social media apps on phone
Why privacy experts are warning against using period-tracking apps
01:57 - Source: HLN

Editor’s Note: Katherine Yao is a writer who studies molecular biochemistry and English at Yale University. Megan Ranney, MD, MPH, is a professor of emergency medicine and academic dean at the School of Public Health at Brown University. The views expressed in this commentary are their own. Read more opinion on CNN.

CNN  — 

The very first question asked of new users of Flo, a popular period-tracking app is: “Are you pregnant?” People eager to begin using the app likely don’t think too hard before answering that question. But they should.

Katherine Yao
Megan Ranney

As we face a likely future in which Roe v. Wade will be struck down by the Supreme Court, privacy experts and lay consumers alike are concerned that this and other digital data gathered by period-tracking apps could be used to prosecute women who seek or have abortions.

The “FemTech” industry – a term coined by Ida Tin, the founder of another period-tracking app called Clue – is projected to grow to $60 billion globally by 2027, according to Emergen Research, a market research and strategy consulting company.

And no wonder! Our friends tell us that digital health apps, including period-tracking apps, increase knowledge, help them manage premenstrual symptoms and help with fertility tracking. Our patients will often pull out their period-tracking app to show us that they couldn’t possibly be pregnant, or to remind themselves of the date of their last menstrual period. These apps are, simply, empowering.

But there’s also a potential dark side. The mere fact that many of these apps are collecting and storing your data in the cloud or on a server – instead of on your phone – is reason to be concerned.

Most of the best known period-tracking apps collect data on intimate details ranging from users’ menstruation cycles to their sex lives to their medication usage. In 2020, Privacy International (PI), a non-profit advocacy group, asked five period-tracking apps for the data that had been collected on a PI employee who volunteered to use the apps for the project.

One app was found to store answers to the most intimate questions on the company’s server, such as “What type of relationship do you have at present?” Another was noted to have collected approximate location data whenever the user interacted with the app. Other independent evaluations have had similar findings.

This stored information is rarely under your control. Most digital health apps, including period-tracking apps, are exempt from the federal health information privacy laws that govern healthcare providers. Period-tracking apps therefore have essentially free rein in who they share your health data with — as long as they inform you of their privacy policies.

Flo explicitly says in its privacy policy that it does not sell any personal data, and it does not collect this data without letting its users know. According to the app, third-parties help process users’ non-health personal data, primarily for marketing and functional purposes, and, according to their privacy policy, they ask users to consent before sharing some of this data. Some third-parties provide basic services, such as web hosting and payment processing, while others are responsible for app analytics and ad targeting.

But just last year, the Federal Trade Commission (FTC) reached a settlement with Flo after it was discovered that the company disclosed consumers’ fertility data to third parties such as Facebook and Google. In doing so, the FTC alleged, Flo had broken its promise that users’ health data would be kept private. According to the complaint the FTC filed, Flo did not limit how these third parties could use the data they received. Flo said in a statement that the settlement was “not an admission of any wrongdoing.”

The FTC case has shown us that while the role of third parties seems rather benign, the lack of federal regulation limiting the personal and health data that can be given to them is problematic.

Equally, if not more problematic, is the possibility that data from period-tracking apps could be subpoenaed and used as evidence to prove a criminal loss of pregnancy. Whether non-health related data could be used to suggest that a woman had had an abortion, is unclear. But the possibility of menstrual-cycle-related data from these apps being used in court as evidence that a woman terminated a pregnancy is of growing concern among both lawyers and users. It is worth noting that if you use other apps, such as a calendar, to track your period, that data could also be subpoenaed.

Imagine that for years, you have regular periods, every 28 days. Then, one month, you miss your period. Then, either because you continue to miss your period or simply forget to input your menstrual data, you don’t enter anything for the following months – only to resume period tracking a few months later. This information could be subpoenaed. Then, who is to say you didn’t have an abortion or a miscarriage?

Eric Perakslis, the chief science and digital officer at the Duke Clinical Research Institute, points out that the “loss of privacy in and of itself isn’t harmful… It’s when somebody does something bad with your data” that things go wrong. “When you don’t have comprehensive privacy law,” Perakslis says, “you at least need protection from these bad things.”

This protection, unfortunately, does not exist. And ample evidence from healthcare – including the field of reproductive health – suggests just how easy it is to access sensitive data for “bad things.”

As Halle Tecco, a women’s health investor and advocate, points out, existing safeguards are insufficient. “Especially since women may have lower trust in the system due to a lifetime facing gender stereotypes and medical gaslighting – it is important that we protect and honor privacy,” Tecco said.

On a policy level, then, the federal government can and should strengthen digital health safeguards. The Health Insurance Portability and Accountability Act of 1996 (HIPAA) and Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH) were meant to provide comprehensive protection of personal health data. However, these protections are outdated and do not take into account a quickly-evolving health care system where digital health apps play a growing, integral role. Federal safeguards must expand to cover more health entities, including period-tracking apps, and explicitly prioritize and enforce protecting the privacy of individuals instead of allowing companies to simply rely on a user-consent model.

In the meantime, we – the end users – have a voice.

Both Perakslis and Tecco recommend that users of period-tracking apps ask the companies for better. In Perakslis’ words: “Tell them, you can do this better. Lock your apps down. Make your privacy policies clear. And make a policy that protects your users, not just your company.”

Of course, not all period-tracking apps are bad. Piraye Yurttas Beim, founder and CEO of Celmatix, a women’s health biotech company, reminds us that “when responsibly developed by good companies, that both engage with regulators and engage in good privacy protection, there’s a net positive. I’d hate for women who use apps developed by high-quality companies to abandon them.”

Get our free weekly newsletter

  • Sign up for CNN Opinion’s newsletter.
  • Join us on Twitter and Facebook

    So: know what you’re using. Before you sign up for an app, read privacy policies carefully, using non-profit resources such as the Electronic Frontier Foundation to help inform yourself. Consider creating an anonymous email when you sign up for the app. If possible, choose an app that stores all your data on your phone, which provides a much higher level of privacy.

    And if you have any doubt about the privacy of your data on the app you’re using you may want to consider going back to what women did 15 years ago: track your period with paper and pencil.