Post-Roe, businesses advised to prepare for increased data surveillance

While pregnant women will face surveillance and lack of privacy, businesses' employee benefits plans and employee data may also be threatened.


Nearly two months after the U.S. Supreme Court’s draft opinion in Dobbs v. Jackson Women’s Health Organization was leaked, the final ruling came June 24: “The Constitution does not confer a right to abortion; Roe and Casey are overruled; and the authority to regulate abortion is returned to the people and their elected representatives,” the decision states.

To be sure, some privacy attorneys had already begun preparations since the leak, examining ways in which pregnant people’s data would be collected and commodified—from geofencing to biometrics to period tracking apps—should Roe v. Wade be overturned. Now, many are also stressing the importance of educating businesses and individuals on how to protect themselves from a digital landscape that, as it stands, offers consumers little autonomy over their data.

As attorneys on both the consumer and business sides of the aisle across the U.S. are readying to see the repercussions of Dobbs in their particular states, they share a primary consensus: there’s likely to be an increase in digital surveillance, from advertisers and law enforcement alike.

Organizations tracking people going to abortion clinics

Jay Edelson, CEO and founder of Chicago-based plaintiffs firm Edelson PC, said the time between the leak and the decision offered his firm a chance to prepare for what was to come.

“Our message to any organization that wants to try and track people who are going to abortion clinics is really, ‘Don’t do it,’ because you are probably breaking the law and we’re going to come after you,” Edelson said.

One of the major forms of tracking Edelson is eyeing is “geofencing,” or the use of GPS or radio frequency identification (RFID) to determine what geographical boundary a certain device is in. Geofencing abilities provide advertisers a business opportunity to target certain consumers with commercials or messages when they “trip” a geofence. For example, an anti-abortion group might pay an advertiser to send “alternative choices” or other such ads to those entering a Planned Parenthood with their device’s location on.

Currently, only one state bans geolocation near abortion clinics: Massachusetts.

“We would much prefer that [businesses] stopped the practice, but we know that a lot won’t, and we’re going to bring litigation in the near future,” Edelson said. “We don’t pretend that it stops the problem, but it’s an important fight and something that we are pretty comfortable taking on.”

Certainly, the same geolocation data that businesses or advertisers might acquire would be available to law enforcement in states that criminalize abortion, enabling them to track those who may cross state lines after a positive pregnancy or enter the periphery of a clinic.

“I think the law is undeveloped when it comes to geolocation tracking,” Edelson added. “I think this is a good opportunity to do what we kind of did in the biometric arena in Illinois [the Biometric Information Protection Act] and make it clear, ‘No you can’t do this.’”

Still, not all the ways that data will be used might be as complex as geofence warrants or biometrics. Carrie Sophia Zoubul, an attorney at New York-based firm C.A. Goldberg, pointed out how internet search histories and a lack of accurate search results from data aggregators will largely contribute to how pregnant people might be targeted.

“If you’re pregnant and you’re in a state where you’re looking for information, it starts when you search online and the accuracy of search results,” Zoubul said. “You have to think, what if a pregnant person comes in contact with a crisis pregnancy center instead of an actual [abortion] clinic? Then, the pregnant person gives their information [to the crisis pregnancy center], they become a part of that database, and then that’s circulated.”

Zoubul noted that Google has been approached by consumers and attorneys on multiple occasions to better clarify their search results, and has failed to do so.

“If there was someone who could show they had suffered actual damages because of the information they received,” an inaccurate search result could actually be grounds for a lawsuit in the coming years, Zoubul said.

To be sure, an indictment based on an internet search history is not far-fetched. In 2017, Latice Fisher was charged with second-degree murder in a Mississippi court after a pregnancy loss, when prosecutors raked her search history to find she had looked up “misoprostol,” a drug used to end a pregnancy.

“I think hopefully, this [decision] will highlight the big problem with the lack of control over our personal data,” Zoubul added. “Maybe this will help people understand how much of our data is being shared and how much is being compromised.”

For businesses, “If you don’t need it, destroy it”

Jennifer Beckage, the founder of the Beckage Firm, is preparing to tackle the decision from the other side of the field as a representative of businesses who might face data privacy suits from firms like Edelson or C.A. Goldberg.

For Beckage, there is a high probability that efforts to procure personal data concerning abortions will spike in the coming months. She sees this as the “ripple effects” of Dobbs, pointing out that it’s the right time for businesses to look into their privacy compliance programs.

“At this point, I would say [to businesses] to continue following their data security and privacy laws,” Beckage said. While she stressed that individuals will likely face the initial brunt of the Dobbs decision, organizations will likely come soon after. “There’s so much there,” from employee benefits plans to record retention practices to the location of employee data, all of which will have to be reevaluated, she said. “If you don’t need it, destroy it.”

If it is any indication of a larger trend of asking private companies for users’ personal information, Google’s latest transparency report shows the highest number of government requests for user information yet.

“For some organizations, their employees might share their Uber accounts with them or they can see where they are going,” Beckage said. “Some of it is personal, combined with emails with the HR department requesting time off. Are there printed documents still at Iron Mountain referring to this stuff? Every company just needs to evaluate what they are supposed to do, because there’s just not one prescription for everyone.”

In spite of the spirited reactions among the legal industry and beyond to Dobbs, Beckage advised calm when it comes to decision-making, cautioning businesses against making “wide-sweeping changes in the next 24 hours.”

Instead, she advised having business leaders focus on getting their privacy compliance in order. After all, within many state data privacy statutes are data retention policies, data subject access request protocols and right to delete obligations, all of which have the potential to be useful tools when it comes to safeguarding a business from becoming a partner in what is bound to be an increase in data surveillance.

Still, businesses can only do so much at this stage, especially since so much is up in the air. Myriah Jaworski, attorney at Octillo, recommended that businesses look at their data minimization—deletion of unnecessary stores of data—as “if it does not exist, it cannot be provided,” she said.

But beyond that, an important step in keeping employee and consumer data safe post-Dobbs is to be clear with them about what data might be vulnerable.

“Businesses that collect this type of information should clearly disclose this form of information collection and any internal policies or practices they have with respect to law enforcement requests,” Jaworski said. For example, she noted that oftentimes businesses do state in their privacy policies that they share information with law enforcement, and this type of transparency with consumers is especially important as data surveillance increases.

“Certainly, businesses may want to take a closer look at their practices and could work to give notice to consumers when a law enforcement request is received, or otherwise determine not to comply with state law enforcement requests,” she added.

Isha Marathe is a New York-based legal technology reporter, covering new things happening around privacy law, e-discovery and cybersecurity. Meanwhile, attempting to hit every hole-in-the-wall restaurant from Brooklyn to at least South of Houston.