RIL Guidance Memo: Responding to Reproductive Rights and Healthcare Changes in the US
What companies need to consider.
Last Updated: June 29, 2022
Tech companies operating in the US should consider the impact of last week’s Dobbs decision overturning Roe v. Wade. Five key questions companies should prepare to address:
1. [Data Governance] What user data do we collect and retain? Should we change our practices?
2. [Legal Requests] How will we respond to law enforcement requests, civil subpoenas and similar requests for user data?
3. [Platform Governance] How will we respond to misinformation, and to requests to take down information on reproductive rights?
4. [Employees] How will we support employees in states with changes?
5. [Employees] How will we lead and manage employee dialogue?
Takeaway: While the actions suggested cannot determine whether your users and employees are impacted, they can help determine how they are impacted. Proactive consideration can help ensure your response is intentional and aligned with your values.
The US Supreme Court Dobbs decision overturning Roe v. Wade has an immediate impact across the country. In at least 13 states, abortions have become immediately unlawful. And at least 20 states drafted at least partial bans on abortion in anticipation of the Dobbs decision. Bans will vary, but may carry criminal penalties for people who seek abortions, health care workers who perform them, and others who provide assistance. Consequently, leaders of tech companies will face a unique set of challenging data, legal, and employee questions, and immediate pressure to determine and communicate how, if at all, they will respond.
Abortion is a legally and morally complex topic on which there are widely varied and strongly held views; this guidance is not premised on a political stance. Rather, we provide operational considerations for leaders of tech companies to address implications of the Dobbs decision.
What others are doing:
Companies are taking action and reaffirming prior commitments in response. Many have offered to help with travel expenses for out-of-state medical procedures including reproductive care (see here and here). Other types of responses include:
Airbnb: Financial support for Airbnb hosts who face legal charges
Clue: Vowed to not hand over users’ personal data to law enforcement
Duolingo: Indicated it would grow elsewhere if its HQ state bans abortion
Google: Permits employees to apply for relocation without justification
Salesforce: Offered relocation help to employees impacted by state law bans
Stardust: End-to-end encryption of user data in case requested by law enforcement
Twilio: Stated its belief on human rights and steps in support of employees
Yelp: Wrote on women’s rights to choose and gender equality at work
A common factor across multiple responses was weighting access to reproductive care as a part of attracting talent and building diverse and inclusive companies; in addition, support for medical travel costs and related healthcare benefits was consistent, as noted above.
Questions to Consider:
1. What data do we collect and retain about our users, and should we change our data practices?
Many tech companies collect data about location, search history, health, banking, payment, schedule, communications, etc., all of which could be linked to a particular user for prosecution in states where abortion is unlawful.
This data may be accessed by law enforcement or government officials for prosecution, surveillance, denial of health benefits, or collateral impacts on housing, immigration (including deportation), and other essential services. With these new implications, the lack of uniform policies around data sharing and use may raise new privacy concerns, pose new liability questions, and/or jumpstart investigations by local and/or federal agencies. While these questions arise in the context of reproductive rights, and will impact millions of people, they are similar to questions companies must consider regarding data collected about marginalized groups in countries all over the world.
The following provide a framework to consider data governance issues within companies:
A. What data do we currently collect, and how can it be tied to users?
Before companies can address questions about data management, they need to account for what kinds of data they collect and store. Companies that are compliant with GDPR or CCPA will likely have mapped user data, but if not–or if it needs to be updated–now is the time.
Early-stage companies should at a minimum know the key kinds of personally identifiable user data that you collect and where and how you store it, use it, and share it with others. Be particularly sensitive to location, schedule, health, search history, chat history, and other data that may have particular legal salience (where we refer to sensitive data throughout this document, we will generally be referring to any of this data). For example, geolocation data could provide information on individuals’ movements, search history can include related terms, and photos could suggest pregnancy status or location. After you have reviewed your data map, consider how any sensitive data might be used to investigate or prosecute your users.
B. How can we protect user privacy through our collection, retention, and notification policies?
The key things to focus on now:
Collection: Perhaps most importantly, consider not collecting sensitive data, unless it is essential to deliver a service that is well understood by your user. Minimization of data collection will reduce operating costs and is the single most important step that can be taken to avoid your service being used as a source of information for prosecutions.
Deletion: Proactively search for, and if possible remove or anonymize, any sensitive data from your systems that could be used to derive information about reproductive cycles, orders of day-after contraception, or related searches.
Transfer and Sale: Some companies transfer or sell user data for various purposes, including for ad targeting. Make sure you understand whether and how your company might be doing this, and how the recipients safeguard data, further transfer it, or use it. If you don’t have certainty that users are protected, consider suspending data transfers or sales.
Using AI. Consider turning off AI customizations or suggestion engines that may–intentionally or unintentionally–identify pregnancy status.
For more useful areas to consider, see this article with suggestions from EFF.
And make sure you’re doing the basics. Many of the most important steps you can take to protect your users are part of ordinary good privacy practice. These include:
Clear Policies: Clearly and simply tell your users what data you collect about them, how long you retain it (and for what purposes) and how they can have it deleted. Tell them under what conditions you will disclose it to law enforcement, private litigants or other third parties and how your process for doing that will work. Also consider notifying your customers that you have collected sensitive data and allowing them to view it in an easily understandable form and allowing them to expunge it from your systems. If for legitimate reasons data cannot be deleted, explain what data you keep and why you retain it.
Transparency. Develop a practice of publicly reporting what kinds of data you disclose to law enforcement or private litigants, how frequently, and in which jurisdictions. EFF’s periodic Who Has Your Back report catalogs what a number of major service providers do and is useful context if you are getting started.
Encrypting Data in Transit. Make sure that the data being transmitted by your website or application is encrypted so that intermediaries can’t read it.
Storage and Anonymization: If you must keep user data that could be useful to prosecute your users, encrypt it at rest and consider implementing steps that could help protect user privacy and make it less useful to litigants or law enforcement, such as one-way hashing, anonymization or pseudonymization.
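As an illustration of the storage and anonymization step above (an added example, not part of the original memo), the sketch below drops free-text fields, coarsens location, and replaces an identifier with a keyed pseudonym, then shows why an unkeyed one-way hash of a small identifier space does not anonymize. The record fields, the key handling, and the one-decimal location precision are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample record; field names are assumptions for illustration.
SAMPLE = {"phone": "+15555550123", "lat": 38.627003, "lon": -90.199402,
          "search": "clinic near me", "plan": "premium"}

DROP = {"search"}                      # free-text fields removed outright
REPLACED = {"phone", "lat", "lon"}     # fields rewritten before storage


def plain_hash(identifier: str) -> str:
    """Unkeyed one-way hash: reproducible by anyone who can guess the input."""
    return hashlib.sha256(identifier.encode()).hexdigest()


def pseudonym(identifier: str, key: bytes) -> str:
    """Keyed pseudonym (HMAC-SHA256): cannot be recomputed without the key."""
    return hmac.new(key, identifier.encode(), hashlib.sha256).hexdigest()


def minimize(record: dict, key: bytes) -> dict:
    """Return a copy of the record suitable for longer-term storage."""
    out = {k: v for k, v in record.items() if k not in DROP | REPLACED}
    out["user"] = pseudonym(record["phone"], key)
    # One decimal place is about 11 km of latitude: city-level, not address-level.
    out["lat"] = round(record["lat"], 1)
    out["lon"] = round(record["lon"], 1)
    return out


def recover_by_enumeration(digest: str, prefix: str, digits: int):
    """Check whether a stored digest can be re-linked by hashing every
    identifier in a small space, with no key required."""
    for n in range(10 ** digits):
        candidate = f"{prefix}{n:0{digits}d}"
        if plain_hash(candidate) == digest:
            return candidate
    return None


if __name__ == "__main__":
    # Assumption: the key lives in a KMS/HSM, stored separately from the data.
    key = secrets.token_bytes(32)
    stored = minimize(SAMPLE, key)
    print(stored)
    print("unkeyed hash re-linked to:",
          recover_by_enumeration(plain_hash(SAMPLE["phone"]), "+1555555", 4))
    print("keyed pseudonym re-linked to:",
          recover_by_enumeration(stored["user"], "+1555555", 4))
```

While the key exists, whoever holds it can re-link records, so the key is itself reachable by legal process; rotating and destroying it is what makes older pseudonyms unlinkable.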
2. How will we respond to law enforcement requests, civil subpoenas or similar requests for user data?
Think it Through. Be prepared to get law enforcement or civil litigant requests for sensitive data you collect or retain, or requests to remove or block certain material. Requests may take the form of warrants, civil subpoenas or criminal subpoenas, each of which has different requirements. Some may come from vigilante litigants; this resource provides questions your team can use to map possible scenarios.
Have a Policy. Proactively consider your strategy and policies now, to handle potential legal process requests (see section B above for more details).
Have a Procedure. Also consider and document your internal procedures and practices for opposing legal process requests that are overbroad or illegitimate. In many cases, you will have the opportunity to fight to protect not only your users’ information from disclosure, but also your users’ access to accurate health information.
Practice It. Document who will be involved in legal process requests, and run a “tabletop exercise” or simulation to practice what you would do, including how to identify those that are illegitimate or overreaching. Know who your outside legal counsel would be.
Think About Other Kinds of Law Enforcement Access. If you provide a front-end service accessible on smartphones, consider security protocols that help protect user privacy if the phone is taken by police. Notable approaches include making app icons discreet, allowing users to unsend messages, and blocking screenshots.
3. How to respond to misinformation, and to requests to take down information on reproductive rights?
Monitor User-Generated Content. If your product or service supports user-generated content, you will need to consider both your responsibility for the content shared on your service and what you will do if you are asked to block, censor, or remove content. Types of related content that could be shared on your platform include:
Content related to reproductive care and the decision to have an abortion (pro or anti), including non-professional medical advice or warnings about abortion risks and Do-it-Yourself content related to abortion
Advertisements related to reproductive care (verifiable care or misleading)
Hate speech toward groups in this context (e.g., pro or anti, religious, etc.)
Identify and Address Misinformation. Think about your product or service’s potential role and how it could be misused in the development and spread of misinformation. Questions to consider:
Should we discontinue selling ads to organizations with the intent to mislead or divert users from information related to reproductive care?
Should we tag content related to reproductive healthcare to give a sense of the source and medical validity of the content?
Do we have resources to assemble a medical or health advisory/review board to help provide guidance on our policies and moderation (similar to what companies did for COVID-19 related information)?
How can we protect access to the UN’s universal right to health including sexual and reproductive health information?
Live by Your Values. Consider what your team will do proactively and what aligns with your company’s values. Be prepared to monitor and respond to changes in the law as relevant to your business.
4. How will we support our employees in states with reproductive rights changes?
If you have employees in impacted states, consider how your company will support ongoing access to essential healthcare and protect their privacy. This could include explanation of existing benefits or changes to them, such as out-of-state procedures if unavailable locally or travel cost reimbursement to reach in-network providers. This should also be on the radar of companies with remote employees in the US.
If you plan to reimburse employees who need to travel to access reproductive healthcare, note that messages, HR records, and other reimbursement information could be subpoenaed. Requiring as little information as possible to access these benefits is essential both to respect your employees’ healthcare privacy and to protect them from legal prosecution. If operating in a state or states where abortion is illegal, consider giving employees the ability to download and use alternative tools such as browsers to protect privacy.
5. How will we lead and manage employee dialogue?
Be Proactive and Lead. Your employees will look to company leadership for clarity about your positions, for support and direction. In many cases, they may be divided in their views. It will be important to establish an inclusive and respectful way for employees to express themselves. As a CEO or founder, your team will appreciate clear communication of your values and support. Work to set a tone of respect, empathy and kindness. Your team will remember what you do in these historic times.
Be Empathetic and Listen. Keep in mind that employees most directly impacted by these decisions may feel marginalized and vulnerable. If you are thinking through changes to your benefits or services for employees, see this article about what others are doing, or this for your HR team. Also, consider how even well-meaning efforts to support employees (e.g., by reimbursing interstate travel or out-of-pocket health care costs) may have privacy implications as employees are required to disclose private health and reproductive matters to colleagues to avail themselves of benefits. Think about how you can minimize those burdens.
If you need help working through your response, please contact us. This is a developing situation and we will update this document if we learn more information that may be helpful.