AI Policy & Governance, Privacy & Data
Disabled People Need Critical Privacy Protections in ADPPA
Disabled people are one of the most hyper-surveilled communities within the U.S. Public and private entities alike collect enormous amounts of often deeply personal data about our lives and health, for purposes ranging from benign (such as tracking disability-targeted hiring benchmarks) to malicious (such as profiling students as likely future criminals). Algorithm-driven systems now commonly power recruiting and hiring processes, tenant background checks, public benefits applications, and even remote test proctoring, all with outsized impact on people with disabilities. Meanwhile, researchers and developers are racing to create increasingly sophisticated algorithms to detect disability and predict future diagnosis of mental health disabilities.
Popular misconceptions about health data protections fuel ignorance about just how much data related to disability and health can be freely exploited, shared, and sold for profit, with little recourse for those affected. Passed in 1996, the Health Information Portability and Accountability Act (better known as HIPAA) imposes relatively strict protections on health-related data… but crucially, only if that data is held by medical providers and health insurers (or their service providers). HIPAA does not offer any protections at all for data (no matter how personal) held by most websites you visit, wearables you use, apps on your phone (think health and fitness apps, and yes, period tracking apps), any employer where you’ve ever worked or applied for a job, the gym where you work out, or the massive data brokers you probably don’t know about.
This year, Congress made history by advancing out of committee a bipartisan comprehensive privacy bill, the American Data Privacy and Protection Act (ADPPA). ADPPA aims to protect ordinary people from misuse and risky use of their data in a much wider range of contexts than HIPAA does, including through strong data minimization requirements placed on companies, rather than burdens placed on people.
For disabled people in particular, ADPPA offers heightened protections. ADPPA defines as “sensitive” any data that is or could be interpreted or perceived as relating to disability, or mental and physical health in general, including past, present, or future disabilities and any data that can be used to infer such information. Such sensitive data (and all categories of sensitive data) can be collected or used by a company only if it is strictly necessary to provide the service the person is requesting – which would mean no more data bonanzas where companies collect everything they can and monetize it later. Further, health and disability data would not be allowed as an input for targeted advertising.
ADPPA also rightly frames data-driven discriminatory practices as a civil rights issue – and designates several groups, including disabled people, as protected classes for the purpose of civil rights protections. The civil rights section of the ADPPA states that companies cannot engage in data practices that discriminate against, or make unavailable certain opportunities for, disabled people. Many of the examples of disability discrimination discussed earlier in this post and in other reports from CDT would not be allowed to exist under ADPPA because they discriminate against disabled people.
Given the strength of the disability protections in the ADPPA, over twenty-five disability rights and disability justice advocacy organizations recently joined in a letter urging Congress to retain these disability protections as ADPPA moves further through the legislative process.
Disabled people need and deserve autonomy and privacy over their lives and their data. Left unchecked, data-driven practices and algorithmic systems can and will continue to replicate, perpetuate, and exacerbate existing patterns of disability discrimination everywhere, from hiring to education to housing to policing. People with disabilities also deserve to understand their choices about what data they share with whom and about how their data is used – but under the current privacy regime, nondisabled and disabled people alike are subject to inaccessible, lengthy privacy policies and consent buttons that do little more than give the veneer of control without any of the substance. Congress must take decisive action to protect people’s privacy and autonomy, and the disability protections in the ADPPA are an important move in the right direction.