It’s estimated that millions of people in the U.S. use period-tracking apps to plan ahead, track when they are ovulating, and monitor other health effects. The apps can help signal when a period is late.
After Politico published on May 2 a draft opinion from the Supreme Court indicating that Roe v. Wade, the landmark decision that guarantees the constitutional right to an abortion, would be overturned, people turned to social media. They were expressing concerns about the privacy of this information — especially for people who live in states with strict limits on abortion — and how it might be used against them.
Many users recommended immediately deleting all personal data from period-tracking apps.
“If you are using an online period tracker or tracking your cycles through your phone, get off it and delete your data,” activist and attorney Elizabeth McLaughlin said in a viral tweet. “Now.”
Similarly, Eva Galperin, a cybersecurity expert, said the data could “be used to prosecute you if you ever choose to have an abortion.”
That got us wondering — are these concerns warranted, and should people who use period-tracking apps delete the data or the app completely from their phones? We asked the experts.
Is your period-tracking app data shared?
Privacy policies — specifically, whether the apps sell information to data brokers, use the data for advertising, share it for research, or keep it solely within the app — vary substantially among companies.
“Does it encrypt? What’s its business model?” said Lucia Savage, chief privacy and regulatory officer for Omada Health, a digital therapeutics company. “If you can’t find terms of service or a privacy policy, don’t use that app.”
Period-tracking apps are often not covered under the Health Insurance Portability and Accountability Act, or HIPAA, though if the company is billing for healthcare services, it can be. Still, HIPAA doesn’t prevent the company from sharing de-identified data. If the app is free — and the company is monetizing the data — then “you are the product” and HIPAA does not apply, Savage said.
A 2019 study published in the BMJ found that 79% of health apps available through the Google Play store regularly shared user data and were “far from transparent.”
When it comes to marketing, a pregnant person’s data is of particularly high value and can be hard to hide from the barrage of cookies and bots. Some period-tracking apps, which often ask for health information besides menstrual cycle details, take part in the broader internet data economy, too.
“The data can be sold to third parties, such as big tech companies; or to insurance companies, where it could then be used to make targeting decisions, such as whether to sell you a life insurance policy, or how much your premium should be,” said Giulia De Togni, a health and artificial intelligence researcher at the University of Edinburgh in Scotland.
Flo Health, headquartered in London, settled with the Federal Trade Commission last year over allegations that the company, after promises of privacy, shared health data of users using its fertility-tracking app with outside data analytics companies, including Facebook and Google.
In 2019, Ovia Health drew criticism for sharing data — though de-identified and aggregated — with employers, who could purchase the period- and pregnancy-tracking app as a health benefit for their workers. People using the employer-sponsored version must currently opt in for this kind of data-sharing.
Ovia’s roughly 10,000-word privacy policy details how the company may share or sell de-identified health data and uses tracking technologies for advertisements and analytics on its free, direct-to-consumer version.
For European residents, companies must comply with the stricter General Data Protection Regulation, which gives ownership of data to the consumer and requires consent before gathering and processing personal data. Consumers also have the right to have their online data erased.
Companies have the option of extending those rights to people living in the U.S. via their privacy policies and terms of service. If they do so, the FTC can then hold the companies accountable for those commitments, said Deven McGraw, Invitae’s head of data stewardship and the former deputy director for health information privacy at the Department of Health and Human Services Office for Civil Rights.
The period-tracking app Cycles, which is owned by Swedish company Perigee, falls into this category. The company promises its users that it does not do any advertising or selling of data to third parties. Instead, it makes money solely through subscriptions, spokesperson Raneal Engineer said.
Concerned customers have been reaching out to another health app, Clue, developed by a company based in Berlin. “We completely understand this anxiety, and we want to reassure you that your health data, particularly any data you track in Clue about pregnancies, pregnancy loss or abortion, is kept private and safe,” Clue co-CEO Carrie Walter said in an emailed statement.
Some states, such as California and Virginia, have state-level laws that give users ownership over their information and whether it is sold to third parties.
Data brokers trade in other types of information, such as location-tracking data for people who visited Planned Parenthood, which potentially could be purchased by law enforcement or government officials. Earlier this month, SafeGraph halted selling cellphone-tracking data mapping the movements of people visiting Planned Parenthood, how long they stayed, and where they went afterward, after Vice reported buying a week’s worth of data for $160.
Also of concern is a company’s level of data security, and how susceptible it is to a breach. “Hacking is criminal, there’s no question about it,” Savage said. “But once it’s hacked, information can be released.”