Tech companies operating in the US should consider the impact of last week’s Dobbs decision overturning Roe v. Wade. Five key questions companies should prepare to address:
1. [Data Governance] What user data do we collect and retain? Should we change our practices?
2. [Legal Requests] How will we respond to law enforcement requests, civil subpoenas and similar requests for user data?
3. [Platform Governance] How will we respond to misinformation, and to requests to take down information on reproductive rights?
4. [Employees] How will we support employees in states with changes?
5.[Employees] How will we lead and manage employee dialogue?
Takeaway: While the actions suggested cannot determine whether your users and employees are impacted, they can help determine how they are impacted. Proactive consideration can help ensure your response is intentional and aligned with your values.
The US Supreme Court Dobbs decision overturning Roe v. Wade has an immediate impact across the country. In at least 13 states, abortions have become immediately unlawful. And at least 20 states drafted at least partial bans on abortion in anticipation of the Dobbs decision. Bans will vary, but may carry criminal penalties for people who seek abortions, health care workers who perform them, and others who provide assistance. Consequently, leaders of tech companies will face a unique set of challenging data, legal, and employee questions, and immediate pressure to determine and communicate how, if at all, they will respond.
Abortion is a legally and morally complex topic on which there are widely varied and strongly held views; this guidance is not premised on a political stance. Rather, we provide operational considerations for leaders of tech companies to address implications of the Dobbs decision.
Companies are taking action and reaffirming prior commitments in response. Many have offered to help with travel expenses for out-of-state medical procedures including reproductive care (see here and here). Other types of responses include:
A common factor across multiple responses was weighting access to reproductive care as a part of attracting talent and building diverse and inclusive companies; in addition, support for medical travel costs and related healthcare benefits were consistent as noted above.
Many tech companies collect data about location, search history, health, banking, payment, schedule, communications, etc., all of which could be linked to a particular user for prosecution in states where abortion is unlawful.
This data may be accessed by law enforcement or government officials for prosecution, surveillance, denial of health benefits, or collateral impacts on housing, immigration (including deportation), and other essential services. With these new implications, the lack of uniform policies around data sharing and use may raise new privacy concerns, pose new liability questions, and/or jumpstart investigations by local and/or federal agencies. While these questions arise in the context of reproductive rights, and will impact millions of people, they are similar to questions companies must consider regarding data collected about marginalized groups in countries all over the world.
The following provide a framework to consider data governance issues within companies:
--> What data do we currently collect, and how can it be tied to users?
Before companies can address questions about data management, they need to account for what kinds of data they collect and store. Companies that are compliant with GDPR or CCPA will likely have mapped user data, but if not–or if it needs to be updated–now is the time.
Early-stage companies should at a minimum know the key kinds of personally identifiable user data that you collect and where and how you store it, use it, and share it with others. Be particularly sensitive to location, schedule, health, search history, chat history, and other data that may have particular legal salience (where we refer to sensitive data throughout this document, we will generally be referring to any of this data). For example, geolocation data could provide information on individuals’ movements, search history can include related terms, and photos could suggest pregnancy status or location. After you have reviewed your data map, consider how any sensitive data might be used to investigate or prosecute your users.
--> How can we protect user privacy through our collection, retention, and notification policies?
The key things to focus on now:
For more very useful areas to consider, see this article with suggestions from EFF.
--> And make sure you’re doing the basics. Many of the most important steps you can take to protect your users are part of ordinary good privacy practice. These include:
Think it Through. Be prepared to get law enforcement or civil litigant requests for sensitive data you collect or retain, or requests to remove or block certain material. Requests may take the form of warrants, civil subpoenas or criminal subpoenas, each of which have different requirements. Some may come from vigilante litigants; this resource provides questions your team can use to map possible scenarios.
--> Have a Policy. Proactively consider your strategy and policies now, to handle potential legal process requests (see section B above for more details).
--> Have a Procedure. Also consider and document your internal procedures and practices for opposing legal process requests that are overbroad or illegitimate. In many cases, you will have the opportunity to fight to not only protect your user’s information from disclosure, but also your users’ access to accurate health information.
--> Practice It. Document who will be involved in legal process requests, and run a “tabletop exercise” or simulation to practice what you would do, including how to identify those that are illegitimate or overreaching. Know who your outside legal counsel would be.
--> Think About Other Kinds of Law Enforcement Access. If you provide a front-end service accessible on smartphones, consider security protocols that help protect user privacy if the phone is taken by police. Notable approaches include making app icons discrete, allowing users to unsend messages and screenshot blocking.
--> Monitor User-Generated Content. If your product or service supports user-generated content you will need to consider both your responsibility for the content shared on your service and what you will do if you are asked to block, censor, or remove content. Types of related information could be shared on your platform, such as:
--> Identify and Address Misinformation. Think about your product or service’s potential role and how it could be misused in the development and spread of misinformation. Questions to consider:
--> Live by Your Values. Consider what your team will do proactively and what aligns with your company’s values. Be prepared to monitor and respond to changes in the law as relevant to your business.
If you have employees in impacted states, consider how your company will support ongoing access to essential healthcare and protect their privacy. This could include explanation of existing benefits or changes to them, such as out-of-state procedures if unavailable locally or travel cost reimbursement to reach in-network providers. This should also be on the radar of companies with remote employees in the US.
If you plan to reimburse employees who need to travel to access reproductive healthcare, note that messages, HR records, and other reimbursement information could be subpoenaed. Requiring as little information as possible to access these benefits is essential to both respect your employee’s healthcare privacy, and protect them from legal prosecution. If operating in a state or states where abortion is illegal, consider giving employees the ability to download and use alternative tools such as browsers to protect privacy.
--> Be Proactive and Lead. Your employees will look to company leadership for clarity about your positions, for support and direction. In many cases, they may be divided in their views. It will be important to establish an inclusive and respectful way for employees to express themselves. As a CEO or founder, your team will appreciate clear communication of your values and support. Work to set a tone of respect, empathy and kindness. Your team will remember what you do in these historic times.
--> Be Empathetic and Listen. Keep in mind that employees most directly impacted by these decisions may feel marginalized and vulnerable. If you are thinking through changes to your benefits or services for employees, see this article about what others are doing, or this for your HR team. Also, consider how even well-meaning efforts to support employees (e.g., by reimbursing interstate travel or out-of-pocket health care costs) may have privacy implications as employees are required to disclose private health and reproductive matters to colleagues to avail themselves of benefits. Think about how you can minimize those burdens.
If you need help working through your response, please contact us. This is a developing situation and we will update this document if we learn more information that may be helpful.