Is Your Data Safe in Period Tracking Apps?

Key Takeaways

  • Many people use apps to track menstruation and fertility cycles, but privacy experts have been warning about the associated privacy risks now that abortion is criminalized in many states.
  • These apps are often unrestricted by HIPAA, and they could sell or disclose personal data to third parties and law enforcement.
  • Reading privacy policies, choosing the strictest privacy settings, and using apps that involve local data storage on a device may help you protect yourself. But there's no foolproof way to ensure your data is secure.

Consumers have been using convenient mobile apps to keep track of their menstruation cycle, sexual activity, fertility, and more.

But privacy experts are expressing concerns about the dangers of using such apps to track sensitive, personal information post-Roe v. Wade—and they're warning users that this data could one day be used against them. 

Period trackers and reproductive health apps such as Flo, Clue, and Cycle Tracking in the Apple Health App seek to provide valuable health insights for people to understand and control their healthcare decisions, according to Bethany Corbin, ESQ, LLM, a femtech and privacy attorney at Nixon Gwilt Law. 

To do this, users have to willingly sacrifice their data privacy in exchange for health predictions. They volunteer highly personal information, such as cycle length and menstrual symptoms, to receive (sometimes inaccurate) predictions produced by the app’s algorithm.

While some use this data to inform important decisions about their reproductive health, Corbin said most users are unaware of how little data privacy and security these apps afford them, a factor that could lead to serious consequences if abortion is outlawed where they live.

Serious Privacy Concerns

Many femtech companies—which target women's health needs—fall through the cracks of federal privacy regulations, according to Corbin. This means a majority of period tracking apps on the market are not required to comply with the Health Insurance Portability and Accountability Act (HIPAA), which dictates individual health privacy in the United States.

“If a woman gave the same data to her licensed healthcare provider who bills insurance and to a femtech app, the data would be HIPAA protected by the provider, but not the femtech application,” Corbin said. “It’s the same exact data, but different levels of protection apply based on the context in which the data is provided.”

As a result, Corbin said these health apps can and do sell sensitive reproductive health data to third parties. In most circumstances, the practice is only restricted by state laws, Federal Trade Commission rules on unfair and deceptive practices, and the health app’s own privacy policy. 

“If the femtech app’s privacy policy accurately and transparently discloses how and when user data may be disclosed or sold downstream, and the user has consented to that privacy policy, then the user has forfeited those rights to her data,” she said.

These apps may therefore be compelled to disclose their users’ reproductive health data to law enforcement when faced with a legal request or subpoena, Corbin added. Law enforcement could request data from an app as evidence to prosecute someone for having an illegal abortion. The information could also be sold downstream to data brokers who can then sell that data to any public or private party, including law enforcement officials.

In other words, data from femtech apps could be used to help prosecute people for crimes. 

Hackers are also a concern considering the value of reproductive health data will likely increase now that Roe v. Wade is overturned, Corbin added. They might hold the data for ransom or threaten to expose individual data to law enforcement.

“A lot of women’s health apps are in the startup stage and don’t have the funds to invest in robust cybersecurity protections at the outset,” she said. “This makes them relatively easy targets for hackers who are trying to steal data.”

How to Protect Yourself

While some femtech apps do protect data to an extent, Corbin said there’s no easy way for consumers to compare the options on the market based on privacy and security standards. 

Still, she said users should always evaluate the privacy policy in their app and be aware that most apps have default privacy settings that can be manually enhanced by the user once an account is created. 

“Oftentimes, privacy is not top of mind for consumers, so they fail to update these default settings,” she said. “Check to see if enhanced privacy settings are offered for your app and, if so, use the strictest settings you can.”

When reading privacy policies, Corbin said users should focus on the data use and disclosure section in particular, as this explains how the app will use or disclose data downstream and to third parties. Although many are used to clicking the “I agree” box without actually reading its accompanying policy, it’s essential to know where sensitive health data is going and how it will be used. 

Corbin added that users are more likely to see data disclosure with free applications because it’s a way for companies to earn revenue, so looking into a paid app may be a safer option. 

Using apps that involve local data storage on a device—like a phone or tablet—rather than the cloud, may also better protect against cyberattacks, she said.

But ultimately, Corbin said there is no entirely foolproof way to ensure private data is protected once it’s been digitally inputted.

“I always caution women not to input any data into an app that you wouldn’t be comfortable publicizing on the Internet,” she said. “Because the odds are that the data will get out at some point—whether through a cyberattack, downstream disclosure, or sale.”

Matt Voda, CEO of OptiMine and a consumer privacy advocate, reiterated this point, explaining that apps often track and store location data. Even if you think you've opted out of app tracking, he said some apps continue to collect sensitive data about you.

“It is very difficult to stop leaving a digital trail and move into truly private use of your devices, and unfortunately there is no way to completely turn off all tracking that occurs on our devices,” Voda said. “I think this is a real wake-up call as to why our privacy matters so much, and how little privacy we have today.”

What This Means For You

If you use a period tracking app, it's a good idea to consider whether the convenience is worth the associated risks. If your answer is yes, then reading privacy policies, choosing the strictest privacy settings, using apps that involve local data storage on a device, and using paid apps can help you protect yourself.

By Mira Miller
Mira Miller is a freelance writer specializing in mental health, women's health, and culture.