In the wake of this year’s Supreme Court decision in Dobbs overruling Roe v. Wade, sheriffs and bounty hunters in anti-abortion states will try to investigate and punish abortion seekers based on their internet browsing, private messaging, and phone app location data. We can expect similar tactics from officials in states that have prohibited transgender youths from obtaining gender-affirming health care. Indeed, the Texas governor ordered state child welfare officials to investigate such care as child abuse.

Many states are stepping forward to serve as health care sanctuaries for people seeking abortion or gender-affirming care that is not legal at home. These states must also be data sanctuaries. To be the safest refuge, a state that has data about people who sought abortion or gender-affirming health care must lock down that data, and not disclose it to adversaries who would use it to punish them for seeking that health care.

So it is great news that California Gov. Gavin Newsom recently signed three bills that will help meet these data privacy threats: A.B. 1242, authored by Asm. Rebecca Bauer-Kahan; A.B. 2091, authored by Asm. Mia Bonta; and S.B. 107, authored by Sen. Scott Wiener.

EFF supported all three bills. And we encourage other states to pass similar bills. They create new reproductive and trans health data exemptions from old information disclosure mandates. These laws also place new limits on how courts, government agencies, and businesses handle this data. (You can read here a more detailed explanation of these three new California laws; this post is a summary.)

New exemptions from old mandates. Many states require in-state entities to share data with out-of-state entities. States that respect the rights to abortion and gender-affirming health care must create new exemptions from these old laws, for out-of-state investigations of such health care. The new California bills do this to three old California laws that (1) require certain California digital service providers to treat out-of-state warrants like in-state warrants, (2) require California courts to assist in enforcing out-of-state judicial orders, and (3) require California health care providers to disclose certain kinds of medical information to certain kinds of entities.

New limits on judges. Under the new California laws, state judges cannot authorize wiretaps, pen registers, or search warrants, if they are for the purpose of investigating abortions that are legal in California. Also, state judges now cannot compel someone to identify a person who had an abortion, or issue a subpoena, in connection with an out-of-state investigation of an abortion that is legal in California.

New limits on state agencies. California’s state and local government agencies, including but not limited to law enforcement and prisons, are now barred from disclosing information to an individual or out-of-state agency regarding a person’s abortion or gender-affirming health care.

New limits on communication services. There is a new rule for California corporations, and corporations with principal offices in California, that provide electronic communication services. They shall not, in California, provide information or assistance in response to out-of-state court orders concerning abortions that are legal in California. However, such a corporation is not subject to liability unless it knew or should have known that the court order in question related to such an abortion.

Three cheers for California! These new data sanctuary laws are strong protections for people seeking abortion and transgender health care. Other pro-choice and pro-trans states should enact similar laws.

But more work remains.

Anti-abortion and anti-trans sheriffs will continue to seek information located in the Golden State. California lawmakers must enact new laws as needed. For example, they may need to add new exemptions to an old law that authorizes state courts to command residents to travel out-of-state to testify in criminal proceedings. Eternal vigilance is the price of data sanctuary. States should also be data sanctuaries for immigrants.

Also, Congress and the states must enact comprehensive consumer data privacy legislation that limits how businesses collect, retain, use, and share our data. A great way to stop anti-choice and anti-trans sheriffs from seizing data from businesses is to stop these businesses from collecting and retaining this data in the first place. Legislators should start with Rep. Jacobs’ My Body, My Data bill.

Finally, Congress and the states must limit how law enforcement agencies obtain our data from businesses. For example, police across the country are using “reverse search warrants” to identify all people who used particular keywords in their web searches, and all people who were physically present at a particular geolocation. These schemes violate the Fourth Amendment. Legislators must ban them. New York State legislators tried to do so last year. Anti-abortion sheriffs might use them to identify all people who searched the web for “abortion pill,” or who visited an abortion clinic. Likewise, police across the country are buying detailed location data, often without a warrant, from data brokers who got it from our phone apps. This also violates the Fourth Amendment. Legislators should ban it, too.

This article is part of our Year in Review series. Read other articles about the fight for digital rights in 2022.