A ‘data buffet’: Mozilla’s review of pregnancy and period trackers sheds light on data privacy concerns
Amid growing concerns about how data might be used to prosecute women looking for abortion care following the Supreme Court’s overturning of Roe v. Wade, a new report from Mozilla shows just how many ways pregnancy and period trackers collect and share advertising-related data and other info that also might be shared with law enforcement.
According to a review of 25 period and pregnancy tracking apps and devices conducted by Mozilla, researchers determined that 18 did not meet expectations for privacy and security standards. Instead, they found a “data buffet” of phone numbers, addresses, device IDs, IP addresses, unique advertising IDs — such as Apple’s IDFA and Android’s Google Advertising ID — along with sensitive info about menstrual cycles, sexual activity, doctor appointments and pregnancy symptoms. The report, released on Wednesday, also described how companies collect and share data for personalizing ads while most apps didn’t offer clear policies about sharing data with law enforcement.
“It’s the tip of the iceberg,” said Jen Caltrider, lead researcher for Mozilla’s Privacy Not Included initiative. “Literally everything can be used to track somebody seeking reproductive health care now … When abortion was illegal 50-something years ago, the internet didn’t exist. Now, literally, our whole lives online are being tracked and exist in the cloud. Yes, these raise concerns, but so many things raise concerns right now.”
The findings come as part of Mozilla’s “Privacy Not Included” initiative, which aims to help consumers make more data-conscious decisions when choosing various products and services by giving warning labels to apps they might want to think twice about using. For years, the Mozilla Foundation has focused on educating people about privacy issues while also using the topic as a differentiator for its Firefox browser. The new report also provides detailed explainers about each app’s policies and practices while offering tips for how users can better protect themselves by changing a variety of preferences.
As Roe v. Wade was being overturned, Mozilla’s team decided it should also look at period and pregnancy tracking apps, especially in a world where abortion is becoming illegal in some states. The report follows a similar review of mental health apps in May during Mental Health Month, which Caltrider said also revealed “horrible” examples of data collection and sharing.
Although federal law regulates personal health data in the context of health care providers, it doesn’t protect health data in the context of apps; The Health Insurance Portability and Accountability Act was enacted in 1996, just over a decade before the first iPhone was released. However, growing awareness and concern about how sensitive data could be used against women has made passing a federal data privacy law an even higher priority. The topic has also been part of discussions for the American Data Privacy and Protection Act (ADPPA), which last month reached a major milestone in Congress by moving past the committee stage.
“I think there’s been so much heightened awareness of the privacy risks associated with sharing health data since the Dobbs decision came down,” said Caitlin Fennessy, vp and chief knowledge officer at the International Association of Privacy Professionals. “It did add impetus to the ADPPA and we saw a focus on how it addresses sensitive data and the extent to which that would bring in protections for individuals.”
Some apps have already faced legal and regulatory scrutiny. Last year, the Federal Trade Commission settled a case against Flo Health after the app shared user data with marketing analytics firms including Facebook and Google after promising to keep information private. Meanwhile, a class action lawsuit filed last year alleged Flo secretly collected data about users’ pregnancy attempts that was then shared with third-party companies. (The same lawyers also filed a separate lawsuit against Meta last month alleging the platform showed personalized ads based on existing health issues.)
Most of the apps flagged by Mozilla did not respond to Digiday when asked for a response about the findings. However, a spokesperson for Flo said in an email that the company doesn’t share health data externally and that making revenue from user data “would go against our core promise to our users.” (The spokesperson also noted Flo completed an “external, independent” privacy audit in March and announced a new “Anonymous Mode” in late June that will let users remove identifiers from their profiles.)
“Our Sprout Pregnancy app has always been privacy-focused and is one of the only pregnancy apps on the market that does not require an account to use the app (no username or password),” the Sprout spokesperson wrote. “And the app data is only backed up to the user’s personal iCloud or Google Drive account.”
In the case of Maya, the period tracker claims it won’t share identifiable information but does share “anonymized” information with advertisers. But Mozilla also noted a Privacy International report in 2019 that found Maya was sharing sensitive info with Facebook including mood and sexual activity. Other apps’ ad capabilities seem more limited. For example, with Philips Digital-owned Pregnancy+ app, Mozilla noticed that the app encourages people to choose the “Gold” version for customized features including personalized advertising.
Mozilla isn’t the first organization to review pregnancy and period app privacy policies. Last month, the Organisation for the Review of Care and Health Apps (ORCHA)—an independent organization in the U.K. that reviews health care apps for government agencies—found that 84% of the 25 trackers and 24 app developers it reviewed shared data with third parties. While 68% shared data for marketing purposes such as contact lists, just 40% did so for research or to improve the app.
Alessandro Acquisti, professor of information technology and public policy at Carnegie Mellon University, described Mozilla’s findings as “a perfect example of how pervasive and yet insidious the costs of [losing] privacy can be.” That’s because personal information and the value of data changes depending on the context.
“Losing one’s privacy therefore may mean as little as being served online ads you find intrusive, or as much as losing your reproductive rights,” Acquisti said via email. “In fact, the costs of losing privacy can be so diverse that they are hard to anticipate until they eventually materialize. This makes it difficult for all of us to fully realize the value of privacy ex ante.”
More in Marketing
TikTok has officially launched its new e-commerce platform, TikTok Shop, earlier this month on August 1. Using the new e-commerce platform, brands and creators can sell products directly on the platform, potentially creating new revenue streams, and tap into the short-form video platform’s growing popularity.
‘The influencer industry can be really vile’: Confessions of an influencer marketer on the industry’s unfair hiring practices
While the influencer industry might sound exciting and like it’s full of opportunities, one marketer can vouch for the horrific scenarios that still take place behind the scenes.
After a tumultuous 12 months, marketers are getting a clear picture of how they really did during a time of true uncertainty. And, as it turns out, it wasn’t all that bad.
Ad position: web_bfu