Period-tracking apps can be a lifesaver for users who want to track their symptoms, view predictions about upcoming cycles and even plan whether they want to conceive or not. In a world in which Roe v. Wade is overturned, privacy experts are concerned that those apps could be forced to hand over some of users’ most private ovulation information.
This isn’t a new worry: Researchers have long waved the privacy flag over the collection of data around people’s sexual lives, medication intake and more. Some period-tracking apps, like FEMM, openly state that third-party platforms could use their data for targeted advertising. Other data has reportedly been used for academic studies and by data analytics providers. But if states outlaw abortion altogether, those apps could be subpoenaed for data on individual users, and that data could then be used as evidence against people who choose to terminate their pregnancies.
It’s a dystopian fear, but not out of the realm of possibility. In fact, it’s happened before: A woman was charged with second-degree murder after a prosecutor used her online searches for abortion pills to imply motive after she lost her pregnancy (although the charges were later dropped). There aren’t many laws preventing period-tracking data from being purchased or requested by police once a user consents to data collection, though some apps limit the collection of information or store it locally on a user’s device.
When users install period-tracking apps and start logging their cycles, they agree to a certain loss of privacy. After all, they have to hand over some information for the apps to effectively predict future cycles, estimate ovulation windows and help monitor their period symptoms. Most users expect that data to remain private, but there’s no guarantee. Most period-tracking apps collect data that can then be shared with advertisers.
“Anything that could be shared with advertisers can be shared with law enforcement,” India McKinney, the director of Federal Affairs at the Electronic Frontier Foundation, told Protocol.
Cycle-tracking apps — and health apps in general, for that matter — aren’t protected by the same privacy protections as patient privacy rules under HIPAA, meaning apps aren’t prevented from sharing this data. McKinney said that makes health-tracking apps of interest to third parties. “Abortion services? Maybe not profitable, but certainly of interest,” she said.
McKinney said in states where restrictive abortion laws have gone into effect, that information could be turned over to a third party if subpoenaed. Say, for example, you live in a state where miscarriages are illegal (there are none, but some state laws are so vague that people have been arrested after pregnancy loss). McKinney said if law enforcement was investigating whether a miscarriage took place and had reason to believe a period-tracking app might have evidence, they could request that data. Even if the app anonymized data, McKinney said it’s easy to re-identify users.
Popular period-tracking apps like FEMM, Flo, Ovia Health and Clue collect a range of personal information, like the length of someone’s period and whether a person had protected and unprotected sex, as well as identifying information like emails and IP addresses. The data is self-reported, but users might not realize that the benefits of tracking their periods might open them up to legal action if abortion is outlawed. Some apps, like Flo, say they don’t hand over any user data to third parties, but McKinney said the fact that they own this user data means it could be requested by law enforcement, and that’s not an uncommon ask. What is unusual is the amount of deeply personal health data that could be exposed if abortion becomes criminalized.
A representative for Clue said health data is “kept private and safe.” The app is required to comply with the EU’s General Data Protection Regulation law, which sets guidelines for collecting and processing personal information, although it’s unclear if those protections extend to U.S. users.
“All our users’ health data is stored on servers in the European Union,” a spokesperson told Protocol.
Representatives for period-tracking apps FEMM and Ovia Health did not return requests for comment.
It’s unclear what kinds of privacy changes these apps might implement if abortion laws become more restrictive.
Evan Greer, deputy director of the nonprofit advocacy group Fight for the Future, said the ability for apps to collect data that could be used by third-party platforms or law enforcement highlights the need for users to better understand consent when using these apps. People may allow an app to collect this sensitive data without realizing it could be used elsewhere.
“Many people just don't actually know what risks are associated with handing over sensitive data to these companies,” Greer told Protocol.
Greer said an important factor is the way an app stores data — some store it in the cloud, where it can be analyzed and shared with advertisers, and some store information locally on a user’s phone. User data in Planned Parenthood’s period-tracking app, Spot On, is stored locally. “No one but you has access to it — not even our developers,” the organization said in 2019. Period-tracking app Euki has the same policy.
At the core of this issue is a lack of federal privacy protections that would require apps to encrypt data and store it locally on a user’s device, said Carrie Baker, a professor of gender, law and public policy at Smith College. The U.S. doesn’t have any singular law that accounts for all types of data collection.
“Our laws around privacy, generally, are not written for the current technological environment,” Baker told Protocol. “They’re not anticipating the kinds of issues with regard to security and privacy that people need to be thinking about today. And I think the abortion issue is just one very frightening example.”