Issue Brief
Commercial Data Practices for Reproductive Privacy

Protecting Your Business, Consumers & Employees from Legal Risk

December 2025
Reproductive Rights

By Jaclyn Dean, Ashley Kurzweil, Erin MacKay, Jesse Matton and Becca Stern

Introduction

In a world where people’s lives are deeply connected to smartphones and mobile devices, American consumers are becoming increasingly aware of the need for greater data privacy and less trusting of companies that collect and use their personal data. 38% of Americans are “privacy actives,” meaning “they say they care about privacy, are willing to act to protect it, and most importantly, have taken action by switching companies or providers over their data policies or data-sharing practices.”

Consumers and employees want accountability, transparency, and control over their data:

  • 94% of consumers value having control over the usage of data they provide to companies.
  • 77% of consumers said that data transparency practices impact their purchasing decisions.
  • 64% of employees said recent scandals over the misuse of data have led them to question whether their own personal data is at risk.

Americans are especially concerned about their health data. Over 92% of survey respondents believe that privacy is a right and their health data should not be available for purchase. Studies show that people do not trust social media sites, employers, and technology companies with their personal health data. In the wake of the Dobbs v. Jackson Women’s Health Organization decision overturning the federal right to abortion in Roe v. Wade, American women have significant concerns about the privacy practices of mobile health apps related to their reproductive health data, especially given the risks of data access by law enforcement and third parties.

State authorities may be able to weaponize abortion bans, “personhood” laws that grant fetuses legal rights and protections, and a range of other criminal statutes to investigate and prosecute people for their reproductive health decisions and pregnancy outcomes. Law enforcement officials can use electronic data to try to establish intent and as evidence of civil or criminal liability in legal proceedings against people for seeking or helping someone else obtain abortion care, or in cases of stillbirths and miscarriages.

It is more important than ever for companies to evaluate partnerships and practices and strengthen their own policies regarding the collection, storage, management and sharing of data, especially sensitive health data. Companies should act proactively to protect their customers’ and employees’ data given the heightened risks of health care criminalization and liabilities for companies handling sensitive data. Data minimization is key to reducing the likelihood that the data that companies collect could be used in prosecutions and civil lawsuits related to reproductive health care.

Consumer Privacy

In recent decades, consumer data has become a profitable product for companies across a variety of sectors – but the collection, retention, and sharing of that data carry legal risks for consumers and create liabilities for companies.The growth of the data broker industry, in particular, has incentivized businesses of all kinds to collect, track, sell, and leverage their customer’s personal data. Law enforcement already purchases troves of electronic information from data brokers – and post-Dobbs, law enforcement and civil litigants increasingly turn to companies to obtain data that could help prove that a person sought, aided, or provided abortion care.

From personal information such as name, address, and email to detailed specifics such as location, advertisement clicks, purchase history, and health information, companies amass digital information that can serve as the body of evidence for reproductive health prosecutions. Data like location history, hotel and rideshare records, credit card transactions, online messages, and menstrual health data from period tracking apps may be used to implicate people who seek or help others access abortion care. Meanwhile, most Americans misunderstand companies’ complex, often intentionally confusing privacy policies – and don’t realize their data is being shared and sold. As reliance on free digital tools grows, so does the prevalence of data-for-service models. Consumers may accept these terms because the product is free, but that “choice” cannot be considered informed without clear disclosures on data use.

Companies can take steps to mitigate their chances of exposure to law enforcement and civil litigants’ requests for data for reproductive health investigations and prosecutions. The following measures can help companies reduce compliance burdens surrounding data requests and stay ahead of the regulatory curve as more jurisdictions enact strong data privacy policies. It is critical for companies to consider these actions to protect consumer data:

  1. Design with Privacy in Mind: Privacy protections should be embedded into the design of apps and services. Design decisions and new processes must be grounded in a privacy-first approach that delivers both usability and strong privacy protections. Companies should set default privacy settings to the highest level, making consumers opt-in rather than opt-out of data collection and sharing. Contextual opt-in, in particular, is user-centric and prioritizes transparency and relevance. By providing clear, situation-specific consent options, businesses build trust with their users and can protect sensitive data.
  2. Minimize Data Collection and Sharing: Companies must start by undertaking due diligence to identify the consumer data they are collecting, storing, and sharing. The most effective way for companies to avoid having to handle data requests and reduce vulnerability to data breaches is to not have the data in the first place. Companies should minimize unnecessary data collection and implement purpose-based data retention. Companies should also have purpose limitations and not sell sensitive data to third parties, especially reproductive health data and location data that may show visits to reproductive health facilities. Even if data that companies sell is de-identified, risks remain as it can be re-identified when merged with other data sets. Data should only be collected, shared, and retained if directly necessary to provide business services. When data is no longer needed to provide the direct service or product requested, it should be deleted permanently. Given the threat of exposure that persists with de-identified data, providing contextual opt-in versus blanket consent – paired with consumer-centered data retention and deletion protocols – will minimize unnecessary data, and thus risk for consumers and businesses.
  3. Increase Transparency and User Control: Individuals should know what data is being collected, stored, and shared, as well as how long that data is stored and with whom it is shared. Consumers should also have the right to access and delete their sensitive data, especially their health data. Companies should notify consumers, when possible and in a timely manner, that their data has been sought and disclosed to law enforcement or a civil litigant.
  4. Enable Message Encryption and Deletion: Companies should deploy end-to-end encryption on private messaging services. Only consumers and their intended message recipients should be able to access message data. Consumers should have control over how long their message data is retained and when it is deleted.
  5. Build a Legal Response Plan which includes Education and Training for Front-Line Employees: Front-line, customer-facing employees (e.g., pharmacy staff, bank tellers) must be trained on how to handle legal requests to access consumer data. Employees should have regular trainings on proper data handling, confidentiality, compliance, and data rights to mitigate unnecessary disclosures and protect consumer data privacy.

