On May 26, 2022, California Attorney General Rob Bonta issued a press release reminding health app providers that California’s Confidentiality of Medical Information Act (“CMIA”) applies to mobile apps that are designed to store medical information, which includes health apps such as fertility trackers. The press release reminds health app providers that the CMIA requires businesses to preserve the confidentiality of medical information and prohibits the disclosure of medical information without proper authorization. It also urges mobile app providers to adopt robust security and privacy measures to protect reproductive health information. According to the press release, this should include, at a minimum, “assess[ing] the risks associated with collecting and maintaining abortion-related information that could be leveraged against persons seeking to exercise their healthcare rights.”
The press release touts California’s strong protections of reproductive freedom and states that “[s]ensitive health data must remain secure and never be used against individuals seeking critical healthcare and exercising their right to abortion.” Attorney General Bonta specifically encourages health apps to adopt the following practices to protect the privacy of reproductive health information:
- developing and maintaining an information security program to protect reproductive health information against unauthorized access and disclosure;
- using strong authentication protocols, including two-factor authentication;
- obtaining affirmative consent from users prior to sharing or disclosing health or other sensitive information, and allowing users to revoke previously granted consent; and
- training employees regarding online threats and privacy issues related to reproductive rights.
Attorney General Bonta also points out that, even if the CMIA does not apply to certain apps, other California laws with strong privacy protections may apply, such as the California Consumer Privacy Act, which has been in effect since January 1, 2020, and was recently amended by the California Privacy Rights Act, which is set to take effect on January 1, 2023.