Trump Win Prompts States to Protect Reproductive Data Privacy

Some say getting bipartisan support for such bills won't be easy. However, Texas Rep. Mihaela Plesa, a Democrat who introduced a reproductive health privacy bill in an abortion-restrictive state, told us she doesn’t think it’s unrealistic to find Republican support. “Texans pride themselves on their freedom” and “their need and want for privacy."

Electronic Frontier Foundation staff attorney Lisa Femia said it's "pretty impossible to get reproductive health care without leaving some sort of digital or data trail,” including a history of visited locations. Even if one’s location data is de-identified, it can be combined with other personally identifiable information from apps to figure out who someone is, said Femia, who urged legislative action in a Dec. 4 EFF blog post. With many states restricting abortions and eyeing abortion information from other states, “what was often benign data before is now potential criminal evidence.”

Dobbs v. Jackson, the Supreme Court’s 2022 decision overturning Roe v. Wade -- along with subsequent abortion restrictions in various states -- has produced a “steady drift” of legislative efforts aimed at protecting reproductive health data, said Felicity Slater, a Hintze Law privacy attorney who co-wrote a Jan. 30 IAPP article on the issue. Dobbs “really prompted a groundswell of attention around this issue.”

Trump’s win in the 2024 election added momentum, Slater added, noting New York’s quick passage of a similar health privacy measure last month (see 2501280023). The bill had appeared in previous sessions without success, but after Trump won, New York lawmakers slotted it into a group of priority legislation for 2025, she said.

New York state legislators timed passage of the health privacy bill with the anniversary of Roe. Last week, the Virginia legislature passed SB-754, which would update the Virginia Consumer Protection Act to prohibit obtaining, disclosing, selling or disseminating personally identifiable reproductive or sexual health information without a consumer’s consent. Both bills still need gubernatorial approval.

Other states with pending reproductive health privacy bills include California, Hawaii, New Mexico, Texas and Vermont. Also, North Carolina Gov. Josh Stein (D) last month ordered state agencies to protect women’s medical privacy (see 2501170059).

Some states crafted bills that are narrowly focused on reproductive health data, including one in Michigan that stalled late last year. Beyond health-specific bills, Connecticut’s broader privacy law includes reproductive health data as a type of sensitive data, a category subject to higher protections, and Delaware’s privacy law includes pregnancy as sensitive data.

States’ current approach to privacy laws may not go far enough, said Evîn Cheikosman, science and technology policy fellow at the Aspen Institute. “The legal framework and the laws that are being put together to protect” what’s under attack aren't “necessarily taking into consideration the surveillance apparatus that President Trump's administration is going to continue to take advantage of when it comes to reproductive rights,” Cheikosman said.

For example, while California may have a strong privacy law, the state also makes significant use of surveillance tools like geofence and keyword reverse warrants, said Cheikosman, who wrote a Jan. 15 op-ed on the topic for Tech Policy Press. Additionally, she's concerned the federal government could try pressuring states to hand over abortion data by threatening to take away government support like Medicaid.

Texas Bill

Plesa said her legislation (HB-2831) responds to a post-Trump-win “uptick” in Texas women searching online for whether they should delete period-tracking apps. Such apps collect data about menstrual cycles, sex life and medication, among other sensitive information, she noted. In addition, Plesa said Texas Attorney General Ken Paxton (R) has aggressively enforced the state’s abortion restrictions.

The bill is modeled after Michigan’s legislation, Plesa said, focusing narrowly on reproductive health data, as opposed to health data broadly, because she thought it was important to be “very specific and very intentional.”

Vice chair of the Texas House Democratic Caucus, Plesa thinks it’s “very realistic” to pass a reproductive health privacy bill in red Texas. Not only do Texans support privacy, but period-tracking apps aren’t just for pregnancy, said the legislator: They’re also critical for women undergoing thyroid procedures or diagnosed with cervical or ovarian cancer.

