We extend a special thanks to our external reviewer Sara Geoghegan from the Counsel Electronic Privacy Information Center (EPIC) reviewer for their feedback.
EXECUTIVE SUMMARY
A year and half post-Roe, ad tech companies continue to surveil abortion seekers on abortion scheduling and abortion advocacy websites.
While ad tech companies make it incredibly difficult to avoid tracking, medical providers and advocacy organizations should take steps to minimize tracking on abortion scheduling and patient-facing informational pages.
Abortion seekers should not let these concerns stop them from seeking care, and the risk to any one individual is likely low at this stage, but the long-term implications are dire.
I. PR Instead of Privacy
Soon after the U.S. Supreme Court eliminated constitutional abortion rights in 2022’s Dobbs decision, Google’s parent company Alphabet proclaimed that it would protect abortion seekers by deleting abortion clinic location data rather than letting it fall into the hands of police.[1] “Privacy matters to people—especially around topics such as their health,” Google declared.[2] But nearly two years later, the company’s actions raise questions about how much our health privacy matters to Google.[3]
Despite aggressive public relations efforts, Google, Meta (owner of Facebook, Instagram, and WhatsApp), and fellow ad tech companies have continued to track traffic to abortion websites, collecting data that could be easily weaponized by police against abortion seekers and providers. The companies even track abortion appointments booked online. On Planned Parenthood’s website, abortion seekers are asked: where are you, how long have you been pregnant, and what medical service are you seeking?[4] Questions like these may be routine in most medical intake forms, but when captured by ad tech platforms, they provide police a digital dragnet for identifying thousands of abortion seekers.
Tech companies routinely snap up data from abortion scheduling webpages on an enormous scale and without patients’ consent to monetize our health data. A full year and a half after Dobbs, this problem persists, with ad tech firms still lurking on abortion advocacy sites and scheduling pages, quietly collecting user data and putting abortion seekers at risk.
II. Trackers, Trackers Everywhere
Shortly after Dobbs, many abortion advocates were shocked to find out that Planned Parenthood, the nation’s largest, most trusted provider of abortion care, had embedded commercial trackers that could identify visitors to its website.[5] But rather than this being an effort to “tell” Google and Facebook about abortion seekers, as some framed the issue, it spoke to the breadth of commercial surveillance built into modern internet platforms.[6] Regardless of the cause, the importance of the tracking is hard to overstate. Prosecutors in abortion-banning states could subpoena ad tech companies for abortion-related data to confirm that individuals sought abortions and to identify yet-unknown abortion seekers. Easier yet, they could buy that data from brokers known for selling compromising lists identifying pregnant people.[7] Overnight, Planned Parenthood moved to boot ad tech companies from its appointment scheduling pages.[8] But sadly, eluding surveillance capitalism isn’t that easy.
While Planned Parenthood was able to remove a large number of commercial trackers for a time, a follow up review in January 2024 found that they and many other leading abortion providers were leaking visitor data. In fact, S.T.O.P.’s survey of nine major abortion advocacy organizations’ websites reveals trackers on every group’s website (see Table 1 below). This includes both ad trackers, which send data on a website’s visitors to advertisers, and third-party cookies, which build personal profiles on a website’s visitors as they continuing to browse the internet.
