84% of 25 Women’s Health Period Tracker Apps Share Data with Third Parties

ORCHA period tracker report

A research team at ORCHA, the Organization for the Review of Care and Health Apps, has examined the privacy policies of 25 period tracker apps and revealed significant flaws. This follows the US Supreme Court’s decision to overturn the constitutional right to an abortion, leaving privacy experts concerned that data from period-tracking apps could be used to penalize anyone seeking to terminate a pregnancy.

Intimate data stored in some of these apps can show details of sexual activity, contraception used, and when the user’s period stops and starts. Amongst the 25 period tracker apps from 24 app developers it examined, ORCHA discovered only one single app which kept all the sensitive data on the mobile phone or device owned by the user.

Furthermore, 84% of the apps allowed the sharing of personal and sensitive health data beyond the developer’s system, with third parties. At 68%, the majority did so for marketing, 40% for research, and 40% for improving developer services of the app itself.

Amongst those sharing data with third parties, only one single app demonstrated best practice by explicitly asking users for permission within the app itself, rather than bundling this into the Terms and Conditions, which very few people read.

ORCHA believes there is an industry-wide issue with where and when users are asked for their permission to share their data. This often comes at the beginning of the app registration process, with new users being asked to tick overall consent to the Terms and Conditions and the Privacy Policy. Having signed away control of their personal data within minutes of downloading a new app, it then becomes hard to regain control. Five of the apps tested offered no email address or telephone number for the app developer, which would have allowed users to request that their data be deleted, although this is a legal requirement.

Tim Andrews, COO of ORCHA, said: 

“It would be best practice for an app to have a ‘consent’ page that’s easily accessed from the main menu. Each individual permission could then be ticked or unticked at any time. So, a user wanting to guarantee privacy, could easily change their mind and untick the permission to share with third parties.” 

Beyond sharing data with third parties, ORCHA found other data security concerns including:

  •  Almost half of the apps tested which processed personal and sensitive data, demonstrated poor compliance with HIPAA.
  •  Only two showed evidence of conformity to best practice certifications including ISO27001 and Cyber Essentials.

Jon Warner, U.S. President of ORCHA also voiced his concerns by adding:

 “With the recent decision by the US Supreme Court to overturn the constitutional right to an abortion, there is valid concern that data from popular period-tracking apps could be shared; leading to potential penalizations for those seeking to terminate pregnancies. Safeguarding digital information is a large concern for Americans right now, and it is vital that we take the necessary steps to ensure that we’re using safe digital tools that protect people’s privacy. ” 

  • To find out more details and discover two best practice apps, access the full report here.