Case Studies

Communication Data

A woman in an abortion-restrictive state communicates with her friend over a non-encrypted messaging platform about her interest in having a medication abortion. A month later, she experiences a pregnancy loss. The circumstances of her miscarriage are investigated. State authorities subpoena the messages from the communications company to build a case against her and her friend.

Note: This case is very similar to a real case that happened in Nebraska.

Financial Data

A resident of an abortion-restrictive state uses their credit card to order abortion pills online from a pharmacy that only sells medication abortion. Law enforcement requests information about the individual’s credit card transactions from their financial institution to investigate the circumstances of the pregnancy termination.

Health Data

A person uses a period tracker app to track their menstrual cycle. They get pregnant and continue to input their data into the app. The person is later investigated for self-managing their abortion. Law enforcement subpoenas the cloud data from the period tracker company.

Hotel Data

A woman (Woman A) in Texas (a state that bans abortion) travels eight hours to Kansas (a state with some reproductive health care protections) with her friend (Woman B) to get an abortion. After her initial appointment, a mandatory 24-hour waiting period requires them to stay overnight in a hotel. Woman B drove her to Kansas and made the hotel reservation. Woman A’s boyfriend, angry about her decision, seeks to sue Woman B for “aiding and abetting” her abortion. He calls the hotel to get information to confirm his girlfriend’s stay and build his case.

HR data

An employee in an abortion-restrictive state is pregnant and needs to request additional breaks during her shift, a reasonable accommodation supported by the Pregnant Workers Fairness Act (PWFA). The woman experiences a stillbirth at home and the circumstances of the pregnancy loss are investigated. Law enforcement subpoenas her HR records, which include her PWFA reasonable accommodations paperwork, to target her for “improper disposal” of fetal remains.

Employee Privacy

The rise of supportive workplace policies – from comprehensive health plans and abortion travel policies to workplace wellness programs and mental health initiatives – underscores that when employers invest in employee well-being, they also assume a responsibility to ensure that employee information is properly managed, stored, and protected. Although personal health information has been historically protected in regard to employer-sponsored plans, increased attacks on reproductive health care may create gaps and vulnerabilities in privacy protections.

Currently, employers can choose to collect data from employees about their health care decisions to administer employer-sponsored health plans. Health data moves through employer systems in various ways depending on the company and insurance plans. Protecting employee data privacy, especially when some data (including abortion data) is highly politicized, is critical but not guaranteed in the current health-hostile environment.

Legal, policy, and insurance experts have explored the data privacy risks that may arise when companies provide health coverage or assistance to receive reproductive health care. If a company employee submits a claim for reproductive health care, who processes the claims? Do company employees have access to the claim or reimbursement information? How does this access change depending on if a company is self-insured or uses a fully-insured health plan? Conditions of access to employees’ health data by the employer and/or other company employees are complicated and often unclear to the employees. Given the risks of reproductive health criminalization, employers should assess and limit how and by whom employees’ data could be accessed.

Robust workplace data privacy protections are essential to employee safety, particularly as privacy laws come under scrutiny and uncertainty grows over who controls health data, how it is used, and where it is stored.

Several federal laws restrict disclosure of various types of data – like certain health information in the Health Insurance Portability and Accountability Act (HIPAA), financial information in the Gramm-Leach-Bliley Act, and telecommunications information in the Stored Communications Act.

HIPAA protects individually identifiable health information generated and transmitted by covered entities and their business associates. HIPAA covered entities include health care providers, health plans (including employer-sponsored group health plans), and health care clearinghouses. To be clear, HIPAA does not cover all health information or all entities and businesses that handle health-related information. For example, most health and fitness apps, period tracking apps, wearable devices, and search query history are not covered under HIPAA, even when they contain or collect sensitive health information. These gaps leave consumers vulnerable to the misuse of their personal health information amid the broader landscape of reproductive health criminalization.