Table 1. Ad Tech on Abortion Advocacy Websites
Analysis conducted in January 2024 using The MarkUp’s Blacklight tool: https://themarkup.org/blacklight
Google collects data on nine out of nine organizations’ websites, and even on two organizations’ abortion-finding pages.[9] Facebook Pixel, which serves targeted ads on people’s Facebook pages, comes in second, with five of nine websites. Everyone from household names like X (formerly Twitter) and Microsoft to more obscure ad-tech players pile onto the “all you can track” cookie buffet. Planned Parenthood’s website interacts with the most ad tech companies, likely reflecting the scale of its healthcare operations (providing more than 374,000 abortions and 9 million individual health services in 2022) and its national advocacy work (which may involve outreach to website visitors).[10]
Alarmingly, trackers appear on the most sensitive website pages: sites’ abortion finders and patient-focused abortion resources. Google Analytics’ ad tracker appears on Planned Parenthood’s abortion finder, where prospective patients reveal their zip codes, pregnancy dates, and desire to book an abortion.[11] Such details likely have little value to the vast majority of advertisers, but they are priceless to abortion seekers. Notably, other organizations we evaluated avoid this issue by hosting abortion finders on separate domains without trackers. Facebook Pixel and Google Analytics also lurk on less sensitive but potentially incriminating pages such as Planned Parenthood’s “Abortion: Information About Your Options” and the National Women’s Health Network’s detailed abortion resources page. [12] Police and prosecutors can use visitor data for these webpages to make a circumstantial case that someone sought or obtained an abortion.
III. Ad Tech on Anti-Abortion Websites
Notably, some of the first groups in line to buy data identifying abortion seekers are anti-abortion organizations. Far too frequently, abortion seekers searching for help find promoted content for “crisis pregnancy centers” instead: facilities that can provide propaganda and pressure, but no medical services.[13] Historically, crisis pregnancy centers targeted abortion seekers with deceptive ads in college newspaper ads and on roadside billboards.[14] Today’s bait-and-switch happens online and is much more profitable. Google made over $10 million in two years by showing ads for crisis pregnancy centers to people searching online for abortion pills and abortion resources.[15] These centers also embed ad tech on their own websites, with 300 such clinics using Facebook’s Pixel.[16] As of January 2024, we found Google on every single crisis pregnancy center website that we checked (see Additional Ad Tech column in Table 2 below).
Table 2. Ad Tech on Crisis Pregnancy Center Websites
Analysis conducted in January 2024 using The MarkUp’s Blacklight tool: https://themarkup.org/blacklight
Google’s ad trackers and analytics and other companies’ creepy cookies aren’t just invasive—they are the most powerful marketing technologies on the internet. These trackers are built into many of the tools that make digital organizing possible, enabling the mass movements that can drive millions to take action.[17] For those both providing abortion services and fighting abortion restrictions, this creates a catch-22. The exact same technology that helps power protests and push through abortion protections is also collecting data that can be used to put your patients in jail. And even for medical providers who don’t engage in activism, these platforms help engage with prospective and current patients digitally, turning an unwieldy mess of web traffic data into useable insights.[18]
Unfortunately, the digital deck is stacked against reproductive rights groups. Abortion advocates always have to operate under the threat police will target them or their clients, whereas crisis pregnancy centers work hand in hand with police, expanding the criminalization of evidence-based medicine. Because crisis pregnancy centers have less to lose than abortion advocates and providers if their data is leaked, purchased, or even seized with a warrant, they operate online with a structural advantage, able to leverage invasive marketing tools without the fear of harming those they seek to talk out of getting care.
IV. $250 per Health Care Record
Notably, ad tech’s appetite for our health data goes far beyond abortion. Google tracks over 98% of U.S. hospitals’ homepages, while Facebook monitors 55%.[19] Facebook even collects appointment scheduling data from an estimated third of hospital websites.[20] Even worse, when these trackers are found to violate federal or state privacy protections, it is health providers (not tech companies) who have been left holding the bag. In 2022, two Massachusetts hospitals settled with patients for $18.4 million after Google, Facebook and other ad tech companies scooped up private patient data.[21]
If Google and Facebook had to buy health records on the open market, their cost would be prohibitive. An identified individual’s healthcare record cost $250, on average, in 2021—50 times the cost of an identified individual’s credit card data (~$5) and 500 times the cost of an identified person’s social security number (~50 cents).[22] Free, tracker-sourced data is an essential component of these companies’ business models.
