Many women use health apps to track their periods, ovulation cycles, and sexual activity. However, a recent study has uncovered inconsistencies and contradictory data privacy policies among several popular apps.
Researchers in the UK identified “problematic practices, including inconsistencies” in data privacy within several female health apps. Their findings were presented this month at the Conference on Human Factors in Computing Systems in Honolulu, Hawaii, USA.
The study analysed 20 popular female health apps available on the US and UK Google Play Stores that offer services related to female reproductive health. The researchers examined the data privacy policies and practices of these apps.
They discovered that 35% of the apps had conflicting policies about sharing personal data with third parties. Additionally, it was found that user data could often be accessed by law enforcement or authorities.
Under the General Data Protection Regulation (GDPR), data regarding health, sex life, or sexual orientation is classified as “sensitive” in the EU and the UK and requires enhanced protection.
Privacy concerns have intensified, especially after the US Supreme Court’s decision in June 2022 to overturn Roe v. Wade, which had previously protected abortion rights in the country.
Lisa Malki, the study’s first author and a PhD student at University College London, said in a statement. “There is a tendency by app developers to treat period and fertility data as ‘another piece of data’ as opposed to uniquely sensitive data which has the potential to stigmatise or criminalise users.
It is vital that developers start to acknowledge unique privacy and safety risks to users and adopt practices which promote a humanistic and safety-conscious approach to developing health technologies.”
Lead investigator Dr Ruba Abu-Salma from King’s College London added: “Female health apps collect sensitive data about users’ menstrual cycle, sex lives, and pregnancy status, as well as personally identifiable information such as names and email addresses.
Requiring users to disclose sensitive or potentially criminalising information as a pre-condition to deleting data is an extremely poor privacy practice with dire safety implications. It removes any form of meaningful consent offered to users.”
Leave a Reply