Personal Data Tracking in a Post-Roe World


The U.S. Supreme Court’s decision in Dobbs v. Jackson Women’s Health Organization to overturn Roe v. Wade, and the subsequent criminalization of abortion in several states, has led to a number of privacy-related questions and concerns. In particular, there is a real concern that the data collected by health apps, including period-tracking apps, along with internet search history and geographic location information, could be used in certain states to prosecute individuals who seek to terminate a pregnancy.


The data collected and stored by these apps is valuable beyond the cycle-tracking features intended for the end user. This data can provide third parties the ability to know which individuals are pregnant, trying to get pregnant, or trying not to get pregnant. This is valuable data to marketers, to be sure, but with the potential for criminal liability in some states for terminating a pregnancy, many are questioning whether it is wise to continue using these apps at all. 

Collecting Sensitive Data

Cycle-tracking apps have become extremely popular due not only to their cycle and fertility prediction capabilities but also to their convenience. One such app, Flo — the self-proclaimed “No. 1 period and cycle tracking app” — reports that it has been chosen by over 230 million users globally. For better or worse, these apps provide far more robust tracking capabilities than the age-old paper tracking system: marking cycle dates on a paper calendar.


In a typical cycle-tracking app, users can enter information about the start and end of their period, how heavy or light it may be on any given day, their methods of birth control, their physical and sexual activity, mood, and other symptoms. The apps then use this information to predict when a user’s next period may come, when the user might be most fertile, and if the user has missed a period and should take a pregnancy test. Some apps then continue to track the baby’s development based on the time of conception, and guide users through a countdown to their due date. 

When Does HIPAA Apply?

Many individuals incorrectly believe that the information collected by cycle-tracking and other health apps is protected under the Health Insurance Portability and Accountability Act (HIPAA). However, the U.S. Department of Health & Human Services Office for Civil Rights (OCR) has issued guidance stating that HIPAA generally does not protect the privacy or security of a person’s health information when it is accessed through or stored on a personal mobile device. This means that a person’s internet search history, geographic location, and other information voluntarily shared online would not be protected under HIPAA and could therefore be shared with third parties. 

In addition, HIPAA does not apply to an app, or the information collected by that app, unless it is provided by a covered entity or business associate — a category into which most cycle-tracking apps do not fall. The guidance also cautions that simply downloading or using a health app may be enough to give the developer permission to collect, retain, or sell the user’s information to data brokers, marketing and analytics firms, law enforcement personnel or others.

Law Enforcement Made Possible by Data

While there have been no reported cases of law enforcement requesting information from period-tracking apps in the prosecution of someone who has had an abortion, parallels have been drawn between this (currently) hypothetical scenario and the common practice of tech companies cooperating with law enforcement requests for information, particularly in cases of child exploitation. 


When requesting such information from an individual directly, law enforcement would need a warrant. But when requesting the information from a third party — such as from a cycle-tracking app — only a subpoena is needed. The same is true for internet search history and location data. In fact, Google specifically states in its privacy policy that it “will share personal information outside of Google if [it has] a good-faith belief that access, use, preservation, or disclosure of the information is reasonably necessary to meet any applicable law, regulation, legal process, or enforceable governmental request.”


It is difficult to fully shield oneself from a system designed to gather as much information about a person as possible and then to monetize that information by sharing it with other third parties. Even the most privacy-centric companies — such as Apple — can be forced (or simply persuaded) to release data they have collected and stored regarding an individual being investigated by law enforcement.


The solution, then, is for a user to limit the amount of information tracked or collected by an app or website in the first place. In today’s digital world, this is not easy, but users can be more selective in the apps they use — making sure to select apps with strong privacy policies and practices — and in the information they provide to apps and websites. This includes turning off location sharing except when an app is in use and only if needed for the app’s functionality. 


Unfortunately, this does not completely solve the problem, so users — especially those living in states where abortion is or could be a criminal offense — may want to consider whether to revert to the low-tech paper and pen tracking system.

Elam’s passion for technology is the driving force behind her digital risk advisory and cybersecurity practice at BakerHostetler. She works closely with clients to guide them through incident response and data breach investigations, including coordinating digital forensic investigations of data security incidents, determining breach notification obligations, and overseeing implementation of restoration efforts. As a Certified Information Privacy Professional with a Master’s degree in Information Technology, Elam bridges the gap between legal, business and technology perspectives for clients.

Stupart is an Associate at BakerHostetler and a member of the Digital Risk Advisory and Cybersecurity team. His practice focuses on helping clients avoid potential data security breaches, as well as guiding them through the response process if an incident occurs. He is a Certified Information Privacy Professional with a degree in Business Administration and Computer Information Systems. As a former prosecutor and defense attorney, Stupart has a unique perspective that enables him to better advise his clients and prepare them for various situations that might arise.