In response to the threats to health care privacy and criminalization risks after the overturning of Roe v. Wade, in 2024 the Department of Health and Human Services (HHS) rolled out the HIPAA Privacy Rule to Support Reproductive Health Care Privacy nationwide. This regulation prohibited the use or disclosure of HIPAA protected health information for the purpose of investigating or criminalizing anyone for lawful reproductive health care. However, in June 2025, a district court judge in Texas struck down the privacy rule nationwide.

Without the 2024 regulation in place, covered entities must adhere to the original 2000 HIPAA Privacy Rule, which permits, but does not require, disclosures of protected health information to law enforcement. As a result, HIPAA covered entities will face even greater confusion and pressure surrounding their disclosure obligations to law enforcement. Moreover, HIPAA enforcement also relies on a single office within HHS, which has been impacted by large HHS workforce cuts.

Employers should consider the following measures to protect employee data:

  1. Limit Data Collection, Retention, and Sharing: HR personnel and health plans should only collect, store, and share the “minimum necessary” protected health information and personal data to perform their administrative functions, in accordance with HIPAA rules. Employers should also avoid collecting and retaining sensitive medical information and permanently delete it after the health insurance or other services are no longer needed. This may be pertinent when an employee asks for a workplace accommodation for health reasons, for example.
  2. Prioritize Transparency for Employee Data Privacy: Employers should establish a set of ethical principles to follow for using employee data and share it with employees. Important foundational rights in an “employee data bill of rights” may include employers’ commitment to data minimization and purpose-based retention and sharing as well as employees’ license to access, control, and delete their data.
  3. Know Your Rights and Design a Legal Risk Plan with HR-Focused Training: Companies should educate employees, especially human resource employees, on data privacy and breach prevention. Trainings must also prepare employees to handle law enforcement requests to access employee data to mitigate unnecessary disclosures. Regular training on proper data handling, confidentiality, compliance, and data rights is critical for employees to effectively respond to privacy threats. Legal and compliance teams should also follow the legal status of cases affecting privacy law, such as the attacks on HIPAA privacy protections.
  4. Utilize Trusted Third-Party Services: Companies should use third-party services to avoid handling sensitive employee data. For example, employers may use a third-party service to provide a travel benefit to employees traveling to receive medical care. It’s important to choose vendors that prioritize security and privacy, and ensure contracts clearly outline expectations, compliance requirements, and risk mitigation strategies.

Making the Case for Employer Action

Trust has a high price, for both employees and consumers.

Overall, consumer trust is at one of its lowest points in the last decade, with Gen Z being much less likely to trust organizations and companies than Baby Boomers. Consumer trust is easy to lose, especially with news coverage of data breaches and disclosures surrounding popular issues like abortion, and very hard to win back.

Beyond declining consumer trust, the rise in investigations and prosecutions of reproductive health care based on digital surveillance and data access underscores the need for proactive data privacy measures from businesses. Companies can foster trust via proactive measures to protect consumer and employee privacy. These steps will also prevent against unknowingly sharing sensitive data that could be used in the tracking and prosecution of sensitive health care, including abortion, of their consumers and employees by third parties.

Public Policy Landscape

At the national level, legislators must enact policies that set strong health privacy standards nationwide and reflect changing technological and health care landscapes. Regulators must maintain strong enforcement and oversight of federal consumer protection laws and HIPAA privacy protections.

Companies can help better protect their employees’ and customers’ privacy by ensuring consumers’ personal data is not collected or shared except as necessary to provide a good or service and supporting data minimization legislation. Companies can also support the Fourth Amendment Is Not for Sale Act, which would prevent law enforcement from bypassing court approval needed to obtain sensitive data and instead buying it from data brokers, and the My Body My Data Act, which would protect the privacy of personal reproductive or sexual health information.

At the state level, public policies protect health data and also set the standard for shaping future state and national action. California’s Consumer Privacy Act (CCPA), for instance, gives consumers more control over the personal information businesses collect and has already generated more than 360 cases, with the health care sector the most affected. Given California’s outsized role in the tech industry, these cases are setting precedents, driving trends, and capturing national attention.

This momentum – and the resulting patchwork of state laws – is expected to continue. To date, more than 20 states have enacted comprehensive consumer data privacy laws, with additional proposals under consideration. However, the variance in state laws complicates federal efforts to pass a nationwide, comprehensive privacy law that doesn’t impede progress at the state level.

A lack of foresight and action on data privacy poses business and public opinion risks for companies. As states race ahead on data privacy, businesses have a unique opportunity to lead. By working with advocates and lawmakers now, companies can help shape consistent policies that protect both employers and consumers – building trust, reducing compliance burdens, and setting the standard for the future.

Whether it’s in the headlines or your bottom line, it’s in companies’ long-term interest to protect consumer and employee data. Consumers are increasingly aware of and seeking out protections for their data privacy, prompting the growing demand for companies to prioritize privacy protection. Adding data protection and privacy to a company’s value proposition can create a business advantage through increased consumer engagement and trust.

Resource Hub:

Back to Social Impact

National Partnership for Women and Families 55th anniversary logo