A Post-Roe Future Presents Heightened Data Privacy Risks with FemTech
To call the forthcoming Supreme Court of the United States decision in Dobbs v. Jackson Women’s Health Organization “much anticipated” would be a gross understatement. On May 2, 2022, the draft opinion penned by Justice Alito that appeared in Politico shocked the nation. If such an opinion is ultimately issued by the Roberts Court, it would mark a radical reversal on human rights and would intensify debates on several legal and bioethical issues (e.g., the argument that, under current technological and societal conditions, forced gestational labor by a pregnant person is a form of involuntary servitude and contrary to the 13th Amendment of the U.S. Constitution; the implications for assisted reproductive technologies and genomic medicine; limits of fetal medicine interventions; extraterritorial application of state laws; etc.). Among the countless concerns raised by the leaked Dobbs opinion are the substantial informational or data privacy risks implicated by such an outcome to the case. Specifically, these include the data privacy risks for those who use FemTech apps and products, noted almost immediately by FemTech experts (such as Bethany Corbin and others) after the draft Dobbs opinion surfaced, as well as the dangerous chilling factor that such a decision (along with the state laws such a decision would essentially “bless”) will impose on women’s healthcare (such as those detailed in this Twitter thread) because of concerns about escalating attacks against the confidentiality of physician-patient communications.
A Quick Introduction to FemTech
FemTech, a term reportedly coined by Ida Tin in 2016, can be generally defined as technologies (such as mobile health apps, wearables, connected devices, software, products, and services) aimed at addressing women’s health. While much of the FemTech industry remains narrowly focused, reducing the wide range of women’s health issues to merely reproductive health, there is tremendous opportunity for FemTech to begin to address the myriad of women’s health issues that have long been ignored, dismissed, and otherwise understudied in biomedical research. [As an aside, extensive efforts have been underway for more than two decades to improve scientific understanding of women’s health and improve the representation of women in biomedical research. For more information, see, e.g., the 2001 Institute of Medicine Report “Exploring the Biological Contributions to Human Health: Does Sex Matter?” and the 2022 report by the National Academies of Science, Engineering, and Medicine “Improving Representation in Clinical Trials and Research”].
Placing FemTech Data Practices Under Scrutiny
The FemTech industry has been characterized as “surging,” with some projecting the market worth will reach $1.1 trillion within five years. However, following the FTC settlement against Flo Health, Inc. in 2021, increasing attention is being given to the potential misuse of data in FemTech and weaknesses in FemTech privacy policies. Some FemTech vendors have already gotten in trouble for their data sharing practices, as that settlement illustrates. Such practices in FemTech—sharing or selling data to third parties—would become even more alarming in a post-Roe society in which a woman’s tracked reproductive data could be used to infer civil or criminal liability. As a recent headline in Ms. Magazine put it, “Will My Period Tracking App Betray Me?” Adding to the concern is the extent to which the government (i.e., law enforcement) might seek access to such data—even in situations in which FemTech vendors have adopted protective privacy policies—to aggressively enforce the disturbing trend of criminalizing pregnancy and even punishing individuals for miscarriages. The Third Party Doctrine (recognized in the digital, information age by the Roberts Court in 2018 in Carpenter v. United States) as applied to FemTech would likely mean that individuals who use FemTech apps and devices to voluntarily capture, enter, and track data related to their menstrual cycle and/or fertility have reduced expectations of privacy (or perhaps even no legitimate expectation of privacy that the Court would be willing to recognize) in that information, thus making it even easier for the government to gain access to those records even without a warrant supported by probable cause. Some privacy scholars have explained the Third Party Doctrine is “deeply flawed”, has no place in our digital, datafied culture, and is incompatible with the Fourth Amendment right to be free from unreasonable searches and seizures.
That the holding in Carpenter v. United States was so narrowly issued leaves considerable room for uncertainty and interpretation—a dangerous context in which FemTech could exist without Roe privacy protections.
Following the leaked Dobbs opinion, several U.S. Senators sent a letter to the CEO of Google expressing concern about data vulnerabilities and urging the Google Play Store to block apps that might be used—because of their data practices—to “victimize individuals” who seek reproductive healthcare services. They were joined by other U.S. Senators and Members of Congress in sending a separate letter to the CEO of Google calling for the company to reform its data practices to prevent its “digital infrastructure” from “be[ing] weaponized against women.”
