Editor’s note: Katherine Yao is a writer studying Molecular Biochemistry and English at Yale University. Megan Ranney, MD, MPH, is a professor of emergency medicine and academic dean in the Brown University School of Public Health. The views expressed in this comment are their own. Read more opinion on CNN.
CNN
—
The very first question new users of Flo, a popular period tracking app, are asked is, “Are you pregnant?” People who are keen to start using the app probably don’t think too much before asking this question respond. But they should.


As we face a probable future in which Roe v. Wade is struck down by the Supreme Court are privacy experts and lay consumer Equally concerned that this and other digital data collected by period tracking apps could be used to track women seeking or having an abortion.
According to Emergen Research, a market research and strategy consulting firm, the “femtech” industry — a term coined by Ida Tin, founder of another menstrual tracking app called Clue — is projected to reach $60 billion globally by 2027 grow.
And no wonder! Our friends tell us that digital health apps, including period tracking apps, increase knowledge, help them manage premenstrual symptoms, and help with fertility tracking. Our patients often pull out their menstrual app to show us they can’t possibly be pregnant, or to remind us of the date of their last menstrual period. These apps are simply empowering.
But there is also a possible dark side. The mere fact that many of these apps collect and store your data in the cloud or on a server – instead of on your phone – is cause for concern.
Most of the well-known period tracking apps collect data on intimate details ranging from users’ menstrual cycles to their sex life to their medication intake. In 2020, Privacy International (PI), a non-profit advocacy group, asked five period tracking apps for the data they collected about a PI employee who agreed to use the apps for the project.
An app was found that stores answers to the most intimate questions on the company’s server, such as “What kind of relationship are you currently in?”. Another was found to collect approximate location data when the user interacted with the app. Other independent assessments came to similar conclusions.
This stored information is rarely under your control. Most digital health apps, including period tracking apps, are exempt from federal health privacy laws that govern healthcare providers. Period tracking apps are therefore fundamentally free to choose who they share your health data with – as long as they let you know about their privacy policies.
Flo specifically states in its privacy policy that it does not sell any personally identifiable information and does not collect such information without informing its users. According to the app, third-party providers help process users’ non-health-related personal data, mainly for marketing and functional purposes, and they ask users for consent according to their privacy policy before sharing some of this data. Some third parties provide basic services like web hosting and payment processing, while others are responsible for app analytics and ad targeting.
But just last year, the Federal Trade Commission (FTC) reached a settlement with Flo after discovering the company was sharing consumers’ fertility data with third parties like Facebook and Google. In so doing, the FTC claimed, Flo broke its promise to keep users’ health records private. According to the complaint filed by the FTC, Flo has not restricted how these third parties can use the data it received. Flo said in a statement that the settlement was “not an admission of wrongdoing.”
The FTC case showed us that while the role of third parties seems rather benign, the lack of federal regulations limiting the personal and health information that can be shared with them is problematic.
Equally, if not more problematic, is the possibility that data from period tracking apps could be subpoenaed and used as evidence to prove a criminal abortion. Whether non-health data could be used to indicate that a woman had an abortion is unclear. But the possibility of menstrual-related data from these apps being used in court as evidence that a woman terminated a pregnancy is a growing concern for lawyers and users. It’s worth noting that if you use other apps like a calendar to track your period, that data can be preloaded as well.
Imagine having your period every 28 days for years. Then, a month later, your period is gone. Then, either because you continue to miss your period or simply forgot to enter your menstrual data, you do not enter anything for the following months – only to continue with the period registration a few months later. This information could be preloaded. Then who says you didn’t have an abortion or miscarriage?
Eric Perakslis, chief science and digital officer at Duke Clinical Research Institute, points out that “loss of privacy is not harmful in and of itself… It’s only when someone does something bad with your data that things go wrong. “If you don’t have a comprehensive data protection law,” says Perakslis, “you at least need protection from these bad things.”
Unfortunately, this protection does not exist. And ample evidence from the healthcare sector – including reproductive health – suggests how easy it is to access sensitive data for “bad things”.
As Halle Tecco, an investor and women’s health advocate, points out, existing protective measures are inadequate. “Especially since women may have less confidence in the system because they have faced gender stereotypes and medical gaslighting throughout their lives, it’s important that we protect and respect privacy,” Tecco said.
At the political level, the federal government can and should strengthen digital health care. The Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH) were intended to provide comprehensive protections of personal health information. However, these protections are outdated and do not take into account a rapidly evolving healthcare system in which digital health apps are playing a growing, integral role. Government safeguards must expand to cover more healthcare facilities, including period-tracking apps, and explicitly prioritize and enforce individual privacy protections, rather than allowing organizations to simply rely on a user-consent model.
In the meantime, we – the end users – have a voice.
Both Perakslis and Tecco recommend users of period tracking apps ask the companies to fix it. In Perakslis’ words: “Tell them you can do better. Lock down your apps. Make your privacy policy clear. And create a policy that protects your users, not just your business.”
Of course, not all period tracking apps are bad. Piraye Yurttas Beim, Founder and CEO of Celmatix, a women’s health biotech, reminds us that “if it’s responsibly developed by good companies that are both working with regulators and committed to good privacy, there’s a positive Result. I would hate if women who use apps developed by quality companies gave them up.”
So: know what you are using. Before signing up for an app, read its privacy policy carefully and use nonprofit resources like the Electronic Frontier Foundation to educate yourself. Consider creating an anonymous email when signing up for the app. If possible, choose an app that stores all your data on your phone, which offers a much higher level of privacy.
And if you have doubts about the privacy of your data in the app you use, you should consider going back to what women did 15 years ago: track your periods with pen and paper.