V. Harm/Surveillance Reduction Strategies
Mass digital communications almost always involve privacy and usability tradeoffs. Unfortunately, many of the most usable, scalable platforms are also inextricably intertwined with tracking technologies that leak users’ data to third parties.[23] Simply abandoning these platforms is completely unworkable for most smaller organizations, and even the largest advocacy groups would struggle to completely cut out these technologies. The same exact tools that are a threat to abortion seekers are invaluable to advocates organizing political campaigns and public communications strategies. Without these systems, many would be left completely cut off from any understanding of how their messaging resonates with the public.
As a starting point, organizations can audit their websites, minimizing the number of trackers throughout. This process should be repeated frequently throughout the year to look for new plugins and features that might inadvertently leak users’ information. Advocacy groups that provide abortion services should go a step further, specifically protecting information on the portions of their websites that are used for obtaining abortion access or which otherwise demonstrate the intent to obtain an abortion.
The National Network of Abortion Funds and Power to Decide both accomplish this by completely siloing abortion-finding resources on a second, tracker-free website. Both organizations use the types of trackers that are common for all political advocacy organizations on their main websites but redirect users to a second tracker-free domain for help finding and paying for an abortion. Other organizations stop short of creating an entirely separate domain for abortion access but limit the number of trackers on pages dedicated to abortion scheduling and access.
VI. Health Privacy Laws
American privacy laws are notoriously lax, but a growing array of new privacy laws, regulations, and administrative interpretations of existing protections could create liability for organizations that fail to adequately protect user data. Both tech companies and abortion advocacy and provider organizations could face litigation and fines.
The 2022 settlement with two Massachusetts hospitals is far from the only case.[24] The same year, two proposed class actions alleged that Facebook illegally captured users’ medical information, with one naming a hospital as a defendant.[25] Separately, a proposed class action targets Google for tracking Planned Parenthood’s abortion-scheduling website.[26] Planned Parenthood is not a defendant, but plaintiffs still claimed it illegally “disclosed Plaintiff’s and Class members’ medical information.”[27] Notably, California’s Confidentiality of Medical Information Act requires patients’ written consent prior to releasing their medical records.[28]
Providers could minimize liability by obtaining informed consent for sensitive health data. Such an approach would satisfy new regulatory guidance on the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”).[29] Alternatively, providers can use HIPAA-compliant trackers that don’t collect health information. However, such trackers cannot magically detect what information is and is not protected by HIPAA. Instead, it is a labor-intensive task for website operators to ensure that they are only providing the tracker the appropriate non-health data.[30]
Unfortunately, many of these strategies are far more effective at limiting website operators’ liability than they are at protecting users’ data. If providers choose instead to reduce the data collected and shared, particularly health data from abortion scheduling pages, they can much more effectively eliminate the need to obtain users consent for specialized trackers in the first place. For the most sensitive uses, the best practice would seem to be doing away with trackers entirely, eliminating the possibility of errant trackers creeping back onto an abortion scheduling page. A number of abortion-finding resources, including those mentioned previously, demonstrate that it is possible to provide abortion information without ad tech and completely separate from any abortion advocacy organization’s primary website.
VII. Conclusion
Surveillance capitalism has baked tracking into nearly every element of our digital lives, making it slow and expensive for organizations to engage online in privacy-preserving ways. While there are no easy answers for those providing life-saving medical services and crucial campaigns against the rollback of reproductive rights, there are harm reduction strategies to mitigate the risk of tracking.
More importantly, this is a moment of accountability for the tech giants that built the web as we know it. Either we can continue to put profit above privacy, or we can protect democracy. While these companies have been quick to make press releases about their “values,” they are slow to make any changes that impact their profits. While Google has taken some steps to reduce geolocation data in response to Dobbs, Google and Facebook must urgently reassess every type of data they collect from abortion providers. In addition, states can go much further to enforce health privacy protections against the ad tech industry overall. Ultimately, the only safe way, for abortion seekers and their advocates, is to take on health surveillance capitalism entirely.
-
[1] “Protecting People’s Privacy on Health Topics,” Google, July 1, 2022, updated May 12, 2023, https://blog.google/technology/safety-security/protecting-peoples-privacy-on-health-topics/.
[2] “Protecting People’s Privacy,” Google.