FemTech Users in Pennsylvania Might Be Particularly Vulnerable to Data Privacy Risks
Unlike California, Virginia, Colorado, and Utah, Pennsylvania does not have a comprehensive consumer data protection law. Furthermore, unlike Vermont, California, and Nevada, Pennsylvania does not have a data broker registration law. This can be disconcerting when one also recognizes that most FemTech vendors are not required to comply with the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules. FemTech vendors are subject to the FTC’s Health Breach Notification Rule as well as general consumer protection requirements to avoid unfair and deceptive practices as set by Section 5 of the Federal Trade Commission Act. Thus, the limitations on FemTech data practices are mainly set by their own privacy policies and terms of use. While it is theoretically possible given its powerful catch-all provision of 73 P.S. §201-2(4)(xxi), it is currently unlikely that the Pennsylvania Unfair Trade Practices and Consumer Protection Law (73 P.S. §§201-1 – 201-9.2) would be applied in such a way that holds FemTech accountable for data practices and privacy policies that in combination “creates a likelihood of confusion or of misunderstanding.”
It is not without merit to view the current conditions in Pennsylvania—given the lax data protections in effect—as inviting FemTech startups to pilot their products and services with relatively few threats of liability for cybersecurity and data privacy features. While this might be helpful to promote innovation and competition in the FemTech industry, it is not comforting to prospective users who expect to be stripped of their human rights should the leaked Dobbs opinion be issued by the Supreme Court. One could anticipate that individuals no longer able to lawfully access essential healthcare services in their home state might travel to Pennsylvania. If these individuals also are FemTech users, there could be some dire consequences assisted by the lax data privacy laws in the Commonwealth. These conditions offer FemTech users little recourse against vendors if reasonable data protection measures are not performed and also place FemTech users at heightened risk of prosecution for pregnancy-related offenses if the data are disclosed to or accessible by others.
The Leaked Dobbs Decision Jeopardizes Health Information Privacy Generally
The leaked Dobbs decision also has serious implications for women’s health aside from FemTech specifically. For example, it is plausible that electronic health records for services provided within Pennsylvania would become targets of subpoenas originating from any state. HIPAA—specifically 45 CFR §164.512(e) and 45 CFR §164.512(f)—permits disclosures of protected health information when responding to subpoenas and to law enforcement under certain conditions. While responses to such attempts might vary across healthcare providers and systems, it seems all but certain that these provisions will be exploited by forced birth advocates in and beyond Pennsylvania. Another unsettling aspect is whether overturning Roe v. Wade will disrupt efforts to improve representation of women in biomedical research, as choice of law for research activities remains unsettled (as highlighted by two recent publications in the Journal of Law and the Biosciences) and as NIH Certificates of Confidentiality for participation (which already had significant gaps identified by law scholars) could also prove themselves inadequate shields for information of interest in Mississippi, Texas, Oklahoma, and elsewhere post-Roe.
Quite simply, the emerging rise in FemTech and concurrent escalating attacks on women’s rights highlight how integral data privacy is to the realization of human rights.
Jennifer K. Wagner, J.D., Ph.D., is a solo practicing attorney and also is Assistant Professor of Law, Policy, and Engineering at the Pennsylvania State University. She has been a member of the PBA Cybersecurity & Data Privacy Committee since 2018, is a former contributing editor of the Genomics Law Report, and has published scholarly articles in prominent legal and scientific journals, including the Journal of Law & Biosciences; Journal of Law, Medicine, & Ethics; Albany Law Journal of Science & Technology; Virginia Sports and Entertainment Law Journal; North Carolina Journal of Law and Technology; Science; Nature Communications; Nature Medicine; American Journal of Human Genetics; Human Genetics and Genomics Advances; Genetics in Medicine; and PLOS Genetics. She served as a AAAS Congressional Fellow in a U.S. Senator’s office in 2014-2015, and her work has been cited by the Supreme Court of the United States. You may follow her on Twitter as @DNAlawyer. Views expressed are her own.