Need to know
- Fertility apps often collect extremely sensitive and intimate data, then keep it for too long or share it with others, exposing it to 're-identification' and data breach risks
- Their privacy policies are confusing and claims such as 'we never sell your data' are potentially misleading
- Many apps are not transparent about the data they trade with and collect from other companies.
Fertility apps collect extremely sensitive and intimate data about our cycles, health, pregnancies, and sex lives.
There is growing concern over the handling of this data, which is often kept for too long (exposing it to data breach risks) and disclosed to other companies on a supposedly 'de-identified' basis (when there are real risks of re-identification).
The apps' privacy policies, messages and settings are often confusing and potentially misleading. An app might claim "we never sell your data", but the fine print might say the whole database can be sold to another company as a business asset.
And many are not fair or transparent about the data they trade with other companies, including extra information they collect about the consumer from data brokers and the disclosure of your usage data, which can allow companies to predict sensitive information about your health and circumstances.
What is a fertility app?
We use the term 'fertility apps' to cover mobile apps that assist consumers in tracking their menstrual cycles, ovulation and potential fertile windows if they're attempting to conceive, and stages of pregnancy up to birth.
How we compare
We examined the privacy terms of 12 of the most popular fertility apps used by Australian consumers (taking into account downloads, apps installed and active usage).
We examined the privacy policies, in-app messages and settings of each of these apps in February and March 2023 to determine the extent to which they protect the consumer's privacy. We had regard to the quality of the privacy information and choices they give consumers, and the extent to which they indicate that they restrict the collection, use and disclosure of personal data to limit the risk that the consumer will be humiliated, excluded, exploited or exposed to data breaches.
We did not include apps that depend on the consumer buying a wearable device, like an Apple Watch or a Fitbit, that tracks biometric data directly using sensor technology, or apps that track a baby's development from birth. These raise different and important issues, which deserve to be considered separately.
We have grouped the apps into three categories – apps to avoid, apps to be cautious of and one that stands out from the others but could still be improved.
Apps to avoid
BabyCenter is a pregnancy app that was bought by Everyday Health Inc, which also owns the What to Expect app. This is why their privacy policies are identical and equally focused on sharing users' data for profit. Everyday Health Inc is owned by US marketing technology company, Ziff Davis, which includes its tracking technologies in the app.
Glow Fertility, Glow Nurture, Eve by Glow
Glow Inc operates several apps, which allow users to track their periods, sex lives, and pregnancies. Glow's privacy terms and settings generally indicate that it gives users less privacy by default to serve its commercial purposes.
In 2020, Glow settled a lawsuit brought by the Attorney General of California alleging breach of medical privacy and data security laws concerning "clear basic security flaws that put its users' data at risk".
Ovia Fertility and Ovia Pregnancy
The Ovia ovulation and pregnancy apps are owned by a company that is part of the US drug development corporate group, Labcorp.
The apps ask for remarkably wide-ranging and sensitive information in their "Health Questionnaire" and sell "de-identified" health information to other companies.
What to Expect
What to Expect is a pregnancy app owned by Everyday Health Inc, which later bought the BabyCenter app. This is why their privacy policies are identical and equally focused on sharing users' data for profit. Everyday Health Inc is owned by US marketing technology company, Ziff Davis, which includes its tracking technologies in the app.
Apps to approach with caution
The Clue app is renowned for its founder's goal to use the health data collected for research purposes.
It collects extensive highly personal information, such as data about reproductive health conditions, masturbation, use of sex toys, orgasms and painful intercourse, and does not give confidence that this information will be adequately de-identified before it is disclosed to others.
Flo is the most popular fertility app in Australia and invests heavily in advertising that it respects your privacy. The app developer faced a complaint by the US Federal Trade Commission in 2020 alleging it misled consumers regarding privacy practices, which led to two class actions against it in the US.
The app is now operated by a company of the same name subsequently set up in the United Kingdom by the same founder as the US company.
While Flo settled the complaint brought by the US Federal Trade Commission regarding alleged privacy breaches and denied wrongdoing, we await the outcome of the US class actions that allege Flo made misrepresentations about its data sharing with Google and Facebook.
My Calendar provides some options that can assist users in protecting their privacy, but it takes a disturbingly hands-off approach, for example by claiming that it is "not responsible for circumvention of any privacy settings or security measures". (It should be responsible if it has not taken reasonable steps to secure your data.)
Period Calendar is one of three apps marketed by Hong Kong-based Abishkking Ltd, "a fitness and health mobile apps development company". It provides some options that can assist users in protecting their privacy, but diminishes users' privacy in other ways, for example by sharing revealing usage data with Google Analytics, which can be used for Google's "own advertising network".
The Pregnancy+ app is owned by a company in the Philips Avent consumer goods group. Philips creates a profile of your preferences, behaviour and characteristics from tracking your activities in the app and says this profile is disclosed to other companies such as its "affiliates".
Preferred (but not perfect) apps
The Natural Cycles app does not have perfect data privacy terms, but it stands out as an app that makes a real effort to give clear information and choices about your data as you open and set up the app.
The app is operated by a Swedish company that focuses on reproductive health and is governed by the stricter privacy laws of the European Union.
Privacy reform urgently needed
Potentially misleading privacy claims and settings in fertility apps deserve scrutiny by our regulators under both the Privacy Act and the Australian Consumer Law. We also need urgent reform of our Privacy Act to protect the highly sensitive information held by such app developers, including:
- stricter security obligations, such as rules requiring companies to specify a limited retention period after which personal information will be deleted to avoid unnecessary data breach risks and obligations to protect "de-identified" information
- a requirement that companies' collection, use and disclosure of our data should always be "fair and reasonable", rather than expecting consumers to try and police companies' data practices themselves
- clarification that technical identifiers and "usage data" connected to an individual are "personal information" covered by the Privacy Act obligations.
CHOICE consumer data advocate Kate Bower says "Australia's Privacy Act is woefully out of date and this research shows the potential harms to consumers of not having law that is fit for purpose.
"Stronger consumer protections are urgently needed to ensure that the highly personal and sensitive data collected by these apps is protected and that businesses can't exploit the data for profit."
The research for this project was funded by a grant from the UNSW Allens Hub for Technology, Law and Innovation. You can read the full report here.