The early instinct to distinguish “informational privacy” from “decisional privacy” can be found in some of the first Supreme Court cases to acknowledge the rights of individuals to make their own reproductive choices, including Griswold v. Connecticut (1965) and Roe v. Wade (1973). This distinction made sense during the 1960s and 1970s, when the concept of computers, networks and databases was rather quaint when compared with our current reality.
Today, our data is invisibly collected in ways we no longer even consciously consider. For example, our location history, including the detailed location data constantly generated by our smartphones, presents a “comprehensive record of a person’s public movements that reflects a wealth of detail about her familial, political, professional, religious, and sexual associations.” The metadata collected about our telephone conversations and text messages can be just revealing by presenting who we communicate with, when, and how often. The applications and devices we choose not only collect information about their use, but may be gathering data in ways we may be unaware of and using it in ways we may not approve of. All of this information paints a very detailed picture of our lives and the personal choices we make.
When the Dobbs court overturned Roe, states became able to criminalize abortion, and the broad system of information collection enabled by the technologies we regularly use can potentially be mined to provide evidence in related police investigations. Some states may follow the example set by Texas, which effectively put a bounty on the heads of those seeking abortion care. They may further attach civil penalties to anyone who may have aided that person, including family, friends and even the Lyft driver who dropped them off at the clinic.
And while the majority in Dobbs signaled otherwise, Justice Thomas, in his concurrence, explicitly called for the Court to reconsider all such decisional privacy cases going back to Griswold, which could endanger protections for birth control and same-sex sexual relationships and marriage. No such challenges are currently before the court, but one can see how our own technologies could further betray us should those precedents also fall.
As the boundaries between informational and decisional privacy blur, external threats to our personal decisions also escalate. Anti-abortion groups have long made it a practice to publicly identify abortion providers, often explicitly calling for their physical harm. Now imagine what such a group could do with the data made available for purchase through multiple data brokers. In fact, we do not have to imagine. And while much of the data available for purchase has been “anonymized,” it is not all that difficult to “de-anonymize” that data through basic analytic techniques.
Privacy law in the United States is a patchwork, at best, either protecting data within specific industry silos, such as certain financial or educational data, specific segments of the population, such as children, or storage and use of data by government agencies. In the recent executive order on abortion rights, President Biden directed additional federal actions to protect sensitive data relating to reproductive health care in such laws as the Health Insurance Portability and Accountability Act (HIPAA). However, HIPAA only applies to a relatively narrow group. In far too many cases, the collection, storage, mining and sale of your personal data is just not covered by existing U.S. privacy law.
Whatever our understanding of privacy was a few decades ago, we must now face today’s reality of ubiquitous data collection. It’s time to bring U.S. privacy law into the present day. Recent bills before Congress may, if passed, move us in the right direction, but comprehensive privacy law is what is truly needed.
Individuals’ dignity and civil rights are on the line.
Jeffrey L. Vagle is assistant professor of law at Georgia State University, which is a member of the Public Interest Technology University Network. He teaches privacy law, cybersecurity law, and law and ethics of technology.