24 October 2023
The “femtech” revolution has grown to encompass a wide range of technology-enabled and consumer-centric products and apps designed to enable better outcomes for female patients and consumers. One example is Flo, a women’s health app which invites its more than 100 million global users to enter daily – and personal - details about their menstrual cycles with a view to tracking their periods and fertility.
In September 2023, the UK Information Commissioner’s Office (ICO) announced that it was reviewing period and fertility apps following a poll which revealed that over half of women using them had concerns over data security. The poll also showed that over half of the women who use the apps believed they had noticed an increase in baby or fertility related adverts since signing up.
|
To kickstart the consultation, the ICO invited women to respond to a three question survey, in one of which respondents were asked to give details “of any positive or negative experiences around the use of your personal information by period tracking apps or fertility tracking apps”. Respondents were also asked to name the app or apps involved.
The ICO has confirmed that it is considering whether users may experience harmful consequences from, or be negatively impacted by, the way their personal information is used or shared with these apps. It is also considering whether there may be examples of “good practice” in the way these apps handle personal information and, more generally, whether app privacy policies are unnecessarily complicated or confusing, leaving users uncertain about what data they have consented to sharing.
Privacy concerns
The ICO’s review raises questions about these apps, what they are doing with users’ data, and the extent to which users are entitled to assume that their personal health data remains private.
In the US, internet non-profit Mazilla studied more than 20 pregnancy and period tracking apps for privacy and security features and described the results as “grim”, with many apps failing to meet minimum security standards and offering unclear policies surrounding user data. Of particular concern in the US is the extent to which the data held by these apps may be used by law enforcement to prosecute women seeking abortion in states where this is now illegal.
Between 2016 and 2019, Flo Health, Inc. (the company behind the Flo app) passed on certain intimate health details of its users to marketing and analytics companies like Facebook, Google and AppsFlyer, resulting in a complaint by the Federal Trade Commission. The app eventually stopped sharing the data, but only after its practices were exposed in the US media.
Flo’s current privacy policy (as it applies to users based in the UK) states that Flo will not share personal data with third parties except as specified below:
- with users’ consent, it may share non-health personal data with AppsFlyer (a mobile marketing platform) for marketing and promotional purposes (the policy states that non-health data includes technical identifiers (IP addresses, etc.), as well as the user’s age group and subscription status);
- in some situations, Flo engages other companies to process personal data on its behalf. Amazon Web Services, Inc., and Cloudflare, Inc. are cited as examples;
- the app uses Google reCAPTCHA services in payment pages on its website;
- the app may aggregate, anonymise or de-identify personal data so that it cannot reasonably be used to identify users; and
- in what is described as “special circumstances”. This is said to include the provision of personal data in response to court orders or legal processes.
On the face of it at least, the policy reflects the concerns raised by the Federal Trade Commission and suggests that whilst the app is processing users’ personal health data, that information is not shared with third parties. It will be interesting to see what is the outcome of the ICO consultation and whether this aligns with users’ overall experience. Targeted marketing may well be as a result of a user’s age group being shared, rather than because the app has shared details of a user’s menstrual cycle.
Other period tracker apps – for example Clue, which is based in Germany and has over 12 million monthly users – are open about the fact that they provide scientific institutions with information, stripping the personal data of unique identifiers that could be traced back to users, all on a non-commercial basis. Clue’s privacy policy explicitly states that the company works with scientific researchers and offers users the option to opt out of sharing their data.
This raises a different set of questions about the balance between privacy concerns and scientific advancement within women’s health (in particular, these apps can provide invaluable insight into a number of conditions including PCOS and the impact of the Covid-19 vaccine on menstrual cycles), as well as broader questions about whether period tracker apps are “wellness” apps or are in fact health apps which should be subject to greater scrutiny and regulation.
Privacy policies
In view of the above, it is worth taking a step back and revisiting what is the purpose of a privacy policy and what should be included.
Privacy policies are required for any company that processes information about people. The length and complexity of a privacy policy will depend on the size of the company, as well as the volume and nature of information being processed. The UK GDPR specifies that companies or organisations that process personal data need to tell individuals when their personal data is being collected. There are some types of information that must always be provided; others are circumstance specific.
As a starter for ten, a privacy notice will at the very least need to include:
- the types of personal data being collected;
- where the data has come from;
- what is being done with the data;
- what is the lawful basis for processing the data;
- who the information is being shared with;
- how long the information is being held; and
- the contact details of an individual within the organisation to whom data related queries can be directed.
The issue of consent should be at the forefront of any company or organisation that processes personal data. Consent requires offering individuals a real choice and control over how their data is used. It must be freely given and consent requests must be prominent, unbundled from other terms and conditions, concise, easy to understand, and user-friendly. Whether period tracking apps meet this threshold remains to be seen. The closing data for the ICO’s survey was 5 October 2023 and the outcome is awaited with interest.
In the meantime, more information in relation to privacy notices can be found on the ICO’s website, at Make your own privacy notice | ICO.
If you have queries in relation to an app you are using or developing, or require assistance with the drafting of a privacy policy, please contact our Technology and Data Protection team.
Lauren McFarlane, Associate: lmf@bto.co.uk / 0131 222 2939