September 26, 2022

OAKLAND – In the face of unprecedented threats to reproductive freedom, California Attorney General Rob Bonta today emphasized health apps’ obligations under California law to protect and secure reproductive health information. The Confidentiality of Medical Information Act (CMIA) applies to mobile apps that are designed to store medical information, including some fertility trackers, and establishes privacy protections that go beyond federal law. In today’s alert, Attorney General Bonta urges health apps to adopt robust security and privacy measures to protect reproductive health information. At a minimum, these apps should assess the risks associated with collecting and maintaining abortion-related information that could be leveraged against persons seeking to exercise their healthcare rights.

“California has strong laws in place protecting reproductive freedom, including the right to safe and legal abortion,” said Attorney General Bonta. “Apps collecting medical information, particularly reproductive health information, need to comply with our state laws and protect such information from risks like improper disclosure or a data breach. Sensitive health data must remain secure and never be used against individuals seeking critical healthcare and exercising their right to abortion.”

The CMIA is a state law that applies to businesses that offer a mobile application or other related device, like wearable technology, that is designed to maintain medical information, even if these businesses do not have similar obligations under federal health privacy laws. Businesses that may need to comply with CMIA include health apps, such as some fertility trackers, and other types of pregnancy-related connected products that store details about a user’s sexual activity, ovulation, and fertility test results. The CMIA requires businesses to preserve the confidentiality of medical information and prohibits the disclosure of medical information without proper authorization.

In 2020, the California Department of Justice (DOJ) secured a landmark settlement with Glow Inc. (Glow) for the company’s failure to comply with the CMIA because it stored data related to sexual and reproductive health and had basic security flaws that put its users’ data at risk. DOJ’s settlement with Glow included a groundbreaking injunctive term requiring the company to consider how privacy or security lapses may uniquely impact women. 

In the face of new threats to reproductive rights and privacy, Attorney General Bonta encourages health apps to adopt similar measures to protect the privacy of reproductive health information. Specifically, health apps should: 

  • Develop and maintain an information security program designed to protect the security, integrity, availability, and confidentiality of reproductive health information against unauthorized access and disclosure;
  • Protect the information they store by using strong authentication protocols, and, at a minimum, require two-factor authentication;
  • Obtain affirmative consent from users prior to sharing or disclosing personal, medical, reproductive or otherwise sensitive information, and allow users to revoke previously granted consent; and
  • Provide internal employee training on online threats and privacy issues related to reproductive rights.

Even if some health apps do not fall under the CMIA, other California laws require that health apps secure the personal information that they store, and that they honor requests from users to not sell their personal information.

For example, the California Consumer Privacy Act (CCPA) requires businesses to comply with consumer requests involving personal information, including deletion and stopping the sale of personal information. The CCPA has been in effect since January 1, 2020, and the Attorney General has been enforcing the law. Health apps must have sufficient processes in place to allow consumers to exercise their rights under the CCPA. Health apps must also comply with California law requiring a business to implement and maintain reasonable security procedures and practices to protect personal information, including medical information, from unauthorized access, destruction, use, modification, or disclosure. Failure to do so may result in enforcement under the Unfair Competition Law for injunctive relief and civil penalties. 

Californians who believe they have information relating to potential violations of the law should report it at oag.ca.gov/report.