[3] Google has not fully deleted sensitive location data. See “EPIC, Accountable Tech Urge FTC to Investigate Google’s Failed Promise to Delete Sensitive Location Data,” EPIC - Electronic Privacy Information Center, January 14, 2024, https://epic.org/press-release-epic-accountable-tech-urge-ftc-to-investigate-googles-failed-promise-to-delete-sensitive-location-data/.
[4] See Planned Parenthood’s appointment scheduling page at https://www.plannedparenthood.org/health-center (or abortion finder at https://www.plannedparenthood.org/abortion-access). To begin booking an abortion on the appointment scheduling page, a person enters the date of their last menstrual period (confirming and dating their pregnancy), their zip code, and their desire to receive an abortion.
[5] Tatum Hunter, “You Scheduled an Abortion. Planned Parenthood’s Website Could Tell Facebook.,” Washington Post, June 29, 2022, https://www.washingtonpost.com/technology/2022/06/29/planned-parenthood-privacy/.
[6] Hunter, “You Scheduled an Abortion.”
[7] Justin Sherman, “Your Health Data Might Be for Sale,” Slate Magazine, June 22, 2022, https://slate.com/technology/2022/06/health-data-brokers-privacy.html. See also Shoshana Wodinsky and Kyle Barr, “These Companies Know When You’re Pregnant—And They’re Not Keeping It Secret,” Gizmodo, July 30, 2022, https://gizmodo.com/data-brokers-selling-pregnancy-roe-v-wade-abortion-1849148426. See also Alfred Ng, “Data brokers resist pressure to stop collecting info on pregnant people,” Politico, August 1, 2022, https://www.politico.com/news/2022/08/01/data-information-pregnant-people-00048988.
[8] Hunter, “You Scheduled an Abortion.”
[9] Counting Google Analytics and other Google ad tech, indicated as “Alphabet, Inc.” in the “Additional Ad Tech” column.
[10] “Relentless. Annual Report, 2021-2022” (Planned Parenthood, n.d.), https://cdn.plannedparenthood.org/uploads/filer_public/25/ed/25ed2675-fbbc-453b-8b35-f8ddaa025b57/281222-ppfa-annualreport-c3-digital.pdf#page=29.
[11] “Where to Get an Abortion: Find Abortion Services Near You,” Planned Parenthood, accessed January 30, 2024, https://www.plannedparenthood.org/abortion-access.
[12] “Abortion: Information About Your Options,” Planned Parenthood, accessed November 17, 2023, https://www.plannedparenthood.org/learn/abortion. See also “Since You Asked – Abortion Is Difficult to Access in My State. What Are My Options?,” National Women’s Health Network, June 24, 2022, https://nwhn.org/syaabortionaccess/.
[13] National Organization for Women (NYC), “Get the Facts: Crisis Pregnancy Centers,” Women’s Justice NOW, accessed February 15, 2024, https://nownyc.org/womens-justice-now/issues/get-the-facts-crisis-pregnancy-centers/.
[14] Justin Goldberg, “Next Stop in the Battle to End the Bait-and-Switch of Crisis Pregnancy Centers,” Center for Reproductive Rights, March 23, 2012, https://reproductiverights.org/next-stop-in-the-battle-to-end-the-bait-and-switch-of-crisis-pregnancy-centers/.
[15] “Profiting from Deceit: How Google Profits From Anti-Choice Ads Distorting Searches For Reproductive Healthcare,” Center for Countering Digital Hate, June 15, 2023, https://counterhate.com/research/google-profiting-from-fake-abortion-clinics-ads/.
[16] Todd Feathers et al., “Facebook Is Receiving Sensitive Medical Information from Hospital Websites,” The Markup, June 16, 2022, https://themarkup.org/pixel-hunt/2022/06/16/facebook-is-receiving-sensitive-medical-information-from-hospital-websites.
