Femtech Apps Under Fire for Broad Sharing of Sensitive Data

By Mary Pieper

Women who use apps to track ovulation, menstrual cycles and pregnancy could be revealing intimate information about themselves not only to advertisers, but also to insurers and employers, privacy experts and lawmakers told Digital Privacy News.

“You have no idea” who has your data, said New York State Assemblywoman Linda Rosenthal, D-Manhattan. “This is a very in-depth invasion of your privacy if you stop to think about it.”

Allegations disclosed in recent news reports that the fertility app Premom was sharing user data without permission with Chinese advertising companies were just the latest instance of femtech apps coming under fire.

Last month, seven bipartisan U.S. senators wrote Federal Trade Commission Chairman Joseph Simons, calling for an investigation of the allegations.

The report, in The Washington Post, was based on research by the nonprofit International Digital Accountability Council (IDAC).

The council also wrote letters last month to Kwame Raoul, the attorney general in Illinois, where the app is based, as well as to Google.

“We believe there are differences between what Premom states in its privacy policies and what our technical tests reveal,” IDAC said in the letters.

The organization’s researchers said the app tracked and shared not only IP addresses, but also media access control (MAC) addresses with three Chinese advertisers, according to the Post report.

MAC addresses are unique identifiers primarily assigned by device manufacturers.

Premom, after being reached by the Post, said it would no longer share information with one of the Chinese companies, Jiguang. The Guangdong-based firm did not respond to requests for comment from Digital Privacy News.

Discrimination Issues

But Premom isn’t the only popular femtech app under scrutiny by digital-privacy experts.

Consumer Reports reported in January that its digital lab studied five leading period-tracking apps — BabyCenter, Clue, Flo, My Calendar and Ovia — and found they all shared information with advertisers and marketers.

CR researchers discovered Ovia went a step further by sharing data with insurance companies and employers through wellness programs.

This means a woman’s employer could learn if she was pregnant before she announced it publicly, or if she was trying to conceive, Assemblywoman Rosenthal told Digital Privacy News.

“You could be discriminated against because of it,” she said.

For example, if a woman was being considered for a promotion, her supervisor could decide against it because of the app’s data, Rosenthal said.

Ovia declined an interview request from Digital Privacy News.

Troubles Across the Atlantic

Last September, Privacy International (PI), the U.K. nonprofit, reported that the period-trackers Maya and MIA Fem appeared to be sharing sensitive personal information with third parties — including Facebook — before users even agreed to the apps’ privacy policies.

“This raises some serious transparency concerns,” the organization’s report said.

After PI shared its findings with Maya, the company said it had removed the Facebook core SDK and Analytics SDK software from the app.

The company said, however, that information would still be shared with the Facebook Ad SDK.

“The Ad SDK helps us earn revenue by displaying ads that our users can opt out of by subscribing to Maya’s premium subscription,” the company told PI, according to news reports.

MIA also responded to the organization’s probe but said it did not want its comments made public.

Privacy Policies

A number of femtech apps disclose in their privacy policies that user data is shared with third parties.

However, a recent Pew Research Center survey revealed that consumers typically do not read privacy policies — and of those who do, a sizable minority say that they don’t fully understand them.

“Moreover, it’s likely that many consumers assume that the sensitive health data collected by these apps are already covered by strong health privacy laws like HIPAA,” Maureen Mahoney, a Consumer Reports policy analyst, told Digital Privacy News.

The federal HIPAA law protects Americans from having their medical information shared without their consent, but it does not cover health apps.

It was passed in 1996, when the concept of apps didn’t yet exist, Mahoney explained.

“Consumers need meaningful privacy protections over this data to ensure that it isn’t used or shared in ways they may not have anticipated,” she said.

Other Data Concerns

Jennifer King, director of the Consumer Privacy Center for Internet and Society at the Stanford University Law School, said that some femtech apps asked users for extremely sensitive information, including whether they used birth control.

Although apps often promise that any data they share will not be individualized, if a woman works for a small company, her supervisors easily could identify her through such app data as age, according to King.

“There’s lots of concerns there,” she told Digital Privacy News.

For example, if she’s the only woman under 30 working in a certain department, the data would be a giveaway, King said.

Legislators Taking Action

Lawmakers on the state and national levels are taking further steps to protect the privacy rights of users of femtech and other health apps.

In June 2019, U.S. Sens. Amy Klobuchar, D-Minn., and Lisa Murkowski, R-Alaska, introduced the Protecting Personal Health Data Act.

One provision would create a national task force to address the cybersecurity risks and privacy concerns of consumer products that handle personal health data.

In addition, Rosenthal consulted with Consumer Reports’ Mahoney before she introduced a New York State Assembly bill in July that would create a privacy standard for electronic health-tracking companies to keep the data from being shared without user permission.

It also would allow users to revoke the consent at any time and require the apps to destroy information when accounts are deactivated.

Mahoney also has worked with California State Assemblyman Ed Chau, D-Monterey Park, on a bill he introduced in February to extend the state’s HIPAA analogue, the California Medical Information Act (CMIA).

If the legislation is passed, Mahoney said it would provide more protection to state residents than the California Consumer Privacy Act — as Chau’s bill would have an “automatic” opt-out regarding data being shared with third parties.

“It would be privacy by default,” Mahoney told Digital Privacy News.

This is critical, she stressed, because some apps force users to go through “confusing multiple steps” to opt out of the data-sharing.

‘Emotional Damage’

Even if employers and insurers don’t obtain data from femtech apps, just having their personal information shared with advertisers can feel intrusive, Stanford’s King said.

She said women reported suddenly seeing online ads for diapers and formula after they started using a pregnancy app, for instance.

“The internet suddenly knows you’re pregnant.”

And the ads don’t stop coming even after a woman has a miscarriage, King told Digital Privacy News.

“There’s emotional damage that comes with that.”

Mary Pieper is a writer in Iowa. 

CCPA and Femtech Apps

The California Consumer Privacy Act, which took effect Jan. 1, provides some protections for femtech app users, but they are limited.

California residents now have “a handful of rights” when it comes to personal information companies collect on them, Jennifer King, of the Consumer Privacy Center for Internet and Society at the Stanford Law School, told Digital Privacy News.

For example, consumers may receive a written copy of what data is being collected, she said.

They also can get companies to delete the information they have on them, as well as opt out of having their data sold to third parties.

However, these basic protections only apply if a company meets any of these conditions:

  • Has a gross annual revenue of more than $25 million.
  • Buys, receives or sells personal information of 50,000 or more California residents, households or devices.
  • Derives 50% or more of its annual revenue from selling California residents’ personal information.

The CCPA also does not apply to non-profit organizations or government entities.

Mary Pieper
