Many popular reproductive health apps are lacking when it comes to protecting users’ data privacy, according to a new report that highlights the potential legal risk to those seeking an abortion.
After studying 20 of the most popular period and pregnancy tracking apps, researchers at the nonprofit Mozilla Foundation found that 18 of them had data collection practices that created privacy or security concerns. The report also considered five wearable devices that track fertility, but raised no concerns about their data collection.
Many of the apps had vague privacy policies that didn’t specify what data could be shared with government or law enforcement agencies, said Jen Caltrider, principal investigator of Mozilla’s “Privacy Not Included” buyer’s guide to connected consumer products, which published the report.
Ideally, she said, companies would publicly commit to address data requests from law enforcement by seeking a court order or subpoena before handing over data, working to limit requests and alerting users to any requests.
Glow Inc., which makes four of the apps that Mozilla reviewed and flagged with privacy or security concerns, said in a statement that the company does not share personal information with anyone and “will never sell” user data. The company also said that it has a “comprehensive” set of features to protect user data, that it undergoes annual privacy and security reviews conducted by a third party, and that its employees receive privacy and security-related training.
Other companies listed in the report emphasized their commitment to data privacy in response to questions from The Times. Clue, which received an unfavorable privacy and security rating, said in a statement from May that “we will never transfer your personal health information to an authority who could use it against you.” Apple, whose Apple Watch was not assessed as a privacy concern, said health data is encrypted when synced to iCloud or when a phone is locked with Face ID, Touch ID, or a passcode. And Natural Cycles, one of the few apps to receive a favorable privacy and security rating, said in a statement that the company “is of the mindset that every app — even if they have strong privacy protections like ours — should work even harder to protect data on behalf of their user.”
“It gets very gray and very slippery very quickly,” Caltrider said. “It’s really hard to be sure what exactly is being shared and with whom.”
That could be a concern in states that began banning abortion following the Supreme Court’s reversal of the historic Roe vs. Wade decision.
Residents of California, where abortion is still legal, will receive some protection from state privacy laws. Californians have the right to access, delete, and opt out of the sale and sharing of their personal information.
“Small health apps that collect health information or even the Fitbit your doctor tells you to wear may not be HIPAA, but they are most likely subject to California law,” said Ashkan Soltani, executive director of the California Privacy Protection Agency, which implements and enforces state consumer privacy laws.
And starting next year, Californians will have additional protections, such as restrictions on a company’s ability to collect data for purposes other than its primary function.
These laws apply only to California residents, not to out-of-state travelers who come to California for an abortion. However, they could provide California consumers traveling to other states with additional protections for their data, Soltani said.
Consumers often want to protect their privacy but don’t know how, or see no immediate harm in not doing so, Caltrider said. But as monetization of user data continues to grow, consumers should see this as a “tipping point,” she said.
“The last time abortion was illegal, we had no internet. Digital surveillance played no role,” Caltrider said. “It’s very bad now. It’s time we really realized that there is harm when our privacy is violated.”