“Be careful,” a White House spokesperson advised in July 2022, less than a month after the Dobbs decision to overturn Roe v. Wade had been officially published. The spokesperson was warning women who lived in abortion-unfriendly states to take care when using period-tracking apps or searching for reproductive care online: a message echoed by headlines and politicians who also urged women to delete these apps, citing privacy and safety concerns.

As of 2019, one third of American women used period-tracking apps to help them predict the date of their next period, highlight their most fertile time, track any period- or pregnancy-related symptoms, and, if they were pregnant, learn about the stage of the fetus as it grows and develops. But after the Dobbs decision, these apps, once used for help, could be used for harm; the data stored on them could be bought, sold, hacked, or leaked – and compromise the woman’s privacy and safety as a result. For example, collected and sold data from a period-tracking app might reveal that a woman missed her period and is pregnant. If that woman then seeks an abortion in a state which has now outlawed the procedure, her digital data might be used as prosecution evidence.

A study conducted in early 2023 by Secure Data Recovery puts some of these concerns in numbers. Out of the top 10 apps that respondents felt were the most untrustworthy, five were women’s health apps that tracked periods and pregnancy, topping users’ concerns about trustworthiness more than most banking, dating, security, and social media apps.

However, Secure Data Recovery found that mistrust to be semi-misplaced. It noted that respondents expressed little concern about the trustworthiness of apps like YouTube, Target, Gmail, and Google Maps – despite the high amount of data that these apps capture. In contrast, the women’s health apps that respondents felt were most untrustworthy capture a relatively low level of user data.

Women’s health apps also aren’t the only type of apps that can collect personal, intimate data. These apps might collect data about the dates a woman’s period stopped or started, its lightness or heaviness, her diet, her exercise, and her sleep – but fitness apps can collect similarly sensitive data. For example, they might collect data not only about diet, exercise, and sleep but also alcohol use, medications, weight fluctuations, blood pressure, and any existing or emerging health conditions. Even a game could be collecting – and selling – data about you as a user. Playing a game on your phone while waiting in line at the grocery store could be trivial. Playing that same game might have consequences if played while waiting in an emergency room or at a cancer treatment center or at a clinic that offers abortions. In each of those cases, the game may have data about where you are and what you might be doing there.

While you, as an individual user, have to evaluate your own level of concern regarding your digital privacy, asking these three questions can help you make informed choices about the apps you use – including, but not necessarily limited to, any healthcare ones.

1. What laws guide the app?

Healthcare users might be familiar with the Health Insurance Portability and Accountability Act of 1996 (HIPAA): a federal law that protects a patient’s sensitive health information from being disclosed without that patient’s knowledge or consent. A medical app must be HIPAA compliant if the data entered in it includes personal health information (PHI): data that can be used to identify a user personally, like his or her physical or mental conditions, healthcare services utilized, and payments for care.

Most mobile health apps, though, do not have to be HIPAA compliant because they are for individual, personal use (not for a doctor or other medical professional), and they collect consumers’ health information (not personal health information which can be used to identify an individual specifically). Since these mobile health apps, such as period trackers, do not have to adhere to HIPAA, the companies behind them can decide whether they want to sell or share users’ data without any federal regulations.

Apps that aren’t based in the United States have their own guidelines and laws. For instance, Clue, a period-tracking app, and Natural Cycles, a birth control app, are based in Germany and Sweden respectively and thus have to adhere to the European Union’s data privacy law: the General Data Protection Regulation (GDPR). This law protects any personal data – healthcare or otherwise – that can lead to the direct or indirect identification of legal and living individuals. Names, medical records, and IP addresses are all among the data that the GDPR protects.

2. How does the app store and share data?

Most apps store data either locally or in a cloud or server. Apps that store data locally allow your data to stay on your phone or other device and, subsequently, to be owned and to be accessible only by you, the user. Cycle, Drip, Euki, and Periodical are all women’s health apps that store their users’ data locally. Data that is stored in a cloud or server, meanwhile, can be sold, shared, or accessed through a hack or other security breach.

The type of storage isn’t the only way that data can be shared, though; apps that allow third-party tracking are giving permission to other sites, companies, or even government agencies to track your behavior while you’re on the app. Third-party tracking may be one of the reasons, if not the main reason, that some women have seen online advertisements for baby formula, bottles, and diapers before they even know that they’re pregnant. Those organizations may have been given third-party access to the user’s app, allowing them to see whether a woman has missed her period, whether she has been to an OB/GYN lately, or what she has inputted in her fertility tracker. They can then target their advertisements accordingly.

If your app allows for third-party tracking, your data is not yours alone. Instead, it can be bought and sold, completely out of your control.

3. What are the app’s deletion rights?

Deletion rights refer to whether or not the app’s data can be deleted and when it will be deleted. For Consumer Reports, a non-profit dedicated to consumer product testing, research, and education, data deletion rights are a central part of The Digital Standard that it uses to evaluate users’ privacy. Consumer Reports recommends apps that give users a clear way to delete their data and a timeline in which that deletion will take place. Some women’s health apps, such as Period Plus, say that they will delete a user’s data when that user deletes the app. Others have data deletion grace periods, which can last a month, a couple of years, or an unspecified amount of time.

Concerns around data sharing are serious; as Secure Data Recovery reported, 61% of its respondents have deleted an app specifically because of data collection and/or privacy concerns.

But Secure Data Recovery also found that “more people reported having concerns with [women’s health] apps than people who actually reported using the apps.” In other words, the perceived concerns around the security of period or pregnancy-related apps could be at odds with reality – and could be holding back potential users from using not only those apps but also any women’s health apps: a challenge to future innovations in a major market and their ability to offer services to women in need.

App usage doesn’t have to be an all-or-nothing decision, though. Asking questions about what laws guide the app, how it stores and shares data, and whether and when it allows users to delete their data can help educate you as a user, ease any distrust, and let you decide for yourself what apps – healthcare or otherwise – you trust to keep you healthy and to keep your data safe.
