It鈥檚 estimated that millions of people in the U.S. use period-tracking apps to plan ahead, track when they are ovulating, and monitor other health effects. The apps can help signal when a period is late.
After Politico published on May 2 from the Supreme Court indicating that Roe v. Wade, the landmark decision that guarantees the constitutional right to an abortion, would be overturned, people turned to social media. They were expressing concerns about the privacy of this information 鈥 especially for people who live in states with strict limits on abortion 鈥 and how it might be used against them.
Many users recommended all personal data from period-tracking apps.
鈥淚f you are using an online period tracker or tracking your cycles through your phone, get off it and delete your data,鈥 activist and attorney . 鈥淣ow.鈥
Similarly, Eva Galperin, a cybersecurity expert, could 鈥渂e used to prosecute you if you ever choose to have an abortion.鈥
That got us wondering 鈥 are these concerns warranted, and should people who use period-tracking apps delete the data or the app completely from their phones? We asked the experts.
Is Your Period-Tracking App Data Shared?
Privacy policies 鈥 specifically, whether the apps sell information to data brokers, use the data for advertising, share it for research, or keep it solely within the app 鈥 vary substantially among companies.
鈥淒oes it encrypt? What鈥檚 its business model?鈥 said Lucia Savage, chief privacy and regulatory officer for Omada Health, a digital therapeutics company. 鈥淚f you can鈥檛 find terms of service or a privacy policy, don鈥檛 use that app.鈥
Period-tracking apps are often not covered under the Health Insurance Portability and Accountability Act, or HIPAA, though if the company is billing for health care services, it can be. Still, HIPAA doesn鈥檛 prevent the company from sharing de-identified data. If the app is free 鈥 and the company is monetizing the data 鈥 then 鈥測ou are the product鈥 and HIPAA does not apply, Savage said.
A 2019 study found that 79% of health apps available through the Google Play store regularly shared user data and were 鈥渇ar from transparent.鈥
When it comes to marketing, a pregnant person鈥檚 data is particularly of high value and can be hard to hide from the . Some period-tracking apps, which often ask for health information besides menstrual cycle details, take part in the broader internet data economy, too.
鈥淭he data can be sold to third parties, such as big tech companies; or to insurance companies, where it could then be used to make targeting decisions, such as whether to sell you a life insurance policy, or how much your premium should be,鈥 said , a health and artificial intelligence researcher at the University of Edinburgh in Scotland.
Flo Health, headquartered in London, over allegations that the company, after promises of privacy, shared health data of users using its fertility-tracking app with outside data analytics companies, including Facebook and Google.
In 2019, Ovia Health for sharing data 鈥 though de-identified and aggregated 鈥 with employers, who could purchase the period- and pregnancy-tracking app as a health benefit for their workers. People using the employer-sponsored version must currently opt in for this kind of data-sharing.
Ovia鈥檚 roughly 10,000-word details how the company may share or sell de-identified health data and uses tracking technologies for advertisements and analytics on its free, direct-to-consumer version.
For European residents, companies must comply with the stricter , which gives ownership of data to the consumer and requires consent before gathering and processing personal data. Consumers also have the right to have their online data erased.
Companies have the option of extending those rights to people living in the U.S. via their privacy policies and terms of services. If they do so, the FTC can then hold the companies accountable for those commitments, said Deven McGraw, Invitae鈥檚 head of data stewardship and the former deputy director for health information privacy at the Department of Health and Human Services Office for Civil Rights.
The period-tracking app Cycles, which is owned by Swedish company Perigee, falls into this category. The company promises its users that it does not do any advertising or selling of data to third parties. Instead, it makes money solely through subscriptions, spokesperson Raneal Engineer said.
Concerned customers have been reaching out to another health app, Clue, developed by a company based in Berlin. 鈥淲e completely understand this anxiety, and we want to reassure you that your health data, particularly any data you track in Clue about pregnancies, pregnancy loss or abortion, is kept private and safe,鈥 Clue co-CEO Carrie Walter said in an emailed statement.
Some states, such as and , have state-level laws that give users ownership over their information and whether it is sold to third parties.
Data brokers trade in other types of information, such as location-tracking data for people who visited Planned Parenthood, which potentially could be purchased by law enforcement or government officials. Earlier this month, SafeGraph halted selling cellphone-tracking data mapping the movements of people visiting Planned Parenthood, how long they stayed, and where they went afterward, after
Also of concern is a company鈥檚 level of data security, and how susceptible it is to a breach. 鈥淗acking is criminal, there’s no question about it,鈥 Savage said. 鈥淏ut once it’s hacked, information can be released.鈥
Could This Data Be Used in a Criminal Prosecution?
The short answer is yes.