Plesa has had “great conversations” with House Public Health Committee members and plans talking with members of the bipartisan IT caucus. She confirmed she’s talked to Republicans, too. “Your Freedom Caucus people -- the people who believe in freedom to privacy … haven't had anything bad to say on it.”

Legislative process could be the greater hurdle, Plesa said. The Texas House recently reduced its committees from 40 to 30, which greatly expanded the Public Health Committee, she said: As a result, that panel will likely get “bogged down with hundreds” of bills. Her concern now isn’t whether her colleagues will want to pass the bill, but rather if it will get a hearing, she said.

Varying Approaches

While reproductive health privacy measures vary, they largely have fallen into two buckets, Slater said: shield laws and consumer health privacy bills. More than 20 states have broad shield laws that include privacy protections prohibiting data about reproductive procedures obtained lawfully in one state from being turned over to law enforcement in a state where the same procedures are illegal, she said, citing a University of California-Los Angeles Law report from September 2024.

Washington state’s 2023 My Health My Data Act was the first consumer health privacy law covering reproductive health data, Slater noted. “That law was really motivated by similar concerns as those shield laws” but focused more on what’s revealed by consumers’ app activity and browsing and shopping habits, she said. While there had already been interest in making such policies, the Dobbs decision “really helped get some of these laws over the finish line.”

However, Cheikosman said more transparency and checks on surveillance technology are needed because shield laws don’t necessarily “take into consideration that there are other ways in which these folks coming from out of state can still be criminalized for the abortion, even though in privacy legislation, they are protected.” While California may prohibit a medical provider in the state from sharing information about abortion procedures with a different state that criminalized abortion, the restrictive state still “can access that information through a fusion center,” which is a state-operated center for sharing threat-related information among state, federal, local and tribal law enforcement, or through reverse warrants, she said.

Washington’s health privacy law was a “great start,” but it has “so many loopholes,” said Cheikosman. One strength is its broad definition of health data, including telehealth and period-tracking apps, she said. But small businesses not accustomed to handling sensitive data may struggle to implement its required actions, she said. The law’s effectiveness in cracking down on data brokers will depend on how well it’s enforced, she added. “Companies might still find workarounds.”

EFF supports New York’s health bill and has “seen a lot of really good provisions” in various measures, Femia said. Banning the sale or sharing of health data “out of state is obviously super key,” as is data minimization, opt-in consent and a consumer right to quick data deletion, she said. Comprehensive privacy laws that treat locations as sensitive data may actually be more effective than more targeted measures, she added. “You don’t need to make it reproductive health-specific.”

Michigan’s failed 2024 reproductive health bill limited the scope of its location privacy protections to sensitive areas like health clinics or family planning centers, Femia noted. “In an ideal world, we would see broader protection than that, because otherwise you just have a sensitive location bubble over specific reproductive health clinics. Just having your location disappear when you go into that bubble doesn't really leave that much to the imagination.”

For businesses seeking to comply, a comprehensive privacy law that covers reproductive health data may be more “natural” to integrate into a preexisting privacy program, Slater said. “You can address that within your existing privacy policy.” Stand-alone health bills “are more challenging because they require the entity to make a new assessment about what data falls within the scope of that law and … implement a new set of internal processes and procedures for compliance.”

Cheikosman sees a possible role for the California Privacy Protection Agency, which “has taken steps to enforce the state's privacy laws, but I think that this concept could be expanded to explicitly focus on reproductive health data.” The Aspen fellow envisions “a dedicated state agency that proactively monitors and detects and counters federal surveillance overreach on health care data.”

Protecting health data privacy is “ever more urgent” under the Trump administration, which has been “pretty hostile to reproductive rights,” Femia said. “I hope that the urgency of the situation inspires [state] legislators to take quick action.” That’s more likely in Democratic-controlled states, she acknowledged. “But you never know, because every time we’ve seen reproductive rights come up on a ballot in red and blue states, it is popular.”