How the California Delete Act Further Protects Reproductive Rights
[Update October 2023: the California Delete Act aka SB 362 was signed into law on October 10, 2023 by Governor Newsom. My analysis of the law can be found here.]
Last week California Senate Bill 362 (SB 362) — the California Delete Act — was introduced by State Senator Josh Becker. SB 362 would create an online portal for consumers to request that data brokers delete any data they have on the consumer and no longer track them. The bill is modeled on the FTC’s Do Not Call registry, and it turns out that one of the biggest proponents of this global delete and do not track concept is Apple CEO Tim Cook, who called for a data broker “clearinghouse” that would require
“all data brokers to register, enabling consumers to track the transactions that have bundled and sold their data from place to place, and giving users the power to delete their data on demand, freely, easily and online, once and for all.”
In this blog post, I will discuss how the California Delete Act would further protect reproductive rights that will be continuously under attack now that Roe has been overturned. And full disclosure: I proposed this bill to Senator Becker and co-drafted it, and I write extensively about data brokers in my upcoming book Containing Big Tech.
Background
Data brokers are businesses that knowingly collect, sell, and share the personal information of a consumer with whom the business does not have a direct relationship. According to the privacy group EPIC, there are thousands of data brokers in the United States who buy, aggregate, sell, and trade billions of data points on Americans. Some data brokers advertise that they collect and aggregate over 10,000 data points per consumer.
Because consumers don’t have a direct relationship with data brokers, they are often oblivious to who is selling and trading their personal data, and have no knowledge of which third parties are acquiring that data or what those third parties are doing with it.
Recent reporting has highlighted some highly problematic invasions of privacy being facilitated by data brokers. For example, The Markup has published an exposé documenting how location data is harvested from apps on phones and sold to data brokers, who aggregate it with other personal data and then offer third parties the ability to precisely track a consumer’s movements. One example involved an LGBTQ dating app and a Muslim prayer app selling data on people’s locations to a data broker. LawFareBlog has also documented how data brokers were advertising that they could sell real-time location data of active military personnel.
These chilling violations of privacy highlight the fact that much of our sensitive personal data — gender, sexual orientation, political preference, financial transactions, websites we have visited, and even our precise geolocation — is used by data brokers to profile and score us. So it is critical that consumers know which data brokers are collecting, aggregating, selling, and trading their data, and have an easy way to tell data brokers to delete their data and no longer track them.
Data Brokers and Reproductive Rights
So, you may be saying, “Specific to reproductive rights, abortion is legal in California, so why should I care that data brokers are tracking me and selling my data?” My response is the following. First, in light of the recent ruling in which a federal judge blocked the Food and Drug Administration’s approval of the abortion pill mifepristone, the reality is that abortion rights in California may still be chipped away. Second, even if abortion is legal in California, the data collected about Californians’ reproductive health can be weaponized against them.
Here are a number of real-world examples.
First, data brokers are selling geolocation data that can be used to track people visiting Planned Parenthood and other reproductive health centers. For example, in 2022, just after Roe was overturned, a reporter purchased a week’s worth of information on where people came and went from a Planned Parenthood. It cost the reporter only $160 to get that information.
From there, by simply tracing patterns of movement with the purchased location data, it is possible to deduce the identity of the individual being tracked (e.g., a mobile device is traced returning to a single-family residence every evening). For example, data broker Fog Data Science, which claims it has billions of data points on 250 million devices, says it can provide a person’s “pattern of life,” which lets its customers track individuals to their “bed downs” (i.e., places where people sleep) and commonly visited “locations of interest.” Do we want a world where anyone with a credit card can see who has visited a Planned Parenthood?
Second, data brokers are selling data regarding who has a period tracking app installed. In May of 2022, a reporter was able to buy a sample of that data for $100. No doubt there are other healthcare apps whose installation may give a clue of other personal medical conditions, as app providers are not covered under HIPAA. Do we want knowledge about what apps are on our phone being bought and sold?
Third, it is possible to buy from data brokers information regarding people who are affiliated with or have a strong interest in Planned Parenthood. The sensitive nature of the collected and inferred data provides many opportunities for intentional discrimination. For example, potential employers may be influenced by political interests or affiliations (e.g., one data broker advertises to consumers interested in the NAACP, National LGBTQ Task Force, and Planned Parenthood).
Fourth, data brokers can sell data regarding women whom the data brokers’ algorithms have inferred to be pregnant based on consumers’ credit card purchases, website visits, etc. — all sources of data for data brokers. This is not theoretical. The FTC documented that data brokers have segmented consumers with inferred health matters such as “Expectant Parent,” “Diabetes Interest,” and “Cholesterol Focus.” Or they could engage with another data broker that has created categories of consumers with the following medical conditions: bedwetting, bowel irregularity, trouble sleeping due to breathing, diet concerns, using adult diapers, cold sores, and depression. Do we want our sensitive health data being bought and sold?
I could go on, but we have seen in the past that anti-abortion groups have purchased data from data brokers so they can serve anti-abortion ads to people who are at Planned Parenthood locations. We have seen discrimination based on data collected from data brokers. And we have seen governments buy data from data brokers, so it would be easy for, say, the Idaho Attorney General to buy location data of people visiting Planned Parenthoods in California and then track if any of those people have “bed downs” in Idaho.
The California Delete Act Can Protect Reproductive Rights
Tim Cook said this in an address at Stanford:
“If we accept as normal and unavoidable that everything in our lives can be aggregated and sold, then we lose so much more than data. We lose the freedom to be human.”
So, if you truly want to protect a right such as reproductive rights, you should not allow sensitive data to be weaponized to chip away at those rights, including the right to privacy in our medical decisions. The California Delete Act elegantly lets Californians tell data brokers to delete their data and no longer collect data on them. The alternative is hundreds of hours per consumer spent trying to track down hundreds of data brokers and manually requesting that this happen. That’s not practical or fair to consumers. The California Delete Act gives Californians the ability to fully exercise their right to say No to third parties with whom they don’t even have a direct relationship, and to have those parties stop selling their data and tracking them.
The California Delete Act also offers consumers more transparency by explicitly requiring data brokers to register and specify if they collect geolocation data and if they collect reproductive health data.