[17] David Karpf, “Analytic Activism and Its Limitations,” Social Media + Society 4, no. 1 (February 1, 2018), https://doi.org/10.1177/2056305117750718. See also Alfred Ng and Maddy Varner, “Nonprofit Websites Are Riddled With Ad Trackers,” The Markup, October 21, 2021, https://themarkup.org/blacklight/2021/10/21/nonprofit-websites-are-riddled-with-ad-trackers.
[18] Edwin Lauritz Fundignsland Jr. et al., “Methodological Guidelines for Systematic Assessments of Health Care Websites Using Web Analytics: Tutorial,” J Med Internet Res 24, no. 4 (April 15, 2022), https://doi.org/10.2196/28291.
[19] Ari B. Friedman et al., “Widespread Third-Party Tracking On Hospital Websites Poses Privacy Risks For Patients And Legal Liability For Hospitals,” Health Affairs 42, no. 4 (April 2023): 508–15, https://doi.org/10.1377/hlthaff.2022.01205.
[20] Based on a smaller sample of hospital websites. See Feathers, “Facebook Receiving Medical Information.”
[21] Jessica Bartlett, “Mass General Brigham, Dana-Farber to Pay $18.4M Settlement over Privacy Allegations,” Boston Business Journal, January 6, 2022, https://www.bizjournals.com/boston/news/2022/01/06/mass-general-brigham-dana-farber-to-pay-184m-se.html.
[22] Class Action Complaint & Demand for Jury Trial, Doe v. Meta Platforms, Inc. et al., No. 3:22CV04293, 2022 WL 2952446 (N.D. Cal. July 25, 2022), https://dockets.justia.com/docket/california/candce/3:2022cv04293/398434.
[23] Luis Hestres, “Tools Beyond Control: Social Media and the Work of Advocacy Organizations,” Social Media + Society 3, no. 1 (June 12, 2017), https://doi.org/doi.org/10.1177/2056305117714237. See also Adam William Chalmers and Paul Alexander Shotton, “Changing the Face of Advocacy? Explaining Interest Organizations’ Use of Social Media Strategies,” Political Communication 33, no. 3 (July 2, 2016): 374–91, https://doi.org/10.1080/10584609.2015.1043477.
[24] Bartlett, “$18.4M Settlement over Privacy.”
[25] Class Action Complaint & Demand for Jury Trial, Doe v. Meta Platforms, Inc. et al., No. 3:22CV04293, 2022 WL 2952446 (N.D. Cal. July 25, 2022), https://dockets.justia.com/docket/california/candce/3:2022cv04293/398434. See also Class Action Complaint & Demand for Jury Trial, Doe et al. v. Meta Platforms, Inc., No. 3:22CV03580, 2023 WL 5837443 (N.D. Cal. June 17, 2022), https://www.documentcloud.org/documents/22125076-meta-pixel-class-action.
[26] Class Action Complaint & Demand for Jury Trial, Doe v. Google LLC., No. 5:23CV02343, 2023 WL 3466228 (N.D. Cal. May 12, 2023), https://scott-scott.com/wp-content/uploads/2023/05/COMPLAINT-against-Google-LLC-1.pdf.
[27] Class Action Complaint & Demand for Jury Trial, Doe v. Google LLC.
[28] Class Action Complaint & Demand for Jury Trial, Doe v. Google LLC.
[29] Office for Civil Rights (OCR), “Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates,” Text, November 18, 2022, https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/hipaa-online-tracking/index.html.
[30] “HIPAA Enablement - What You Need to Know and Do” (New Relic Documentation), accessed January 28, 2024, https://webcache.googleusercontent.com/search?q=cache:eva3IjaTvSEJ:https://docs.newrelic.com/docs/security/security-privacy/compliance/hipaa-readiness-new-relic/&hl=en&gl=us. See also “HIPAA BAA FAQ” (New Relic Documentation), accessed January 28, 2024, https://webcache.googleusercontent.com/search?q=cache:jXkluHGefhwJ:https://newrelic.com/termsandconditions/hipaabaafaq&hl=en&gl=us.
Social Media Graphics
