ICO to investigate data security of period and fertility tracking apps


The ICO has recently launched a review of period and fertility tracking apps, focusing on concerns over data security and transparency.

The review follows a poll by the ICO in which a third of women said they used apps to track periods or fertility and over half expressed concern over the security of their data and how it was being used. The survey sought specific feedback on whether users had noticed an increase in online advertising of baby or fertility-related products and services since signing up: over half agreed that they had, with some describing this as distressing.

In response, the ICO is engaging with 11 period and fertility tracking apps available in the UK to explore how these apps process users’ personal information and their potential for harm and negative impact on users. Potential harms identified by the ICO include complicated and confusing privacy policies; apps requesting or storing excess amounts of user data; and users receiving unwarranted and potentially upsetting targeted advertising. The ICO has also issued a survey inviting users to share their experiences of using period and fertility tracking apps and plans to commission focus groups and user testing in the near future.

It is interesting to see the ICO actively engaging with the femtech sector, which is seen as a rapidly growing market. In a statement accompanying the press release, the ICO acknowledged that the misuse of period and fertility data is a significant concern for women and emphasised that it ‘will not hesitate to take regulatory action to protect the public [from misuse of women’s health data] if necessary’. The concern over harm caused by targeted advertising in this context may be related to the widely reported problem of women receiving pregnancy-related advertising following miscarriage; this has prompted several UK pregnancy and baby loss charities to publish guidance on how to avoid targeted advertising.

The ICO has historically been proactive in policing unlawful use of women’s personal information. In 2018, Emma’s Diary, a parenting club, was fined £140,000 for illegally selling personal information of more than a million women to the marketing division of Experian, which subsequently sold the information to the Labour Party to profile new mothers in the lead-up to the 2017 election. Another parenting club, Bounty, was fined £400,000 in 2019 (one of the largest penalties at the time under the pre-GDPR regime) for sharing its data on new mothers and mothers-to-be with third parties without users’ permission. The third-party recipients included a credit reference agency, a marketing firm, and a telecommunications company.

The ICO’s announcement is a reminder that organisations must be especially careful when dealing with special category data, which is subject to additional protections pursuant to the UK and EU GDPR. In addition to requiring a lawful basis under Article 6, processing of special category data must fulfil at least one of the conditions in Article 9 GDPR, such as explicit consent or the processing being necessary for health or social care purposes. Consequently, any use of the data for marketing or advertising purposes will almost certainly require explicit consent.

Healthtech companies are coming under increasing scrutiny over how they store and process user information, and privacy campaigners have expressed specific concerns about menstruation apps. Users are becoming increasingly aware of their privacy and data-related rights, and being able to demonstrate good data protection practices may become a key differentiating factor in the femtech market.