When Private Information Isn’t Private

By Maggie Gorini

We smartphone owners volunteer countless bits of information into the apps that rule our lives. Do we all carefully read the privacy policy for a new app before clicking the “agree” button? Probably not. Some information is hardly sensitive, from recipe searches to cat videos. Some information, however, is incredibly private: passwords, bank statements, or medical results, and every day more of it becomes digitized. 

While there is a wide variety of health information apps on the market, from exercise trackers to glucose monitors, a growing number of menstrual cycle tracking apps have been developed to record users’ sexual history, pregnancy intention, pregnancy status, and other intimate details. Millions of women worldwide have downloaded a menstrual tracking app in recent years, but how comfortable are they with the possibility of their information becoming public? 

App developers for Natural Cycles, Flo, and dozens more are not medical providers in the traditional sense and are not legally obligated to adhere to health information privacy laws. The rules set down in the Health Insurance Portability and Accountability Act (HIPAA) do not automatically apply to these “femtech” companies, so called because they focus on software and hardware products geared specifically for women’s health. In fact, many health apps are not covered by (i.e., obligated to comply with) HIPAA despite behaving similarly to covered “health care clearinghouses.” Additionally, even if some companies decide to become HIPAA-compliant, as the period tracker Glow did in 2017, those changes are largely voluntary.

For example, the Natural Cycles privacy policy states that the company shares user information with third-party partners who process data points for user benefit. As most app users would agree, it is fairly reasonable to expect some sort of analysis from an app claiming to be birth control. However, giving data to external groups means user data protection is no longer controlled by Natural Cycles alone.

Some clauses within the policy are decidedly less reasonable. The company keeps personal and sensitive data for up to 5 years from the moment someone stops using their app. The company may disclose those data to regulators or use them in legal proceedings to protect the company and its partners. Formally requesting the data be erased does not ensure they will be deleted. There are cases where the company will not honor the request or will delay deletion. Natural Cycles also reserves the right to continue to process a user’s data if they have a “compelling legitimate reason…that outweighs [a user’s] interest, rights or freedoms,” or if they are involved in a legal case that requires the information.

Like many companies worldwide, they also take liberties with users’ data if the data are anonymized (personally identifiable information is removed) and aggregated (the data are pooled together in a big batch). The Natural Cycles privacy policy says in legalese that they allow affiliates, sublicensees, partners, designees, and assignees of the services to “use, reproduce, distribute, modify, adapt, prepare derivative works of, publicly display, publicly perform, communicate to the public, and otherwise utilize and exploit a user’s Anonymized Information.” In a nutshell, this means users agree to let their information be used broadly by a variety of other entities as long as it is anonymized.

While it is tempting to believe that anonymized information cannot be traced back to individuals, recent advances in data science suggest otherwise. Researchers from the UK and Belgium have devised an algorithm that can re-identify almost all Americans using 15 pieces of demographic information from a data set. The code and model for this algorithm have been posted publicly as a way to advance data privacy research and alert organizations to potential privacy threats. However, that does not mean femtech companies have adjusted their business models accordingly to protect users.

Most of Natural Cycles’s social media is understandably focused on menstrual education or app promotion. Occasionally, however, they post privacy-related content explaining that they do not (currently) sell user data to third parties. But their privacy policy doesn’t prevent them from doing so. Natural Cycles fails to make clear in their marketing materials that any information could be transferred or sold if the company, or even a segment of the company, were to be bought by a larger one. These data could become the property of a health insurance company if it purchased Natural Cycles (or even part of it) tomorrow, causing real repercussions for how an individual is treated as they try to buy a plan. It could also mean someone is skipped over for a promotion because their employer acquired information confirming they are trying to become pregnant.

We highlight Natural Cycles because its FDA clearance as a contraceptive can give users a false sense of security about the app’s safety (and effectiveness), but these privacy issues are endemic. Perhaps the most alarming example is the Femm app, a fertility tracking app developed by abortion and contraception opponents and promoted through religiously affiliated “crisis pregnancy centers.” Stay tuned for upcoming commentary on Femm and what using an app developed to promote a right-wing ideology might mean for your private health information.

While we are not recommending you wall yourself off from all new health applications, it is worth knowing exactly what you are agreeing to when you create yet another account on a platform. We hope you will consider what a new product means to you, read the privacy policy, and make the best decision you can given all the facts.

Maggie Gorini is the NWHN Policy Fellow