As period tracker apps grow in popularity and utility, so does concern about what happens with the personal information users input. Unlike medical records held by doctors and hospitals, the information collected by health-focused apps isn’t covered by the Health Insurance Portability and Accountability Act (HIPAA), a 1996 federal law that limits where healthcare providers can share your health information.
That means health app makers are mostly free to do what they want with the data they collect. For instance, they may work with companies that analyze how users interact with the app to improve its design or function. Or they may share information with digital ad and marketing partners who use it to send personalized ads to users for, say, baby products, or to recruit new users. These partners may be giant tech companies like Facebook and Google, small tech firms you never heard of, or both.
Those external partners may then have a relationship with data brokers, who collect, aggregate, and combine personal information about you from a variety of sources to create a profile on you and in turn sell it to others. And there’s no way to really know who is getting that profile. A recent study by an advocacy group called the Norwegian Consumer Council examined 10 popular apps including Clue and found that they were collectively feeding personal information to at least 135 companies.
What’s more, even when your data is de-identified by removing identifiable information such as your name or email address, it can be combined with other information—such as your location, contacts, or unique identifiers in your phone—and traced back to you, research suggests.
“It is the ability of a mobile app to collect far more data about you than you’re telling it that can be harmful,” says Jennifer King, director of consumer privacy at Stanford Law School’s Center for Internet and Society.
While consumers may shrug at such sharing as a trade-off of the digital age, there’s emerging evidence of harm. Last March, for instance, the Department of Housing and Urban Development sued Facebook for housing discrimination, saying that the social media giant allowed advertisers to restrict who can see housing-related ads based on race, religion, sex, or disability. This information was gleaned from Facebook’s data mining activities, and then handed over to advertisers.
While the Facebook suit isn’t related to personal health data, it’s not hard to imagine that the information collected by period trackers—especially with some employers and health insurers licensing the apps to use as part of corporate wellness programs—could be used in ways that harm women, King says.
CR’s Mendelsohn agrees. “With issues like pregnancy discrimination still a concern for many women, those using reproductive health apps will want to be sure their private information stays private,” she says.
There’s a bipartisan effort in the Senate to address the problem with the Protecting Personal Health Data Act, introduced in June by Amy Klobuchar (D-Minn.) and Lisa Murkowski (R-Alaska). The proposed law, which CR supports, would require that mobile health technologies such as health apps and fitness trackers allow users to review, change, and delete health data collected by companies. Some states are also taking action. For example, the California Consumer Privacy Act of 2018, which went into effect this month, gives consumers similar protections.