In 2019, Privacy International (PI) investigated several popular period-tracking apps across the world to examine how they handle users' privacy, particularly the sharing of users' period data with Facebook. We performed a dynamic analysis of ten popular period tracking apps using our data interception environment (DIE), which allowed us to see whether and where these apps were sharing user data. The most popular apps we looked at did not appear to share data with Facebook, but the other apps we examined that still boasted millions of downloads appeared to engage in some extensive sharing of sensitive user cycle data with third parties including Facebook. Our research exposed serious concerns around these apps’ compliance with data protection laws, as well as around companies’ responsibility and accountability when it comes to third-party data-sharing.
Since then, data protection and privacy regulations have been ramping up, with increased expectations for user privacy protection in the form of regulations like the European Union (EU) Digital Services Act, the AI Act and continued enforcement of the General Data Protection Regulation (GDPR).
Considering these changes over the past several years in the privacy and political landscape, as well as technological changes such as the expansion of cloud-based services and the AI industry, we undertook another technical investigation into how period tracking apps are handling user data five years later and the implications for users’ privacy.
As we will expand on below, our research found that, overall, period tracking apps were not sharing users’ cycle data with third parties as egregiously as we found for some apps in 2019. In the course of our investigation, however, we did observe several categories of third parties that many apps were integrating for different purposes, such as advertising software development kits (SDKs) or application programming interfaces (APIs) to service certain app functionalities, and these third parties often processed some degree of the user's personal or device data. The various technical approaches that period tracking apps utilise to service their apps warrant scrutiny in a politically volatile realm. In our report, we explore the various technical methods built into period tracking apps, such as integrating third party deployers and storing user data on servers, and we conclude with how these practices raise crucial questions for the future of privacy in the femtech space.
Building on our findings from our previous research, we sought to investigate the data management and sharing practices of menstruation apps with third parties beyond Facebook, as well as to assess whether some of the apps we looked at the first time around had improved their practices as they have claimed.
The WomanLog app, developed by Pro Active App SIA, is a Latvia-based period tracking app with over 10 million downloads that features an 'Intelligent Assistant' chatbot.
Stardust is a New York-based astrology-themed period tracking app that has recently risen in popularity, having received a spike in downloads in the U.S. following the overturning of Roe v. Wade.
Read our analysis of our research findings, including the limitations of the method, the use of advertising and analytics SDKs, other third-party developer tools, content delivery networks, non-local storage, data minimisation, and the future of privacy.
Our research has introduced questions about the right to privacy when apps have the potential to share a range of user-related data. This is a particular concern for people using apps in countries where there are restrictions on access to abortion. In the US, after the overturning of Roe v Wade
In 2019 PI undertook dynamic analysis of various menstruation apps using its own data interception environment to look at the data they share with Facebook.