Reproductive Rights Groups Voice Support for the California Delete Act (SB 362)
[Update October 2023: the California Delete Act aka SB 362 was signed into law on October 10, 2023 by Governor Newsom. My analysis of the law can be found here.]
California Senate Bill 362 (SB 362) — the California Delete Act —would create an online portal for consumers to request that data brokers delete any data they have on the consumer and no longer track them. By giving Californians the ability to go to a single, user-friendly portal (ala the FTC’s Do Not Call registry) to facilitate this, the ability for consumers to take control of their personal data takes a giant leap forward. The alternative — that is neither practical nor feasible — is that Californians must individually go to 100s of data broker websites and make a deletion request AND then do that again a few months later to reflect the capture of any new data by data brokers (with each iteration equaling 100s of hours per consumer).
The good news is that reproductive rights groups — such as Planned Parenthood Affiliates of California and Access Reproductive Justice — are now throwing their support behind SB 362 as they see SB 362 as a means to limit the weaponization of reproductive healthcare data. But a huge Senator Appropriations Committee hearing looms in just a day from when I am posting this blog post, and it will be interesting to see if this broadening of support can overcome backroom influence from the data broker industry and their lobbyists. In this blog post, I will discuss the rationale for reproductive rights groups’ support of SB 362. [Full disclosure: I proposed this bill to State Senator Josh Becker and co-drafted the bill along with the Privacy Rights Clearinghouse.]
SB 362 Status
SB 362 succeeded in its first test by successfully passing the Senate Judiciary Committee by a vote of 9-2 on April 25, 2023. But on May 18, 2023 — just 2 days from when I am writing this — it will be considered in the Senate Appropriations Committee in a unique ritual called the “suspense file hearing.” This hearing has led to nearly 20% of bills getting culled without a mention or debate. Currently, there are 416 bills in 2023 that are on the docket for this Committee meeting, but any bill can be “silently euthanized” if the Chair of the Committee simply does not mention them in the meeting as he goes through the agenda of bills.
I experienced this last year with SB 1059, a bill I proposed and drafted that would move the California Data Broker Registry to the California Privacy Protection Agency. In last year’s suspense file hearing, SB 1059 was never mentioned by the Committee Chair and thus was considered held in committee without any further action, i.e., it was culled.
Last year SB 1059 did have broad privacy group support, just as SB 362 does in 2023, but I am hoping that the broadening of the coalition to include other civil society organizations such as reproductive rights groups such as Planned Parenthood can overcome the backroom lobbying. We shall know soon enough, but let’s next explore why groups such as Planned Parenthood are supportive of SB 362.
Weaponization of Data
Data brokers are businesses that knowingly collect and sell to third parties the personal information of a consumer with whom the business does not have a direct relationship. Recent reporting has highlighted some highly problematic invasions of privacy being facilitated by data brokers. For example, The Markup has done an expose documenting how location data is being harvested from apps on phones, sold to data brokers who aggregate that data with other personal data, and then will offer to third parties the ability to precisely track a consumer’s movements. An example of this included an LGBTQ dating app and a Muslim prayer app selling data on people’s locations to a data broker. LawFareBlog has also documented how data brokers were advertising how they could sell real-time location data of active military personnel.
In the past, like Big Tech firms that also collect our data, data brokers did this broad collection of our personal data to facilitate advertising. But as I write in my upcoming book Containing Big Tech:
“Historically this near-total digital surveillance has enabled those companies to profile us and utilize this deep insight to let advertisers target us. But now, this data and behavioral analysis can be weaponized against us if, for example, you facilitate or get an abortion in certain US states. Or it can be used by adversarial nation-states to attack our democracy. Furthermore, the massive amounts of data collected by these Big Tech firms and the digital advertising ecosystem they facilitate can expose millions of people to identity theft every year.”
Thus, there is significant concern that even if abortion is legal in California, the data collected about Californians’ reproductive health can be weaponized against them.
Let me give a few examples.
First, data brokers are selling geolocation data that can be used to track people visiting Planned Parenthood and other reproductive health centers. For example, in 2022, just after Roe was repealed, a reporter purchased a week’s worth of information on where people came and went from a Planned Parenthood. It cost the reporter only $160 to get that information.
Second, data brokers are selling data regarding who has a period tracking app installed. In May of 2022, a reporter was able to buy a sample of that data for $100.
Third, data brokers can sell data regarding women whom the data brokers’ algorithms have inferred to be pregnant based on consumers’ credit card purchases, website visits, etc. — all sources of data for data brokers. This is not theoretical. The FTC documented that data brokers have segmented consumers with inferred health matters such as “Expectant Parent,” “Diabetes Interest,” and “Cholesterol Focus.” This Tech Policy Press article does a good job of giving concrete examples of this.
The image below shows the concerns people have regarding the weaponization of reproductive healthcare data that could occur.
So, if you truly want to protect a right such as reproductive rights, you should not allow sensitive data to be weaponized to chip away at those rights. The California Delete Act elegantly lets Californians tell data brokers to delete their data and no longer collect data on them. The alternative is hundreds of hours per consumer to try to track down hundreds of data brokers and manually request that happen. That’s not practical or fair to consumers. The California Delete Act provides the ability for Californians to fully exercise their right to say No to third parties whom consumers don’t even have a direct relationship to stop selling their data and tracking them.
The California Delete Act also offers consumers more transparency by explicitly requiring data brokers to register and specify if they collect geolocation data and if they collect reproductive health data.
Support for SB 362 by Reproductive Rights Groups
The concerns I have expressed above have led reproductive rights groups like Planned Parenthood Affiliates of California (PPAC) to voice their support for SB 362. As PPAC noted in its letter of support (note I have a PDF copy of the letter and will later post link to it):
“SB 362 will uphold privacy and autonomy by protecting personal information related to reproductive health care from being weaponized against anyone seeking or providing abortion. It will also improve transparency and oversight of data brokers by requiring audits for compliance and accountability. Most importantly, it will ensure patients can guarantee their privacy by having the power to delete any information a data broker has collected.
SB 362 is an important bill in the effort to improve and restore access to abortion and will ensure protections are in place for patient privacy as well as overall consumer privacy in the state. For these reasons, PPAC is proud to support SB 362.”
I agree with their assessment. The reality is we have entered a post–abortion rights era in America, which has significantly ratcheted up how we must account for the intrusiveness and impact of the collection of our sensitive personal data. We need to be able to take back control over our data and be able to hit the delete key if need be. SB 362 is a major leap forward in facilitating that.