A ‘data buffet’: Mozilla’s review of pregnancy and period trackers sheds light on data privacy concerns
Amid growing concerns about how data might be used to prosecute women looking for abortion care following the Supreme Court’s overturning of Roe v. Wade, a new report from Mozilla shows just how many ways pregnancy and period trackers collect and share advertising-related data and other info that also might be shared with law enforcement.
According to a review of 25 period and pregnancy tracking apps and devices conducted by Mozilla, researchers determined that 18 did not meet expectations for privacy and security standards. Instead, they found a “data buffet” of phone numbers, addresses, device IDs, IP addresses, unique advertising IDs — such as Apple’s IDFA and Android’s Google Advertising ID — along with sensitive info about menstrual cycles, sexual activity, doctor appointments and pregnancy symptoms. The report, released on Wednesday, also described how companies collect and share data for personalizing ads while most apps didn’t offer clear policies about sharing data with law enforcement.
“It’s the tip of the iceberg,” said Jen Caltrider, lead researcher for Mozilla’s Privacy Not Included initiative. “Literally everything can be used to track somebody seeking reproductive health care now … When abortion was illegal 50-something years ago, the internet didn’t exist. Now, literally, our whole lives online are being tracked and exist in the cloud. Yes, these raise concerns, but so many things raise concerns right now.”
The findings come as part of Mozilla’s “Privacy Not Included” initiative, which aims to help consumers make more data-conscious decisions when choosing various products and services by giving warning labels to apps they might want to think twice about using. For years, the Mozilla Foundation has focused on educating people about privacy issues while also using the topic as a differentiator for its Firefox browser. The new report also provides detailed explainers about each app’s policies and practices while offering tips for how users can better protect themselves by changing a variety of preferences.
As Roe v. Wade was being overturned, Mozilla’s team decided it should also look at period and pregnancy tracking apps, especially in a world where abortion is becoming illegal in some states. The report follows a similar review of mental health apps in May during Mental Health Month, which Caltrider said also revealed “horrible” examples of data collection and sharing.
Although federal law regulates personal health data in the context of health care providers, it doesn’t protect health data in the context of apps; The Health Insurance Portability and Accountability Act was enacted in 1996, just over a decade before the first iPhone was released. However, growing awareness and concern about how sensitive data could be used against women has made passing a federal data privacy law an even higher priority. The topic has also been part of discussions for the American Data Privacy and Protection Act (ADPPA), which last month reached a major milestone in Congress by moving past the committee stage.
“I think there’s been so much heightened awareness of the privacy risks associated with sharing health data since the Dobbs decision came down,” said Caitlin Fennessy, vp and chief knowledge officer at the International Association of Privacy Professionals. “It did add impetus to the ADPPA and we saw a focus on how it addresses sensitive data and the extent to which that would bring in protections for individuals.”
Some apps have already faced legal and regulatory scrutiny. Last year, the Federal Trade Commission settled a case against Flo Health after the app shared user data with marketing analytics firms including Facebook and Google after promising to keep information private. Meanwhile, a class action lawsuit filed last year alleged Flo secretly collected data about users’ pregnancy attempts that was then shared with third-party companies. (The same lawyers also filed a separate lawsuit against Meta last month alleging the platform showed personalized ads based on existing health issues.)
Most of the apps flagged by Mozilla did not respond to Digiday when asked for a response about the findings. However, a spokesperson for Flo said in an email that the company doesn’t share health data externally and that making revenue from user data “would go against our core promise to our users.” (The spokesperson also noted Flo completed an “external, independent” privacy audit in March and announced a new “Anonymous Mode” in late June that will let users remove identifiers from their profiles.)
“Our Sprout Pregnancy app has always been privacy-focused and is one of the only pregnancy apps on the market that does not require an account to use the app (no username or password),” the Sprout spokesperson wrote. “And the app data is only backed up to the user’s personal iCloud or Google Drive account.”
In the case of Maya, the period tracker claims it won’t share identifiable information but does share “anonymized” information with advertisers. But Mozilla also noted a Privacy International report in 2019 that found Maya was sharing sensitive info with Facebook including mood and sexual activity. Other apps’ ad capabilities seem more limited. For example, with Philips Digital-owned Pregnancy+ app, Mozilla noticed that the app encourages people to choose the “Gold” version for customized features including personalized advertising.
Mozilla isn’t the first organization to review pregnancy and period app privacy policies. Last month, the Organisation for the Review of Care and Health Apps (ORCHA)—an independent organization in the U.K. that reviews health care apps for government agencies—found that 84% of the 25 trackers and 24 app developers it reviewed shared data with third parties. While 68% shared data for marketing purposes such as contact lists, just 40% did so for research or to improve the app.
Alessandro Acquisti, professor of information technology and public policy at Carnegie Mellon University, described Mozilla’s findings as “a perfect example of how pervasive and yet insidious the costs of [losing] privacy can be.” That’s because personal information and the value of data changes depending on the context.
“Losing one’s privacy therefore may mean as little as being served online ads you find intrusive, or as much as losing your reproductive rights,” Acquisti said via email. “In fact, the costs of losing privacy can be so diverse that they are hard to anticipate until they eventually materialize. This makes it difficult for all of us to fully realize the value of privacy ex ante.”
More in Marketing
In the packed DealBook conference in New York yesterday, owner Elon Musk bluntly told them to shove it.
WorkTok, or CareerTok, is in full force. Combined, those hashtags on TikTok have over four billion views and it is benefiting Gen Z.
In this week’s Digiday+ Research Briefing, we examine how brands have been upping their TikTok investments this holiday season, how Lyft and the MSG Sphere are positioning themselves as ad opportunities beyond OOH, and how publishers are committing to building their events businesses in 2024, as seen in recent data from Digiday+ Research.