Interpreting California’s Reproductive Health Information Shield Law: The ‘In California’ Limitation

By Graham Streich, Legal Intern at CDT’s Security & Surveillance Project

Last year, California enacted a unique shield law for reproductive rights, AB 1242, stipulating that California providers of electronic communications services “shall not, in California, provide records, information, facilities, or assistance” (emphasis added) in response to legal process issued by law enforcement in another state in connection with an investigation of an abortion which, if performed in California, would be lawful under California law. 

California’s innovative abortion data privacy protections will almost certainly be the subject of litigation in the future, either in California or in a state with abortion bans from which law enforcement issues such legal process.

One issue that may arise in such litigation is what it means for companies to provide records, information, facilities, or assistance “in California.” The “in California” requirement may have been included to make the law more likely to pass constitutional scrutiny by requiring a clear nexus between California and what companies withhold against out-of-state warrants— “records, information, facilities, or assistance”— in addition to the fact that the company is incorporated or headquartered in California.

The prohibition on the provision of “assistance” in California seems relatively clear:  If company personnel who access the company’s user data in response to a law enforcement request — along with legal staff and other personnel who oversee such responses and turn over data to law enforcement — are located in California, then the company would be providing assistance “in California” when responding to a law enforcement request.  Such assistance would be prohibited in the case of an out-of-state request in connection with an investigation of an abortion that would be lawful in California.  Companies headquartered in California often will locate the relevant personnel in California as a matter of course.  

In some cases, however, the relevant personnel may be located outside California (e.g., personnel are located remotely in this post-pandemic age).  Nonetheless, by its terms, the shield law still applies if the relevant “records, information, [or] facilities” are provided in California.  Under basic canons of statutory construction, those words must be given meaning and not be rendered superfluous.  That language could mean that AB 1242 protections apply when responsive records and information are stored on servers physically located “in California” and the act of disclosure occurs there.  In somewhat analogous circumstances, in Microsoft v. United States—a case involving government demands for data that Microsoft stored in Ireland but could access in the United States—the Second Circuit found the relevant location was where Microsoft stored the data. 

In contrast, a federal district court in Wisconsin described the data’s location as intangible and found the relevant location to be where the provider disclosed the data to the government. A California district court maintained that the location of electronic data was so prone to fluctuation that its location might not be effectively tied to one jurisdiction, and similarly focused on the location of the disclosure to the government.  These differences were never resolved, as the Supreme Court vacated the Second Circuit’s decision in the Microsoft-Ireland case as moot once Congress passed the CLOUD ACT in 2018. .  

These unresolved issues could potentially limit how broadly AB 1242 protects users if the company personnel providing assistance are located outside of California. Even if user data is stored in California, a state demanding data for abortion investigations could argue (following the Wisconsin court) that the data’s location is actually intangible, or (following the California court) that data is subject to such rapid and unpredictable movement that its location should not be a factor for courts and instead, the focus should be on where the data is provided to law enforcement. Such arguments might have the effect of rendering the statutory reference to records or information superfluous, but If they were to prevail, the location of data in California might not be sufficient to trigger AB 1242.  

Assistance “in California” may be found in circumstances other than those in which the act of data disclosure to law enforcement occurs in California. For example, if the data is stored in California and the company copies it there and moves the copy to another state in which the act of disclosure occurs, arguably, the act of copying the data in California would be regarded as “assistance” provided in California. Likewise, other compliance-related activities in California that do not include the act of disclosure but are engaged in to prepare for making the disclosure, may constitute “assistance” provided in California. For example, the act in California of checking to determine whether a company has information responsive to a law enforcement disclosure demand may constitute “assistance” in California regardless of whether the data is stored there. 

California-headquartered technology and telecommunication companies should locate personnel that respond to law enforcement requests in California.  They should also ensure that activities they engage in to prepare to make disclosures to law enforcement occur in California. That should assure users that their data receives AB 1242 protections because “assistance” to law enforcement would be provided in California. Alternatively, or ideally, in addition, companies should also store relevant user data in California, which could provide an alternative avenue for the application of the statutory protections.  

The California legislature should also evaluate whether the “in California” requirement is necessary.  Washington has a shield law that, while similar in key respects to the California law, makes no distinction based on where aid is located, meaning the Washington law’s protections apply even if data is stored and assistance is provided out of state, so long as the company is incorporated or based in Washington. Users should advocate that the California legislature amend its law to eliminate the “in California” requirement for assistance or the location of data and require only that the company in question be headquartered or based in California.