of a law that prohibits “… providing, facilitating, or obtaining an abortion that is lawful under California law.” Disclosures in investigations into attempts to provide, facilitate, or obtain such abortions are also blocked.
The legislation also empowers the California Attorney General to bring civil actions to compel these companies to comply with this prohibition. Companies making prohibited disclosures are not subject to any cause of action unless they knew, or should have known, that the legal process they received related to an investigation of abortion-related conduct that is lawful in California. To set expectations for when companies should know a warrant is issued in an investigation related to abortion, the bill requires that any warrants with which California corporations comply must include “an attestation that the evidence sought is not related to to an investigation into [an abortion that is lawful under California law].”
This formulation is wise, as many investigations into unlawful abortions will likely occur under facially neutral statutes, such as homicide or child endangerment. However, the attestation requirement does not apply to disclosures by corporations that have their principal place of business in California but are not California corporations, and it does not apply to subpoenas, court orders, or any other legal process other than warrants.
The bill also blocks judges and law enforcement from aiding abortion investigations. Section 3 states that “no magistrate shall enter an ex parte order authorizing interception of wire or electronic communications for the purpose of investigating or recovering evidence of [an abortion that is lawful under California law],” Section 4 similarly prohibits judges from authorizing a pen register or a trap and trace for an abortion investigation, and Section 6 states that “No warrant shall issue for any item or items that pertain to [an abortion that is lawful under California law].” This may shield companies that are totally based in California (but may have private records and data belonging to users that reside in states where abortion is banned) from being served with demands for data or communications based on abortion investigations, making the state a safe haven for entities that might provide reproductive health advice, store patient records, or provide medication via the web.
The legislation may address some of the data privacy concerns that have arisen in the wake of the Supreme Court’s Dobbs decision. People who may become pregnant should not have to fear that engaging in everyday life activities that result in the generation of data about them — such as using a cell phone to communicate — could be used against them or their provider of reproductive health services.
They should not have to fear that searching for information about obtaining an abortion, or texting a friend to get a ride to a state in which abortion is legal, could generate data used against them or their friend. And providers of health services (such as websites that offer information about reproductive care or online pharmacies) should not have to worry that, by providing aid to keep users safe medically, they’ll be generating data that could be seized and put those same users in danger legally.
These are among the concerns that prompted CDT to form the Task Force on Protecting Reproductive Health Data after the Dobbs decision. California is poised to take a potentially significant step to address those fears.
The California legislation will raise some complex legal questions. It could put many companies in the uncomfortable position of choosing between complying with the mandate of another state to disclose user information in response to a warrant or other legal process in an abortion-related investigation, or the mandate of California to refrain from making such disclosures. It is not yet clear how these conflicts will be resolved. The requesting state may argue that the Full Faith and Credit clause of the Constitution bars California from enforcing such a blocking statute.
The impact of the “in California” restriction that is built into the bill is also unclear: Does a company with its principal place of business in California make a disclosure “in California” if it receives a disclosure demand from another state and it has a data center in that very state? What impact does it have if the data are stored in the state making the demand, in California, or an entirely separate location?
These questions will likely be resolved in litigation that we will be following closely. For now, AB-1242 should be seen as a significant step forward in the effort to protect reproductive health data in the wake of the Dobbs decision.