鈥淚t鈥檚 almost surreal that in some states using a period app could get you into trouble,鈥 said McGraw. 鈥淏ut if an abortion is a crime, it could be accessed in building a case against you.鈥
This depends on where you live, but there are no federal protections against that happening from a privacy standpoint, she added. Last year, Sen. Ron Wyden (D-Ore.) introduced the , which would prohibit data brokers from selling personal information to law enforcement or intelligence agencies without court oversight. But the legislation has yet to make it to a vote.
Wyden told KHN he was 鈥渁bsolutely鈥 worried about the chance that people who seek an abortion could be incriminated by their phone data.
鈥淚t is really an ominous prospect of women having their personal data weaponized against them,鈥 said Wyden. 鈥淭hese big data outfits,鈥 he said, 鈥済otta decide 鈥 are they going to protect the privacy of women who do business with them? Or are they basically going to sell out to the highest bidder?鈥
In the absence of a federal law, if law enforcement does get a court-ordered subpoena, it can be difficult for a company to resist handing over data related to a specific case.
鈥淕iven the breadth of surveillance laws in the U.S., if a company collects and keeps information, that information is susceptible to being compelled by law enforcement,鈥 said , a privacy lawyer and vice president of U.S. policy at the Future of Privacy Forum. 鈥淭hey don鈥檛 necessarily have the ability to legally keep that information from law enforcement once the proper process has been undertaken.鈥
Still, even in states with strict abortion limits on the books, much depends on how those laws are structured. Last month, for instance, a murder charge against a Texas woman for a 鈥渟elf-induced abortion鈥 after the district attorney found it did not violate state law, which criminalizes providers performing abortions, not the patients.
If Roe v. Wade is struck down, 14 states have so-called trigger laws that would automatically go into effect and ban abortion outright or after set windows of time 鈥 for instance, six weeks or 15 weeks, .
鈥淚t鈥檚 really complicated under the hood, but I don鈥檛 think people should blindly assume their data is safe from legal process,鈥 Savage said. It can depend on the company鈥檚 approach to subpoenas, she added. Some will fight them while others will not.
Take Apple, for example, which unlocking iPhones for law enforcement in high-profile cases like the 2015 San Bernardino shooting. Data in Apple鈥檚 health app, which includes its period tracker, is 鈥渆ncrypted and inaccessible by default,鈥 according to the . All the health data in the app is kept on a person鈥檚 phone, not stored on servers. But at the same time, Savage said, people who are in low-income communities don’t always have an iPhone because it is an expensive piece of equipment.
Ovia鈥檚 privacy policy says the company may give data to law enforcement if required by law or subpoena. The company, however, said in a statement that it has “never provided Ovia user data to any government, nor have we ever received any government requests for access to Ovia user data.” There is also an option in Ovia鈥檚 account settings to delete account data 鈥渆ntirely and permanently.”
Despite safeguards in place under the GDRP, period trackers based in Europe can still be subpoenaed as well, said , a senior staff attorney at the Electronic Frontier Foundation.
鈥淓ven [European Union] companies are subject to the U.S. legal process, though it would take longer,鈥 said Tien. 鈥淭he U.S. has mutual legal treaties with other countries, including E.U. countries, and law enforcement knows how to exchange information.鈥
Has This Kind of Information Been Used by Public Officials or Law Enforcement Before?
Officials holding anti-abortion views have leveraged period-tracking information in the past. In 2019, former Missouri state health director Dr. Randall Williams obtained tracking the menstrual periods of women who visited Planned Parenthood in an effort to identify patients who had experienced an abortion that failed to terminate the pregnancy.
During the Trump administration, former refugee resettlement chief and anti-abortion activist Scott Lloyd admitted to in an effort to stop them from getting abortions.
鈥淲e are now thinking of period trackers the way we鈥檝e been thinking of facial recognition software for years,鈥 Savage said.
Should You Delete Your Period-Tracking App?
Experts said it鈥檚 unlikely that a period-tracking app would be the sole piece of evidence used if someone were building a case against you for seeking an abortion.
鈥淔rankly, I think if law enforcement or a civil investigator were trying to figure out who is having an abortion, there are probably several other venues that are more realistic or more immediately useful,鈥 said Stepanovich. 鈥淭hey would likely get a dump of information for the relevant data,鈥 she continued, 鈥渟uch as trying to get the location information of everyone that got dropped off close to an abortion center, which is a much smaller set of data, or getting people who called abortion hotlines at certain times.鈥
Stepanovich added that as long as someone is using a smartphone with any type of app on it there is a risk that data could be obtained and used as part of a criminal or civil prosecution. Bottom line: The only way to avoid risk altogether is to not use a smartphone.
But McGraw took a more cautious approach: 鈥淚f I lived in a state where I thought that data might end up in the hands of law enforcement, I wouldn鈥檛 track [my period] at all.鈥
Ultimately, people who use period-tracking apps should be aware of the risk of using the technology while considering the benefit it brings to their life.
鈥淵ou have to think about what you need in terms of period tracking,鈥 said Tien. 鈥淵ou have to weigh and ask yourself, 鈥楬ow much does this convenience really matter to me?鈥欌
