The 21st Century digital age has provided women with numerous sexual and reproductive health tools that track periods, ovulation, and pregnancy. By simply plugging certain health data inputs into these apps, women can now accurately track the most intimate moments of their lives. But is this sensitive health information secure?

Recent activity by the FTC suggests that, for some of these apps, it may not be:

  • On May 18, 2023, the FTC proposed amendments to strengthen and modernize the Health Breach Notification Rule, specifically clarifying that it is applicable to health apps and similar technologies that are not covered by HIPAA. We’ve previously written on this topic.
  • On May 17, 2023, the FTC settled an enforcement action against Easy Healthcare Corporation, the developer of the Premom ovulation tracker app. The FTC alleged that Premom broke its privacy promises to consumers by disclosing users’ sensitive health data to Google and AppsFlyer and by sharing other personal information with two firms in China.
  • On June 22, 2021, the FTC finalized a settlement with Flo Health, Inc., another fertility tracking app, requiring it to obtain affirmative consent of users before sharing their personal health information with third parties.

Therefore, with the FTC actively scrutinizing reproductive health apps, developers of these apps should be re-examining their app’s data collection process, data usage practices, and data retention timeline. Just as importantly, developers should ensure that the representations they make about their data practices to the women who use these apps are accurate, especially following last year’s U.S. Supreme Court decision in Dobbs v. Jackson, overruling Roe v. Wade. Some of the data collected by these reproductive health apps is highly sensitive, and may include many of the following data points: phone numbers, emails, postal addresses, gender, device ID, IP address, menstrual cycle length, date of last menstrual period, sexual activity, pregnancy due dates, doctor’s appointments, and pregnancy symptoms. This type of data (and the app developers that hold it) may be targeted by certain states that have banned abortions since the Dobbs decision was issued on June 24, 2022.

Following Dobbs, at least 4 states have enacted laws that criminalize abortion care. Therefore, the unauthorized disclosure of reproductive health data stored on these health apps may not only jeopardize a woman’s privacy but could also now risk her (and/or her provider’s) liberty too. Following the enactment of the Texas “bounty hunter” statute in 2021 (where private citizens can file a civil lawsuit to obtain $10,000.00 in damages against anyone who knowingly aids and abets an abortion in Texas), it is not difficult to envision law enforcement officers requesting this health information to prosecute women and their health care providers in states where abortion is now illegal. Unfortunately, app developers that hold sensitive reproductive health care data could find themselves in the middle of this battle.

Currently, many reproductive health apps have privacy policies that are unclear or that do not detail how each company uses the data it collects, how long such data is kept, and how users can delete it from the app. Further, many of these apps don’t have clear guidelines on when and how much user data will be shared with law enforcement.

For all of these reasons, reproductive health app developers should update their privacy policies to more clearly identify what happens to data inputted into the app, whether it is shared with third parties and under what circumstances, how and for how long it is stored, how it can be deleted, and the specific circumstances under which it might be disclosed to law enforcement and whether notice will be provided to the app user prior to such disclosure. 

This type of clarity and accuracy in the app’s privacy policy will not only better inform app users about the risk to their sensitive data but will also provide clear-cut parameters as app developers navigate possible disclosures to law enforcement.
