24 October 2023
The “femtech” revolution has grown to encompass a wide range of technology-enabled and consumer-centric products and apps designed to enable better outcomes for female patients and consumers. One example is Flo, a women’s health app which invites its more than 100 million global users to enter daily – and personal – details about their menstrual cycles with a view to tracking their periods and fertility.
In September 2023, the UK Information Commissioner’s Office (ICO) announced that it was reviewing period and fertility apps following a poll which revealed that over half of women using them had concerns over data security. The poll also showed that over half of the women who use the apps believed they had noticed an increase in baby- or fertility-related adverts since signing up.
To kickstart the consultation, the ICO invited women to respond to a three-question survey, one question of which asked respondents to give details “of any positive or negative experiences around the use of your personal information by period tracking apps or fertility tracking apps”. Respondents were also asked to name the app or apps involved.
The ICO has confirmed that it is considering whether users may experience harmful consequences from, or be negatively impacted by, the way their personal information is used or shared with these apps. It is also considering whether there may be examples of “good practice” in the way these apps handle personal information and, more generally, whether app privacy policies are unnecessarily complicated or confusing, leaving users uncertain about what data they have consented to sharing.
The ICO’s review raises questions about these apps, what they are doing with users’ data, and the extent to which users are entitled to assume that their personal health data remains private.
In the US, internet non-profit Mozilla studied more than 20 pregnancy and period tracking apps for privacy and security features and described the results as “grim”, with many apps failing to meet minimum security standards and offering unclear policies surrounding user data. Of particular concern in the US is the extent to which the data held by these apps may be used by law enforcement to prosecute women seeking abortion in states where this is now illegal.
Between 2016 and 2019, Flo Health, Inc. (the company behind the Flo app) passed on certain intimate health details of its users to marketing and analytics companies like Facebook, Google and AppsFlyer, resulting in a complaint by the Federal Trade Commission. The app eventually stopped sharing the data, but only after its practices were exposed in the US media.
- with users’ consent, it may share non-health personal data with AppsFlyer (a mobile marketing platform) for marketing and promotional purposes (the policy states that non-health data includes technical identifiers (IP addresses, etc.), as well as the user’s age group and subscription status);
- in some situations, Flo engages other companies to process personal data on its behalf. Amazon Web Services, Inc., and Cloudflare, Inc. are cited as examples;
- the app uses Google reCAPTCHA services in payment pages on its website;
- the app may aggregate, anonymise or de-identify personal data so that it cannot reasonably be used to identify users; and
- in what is described as “special circumstances”. This is said to include the provision of personal data in response to court orders or legal processes.
On the face of it at least, the policy reflects the concerns raised by the Federal Trade Commission and suggests that whilst the app is processing users’ personal health data, that information is not shared with third parties. It will be interesting to see what the outcome of the ICO consultation is and whether this aligns with users’ overall experience. Targeted marketing may well be the result of a user’s age group being shared, rather than of the app having shared details of a user’s menstrual cycle.
This raises a different set of questions about the balance between privacy concerns and scientific advancement within women’s health (in particular, these apps can provide invaluable insight into a number of conditions including PCOS and the impact of the Covid-19 vaccine on menstrual cycles), as well as broader questions about whether period tracker apps are “wellness” apps or are in fact health apps which should be subject to greater scrutiny and regulation.
As a starter for ten, a privacy notice will at the very least need to include:
- the types of personal data being collected;
- where the data has come from;
- what is being done with the data;
- what is the lawful basis for processing the data;
- who the information is being shared with;
- how long the information is being held; and
- the contact details of an individual within the organisation to whom data related queries can be directed.
The issue of consent should be at the forefront for any company or organisation that processes personal data. Consent requires offering individuals a real choice and control over how their data is used. It must be freely given, and consent requests must be prominent, unbundled from other terms and conditions, concise, easy to understand, and user-friendly. Whether period tracking apps meet this threshold remains to be seen. The closing date for the ICO’s survey was 5 October 2023 and the outcome is awaited with interest.
In the meantime, more information in relation to privacy notices can be found on the ICO’s website, on its “Make your own privacy notice” page.
Lauren McFarlane, Associate: email@example.com / 0131 222 2939