Last week, reports emerged in the UK of concerned public health experts calling for public alternatives to commercial period tracking apps. Their research shows that women’s personal data is at great risk.  

More and more people who menstruate make use of period tracking apps, also referred to as ‘cycle tracking apps’ (CTAs). The European market for these apps was valued at EUR 400 million in 2023 and is expected to grow by 15% in the next 5-10 years. Part of the wider and expanding business of ‘FemTech’, period tracking apps allow users to report, monitor, and predict their menstrual cycle. In some cases, apps also make use of machine learning to predict periods and ovulation over time, as well as detect cycle irregularities (see for example Flo).  

These apps raise considerable risks and challenges to rights, including risks to data privacy. In countries where reproductive rights are threatened, it is obvious how this data, once in the wrong hands, can have serious consequences – particularly for the most vulnerable, such as those seeking safe abortion care.  

Organisations have criticised the insufficient consent acquisition of these apps, for example where users may consent to the privacy policy, but these policies are found to be inaccessible, overly long, and complicated to understand. Predatory advertising techniques may also make use of period tracking data, pushing users to purchase private fertility products or services. Further, data may be shared with third parties, which may also include location data.  

All these challenges raise serious questions as to how users’ rights are protected.  

Limited Legal Protections in the EU 

In addition to personal data protection as a human right, in the European Union (EU), menstrual data is governed by the General Data Protection Regulation (GDPR) at Art. 9, which provides extra protection to special categories of data, such as medical information. The processing of such data is forbidden, with the exceptions laid out in Art. 9(2), such as explicit consent by the user or when processing is needed to protect the user’s vital interests, for example, in case of unconsciousness.  

Despite these protections, compliance with the GDPR has been lacking. According to a 2022 audit, nearly 80% of FemTech apps failed to obtain user consent for specific personal data uses, time-bound data retention and obscured third-party partnerships in their cookie options.  

While the medicalisation of menstruation should be avoided, there are legal protections in the EU’s Medical Devices Regulation (MDR) that could serve to protect the privacy of people using period tracking apps. Under the MDR, medical devices can only enter the market when they comply with strict quality and safety rules. However, FemTech apps only fall under this legislation if they meet the conditions laid out in Art. 2 MDR. When considered medical devices, applications must undergo several steps including clinical evaluation and ongoing post-market surveillance. As a result, many applications, in general, deny having a ‘medical purpose’ and define themselves as ‘wellness’ or ‘lifestyle’ tool to avoid these regulatory requirements.

Towards a Digital Fairness Act?  

Future avenues governing the use of period tracking apps could include the upcoming Digital Fairness Act.  

In October 2024, the Digital Fairness Fitness Check was published by the European Commission. This report delved into the current state of consumer protection in the EU through the lens of the Consumer Rights Directive, the Unfair Commercial Practices Directive, as well as the Unfair Contract Terms Directive. The results show that current rules need to be adapted to specific practices that occur online. Ultimately, consumers feel that they are not always in control of their online experiences due to the use of dark patterns – deceptive practices and tactics used to manipulate consumers.  

Several of these highlighted dark patterns may also be used by period tracking apps. Practices such as unknowingly granting permissions, buried data-sharing, and ‘obfuscation through legalese’ are all examples that may lead consumers agreeing to practices that they do not fully comprehend. As a result, their data privacy may not be ensured.   

Given the highly sensitive nature of the data collected by period tracking apps, better regulation of online practices may be necessary to redress current legal gaps in regulation and implementation.  

At the time of writing, the European Commission has an open consultation on the Consumer Agenda 2025-2030. This provides the opportunity for input directly from consumers. Given the identified shortcomings and challenges that FemTech apps pose, the European Commission must seize this opportunity to provide stronger regulation of these harmful online practices and integrate health-related concerns across policies.

Authors:

For more information on HAI’s work on digital rights and health, visit our website here: https://healthai.haiweb.org/  

Tags
Print or PDF
Print this page
Download this page