For any person facing the challenges of navigating period irregularity, predicting fleeting windows of fertility while trying to fall pregnant or anticipating the whirlwind that is PMS – a period tracking app in your pocket that takes the legwork out of understanding your body’s cycle can feel like a godsend.

If you’ve never delved into the world of period tracking apps, they essentially exist to do one thing: paint a crystal clear picture of our menstrual cycles and provide a better understanding of our bodies, so we can take better care of them.

Not such a bad thing, right?

The seedier problem lurking in the shadows of the positive empowerment that period tracking apps afford is that many of their privacy policies give the big green tick to sharing your most sensitive and intimate information about your body, emotions and sexual health with third-party organisations.

We’ve all been guilty of hastily tapping ‘I agree’ on an application’s privacy T&Cs before, but if we knew that our sensitive information could potentially affect our future employment, promotions, targeted advertising and even our ability to apply for credit, we might be a little more thorough before signing up.

Here’s why data privacy is such a prevalent issue when it comes to the abundance of period tracking apps that Kiwi women (and women around the world) are using.

Why does the information we log into period tracking apps need to be sensitive?

While controlled by the user to an extent, the intimate information recorded by period tracking apps is becoming increasingly in-depth and potentially problematic. Each application’s functionality varies slightly, but most apps offer the ability to record:

  • The frequency, duration and ‘heaviness’ of menstruation

  • When users have sex

  • If users are trying to get pregnant

  • The types of contraception (if any) someone is using and whether they’re using them effectively

  • Physical symptoms such as blood pressure, swelling, acne, headaches, or cramps

  • Emotional symptoms such as mood swings, sensitivity, or fluctuating energy levels

Over time, the app will collate data to predict how and when menstruation will affect you. This is some of the most sensitive information a person could offer about their body, and you’d expect that apps collecting it would treat it with a proportionate degree of sensitivity.

Unfortunately, recent whistle-blowers both in the US and here in New Zealand have uncovered that this is not the case. This sensitive information is being shared with third-party organisations – and there are a lot of people who are buying that data. 

Who are the third-party organisations interested in menstrual cycle data?

First and foremost, your data is being collected and sold for advertising.

A study conducted by Consumer Reports showed that popular apps, including BabyCenter, Clue, Flo, My Calendar, and Ovia share their users’ data with third-party partners who then use the information to target you on digital advertising channels. This is how the app developers monetize their platforms, as users can use them for free.

A recent New Zealand Herald article reported that multiple period tracking apps are sending data to tech giant Facebook:

“When Maya [a period tracking app] asks you to enter how you feel and offers suggestions of symptoms you might have — suggestions like blood pressure, swelling or acne — one would hope this data would be treated with extra care,” the report said. “But no, that information is shared with Facebook.”

This is happening right on our doorstep, too. In fact, in her Mirror article, Kiwi woman Talia Shadwell says she finds the idea of her technology knowing she is pregnant before she does "unsettling".

“It became clear Facebook actually thought I was pregnant. Like many women, I use a period tracking app to chart my monthly cycle. Yesterday, I opened the app to make an update, only to find an alert flashing at me. It was informing me that my period was very, very ‘late’… I had simply forgotten to log last month’s cycle properly, and, because I have notifications for that app turned off, I hadn’t noticed when I didn’t complete the entry… I corrected my cycle, and almost instantly the baby ads just stopped.”

The misuse of information doesn’t stop at advertising, either. According to Daniel Markuson, US digital privacy expert at NordVPN, the massive amounts of highly personal data logged in period trackers are not protected under the Health Insurance Portability and Accountability Act (HIPAA), a federal law that restricts with whom healthcare providers can share health information.

Insights into potential diseases provide financial institutions with information about higher risk customers before entering into a deal with them. Higher risk means higher prices and thus fewer chances of getting life or health insurance.

Dena Mendelsohn, CR’s senior counsel on privacy and technology policy, notes that having your personal health information disseminated could have serious repercussions.

“It could, for instance, affect your ability to obtain life insurance and how much you pay for that coverage, increase the interest rate you’re charged on loans, and even leave you vulnerable to workplace discrimination. And because you usually don’t know who has your data, you may never know if you’ve experienced any of those harms.”

Fortunately, some apps such as Flo have stopped sharing user information with Facebook after the Wall Street Journal revealed last February that the app shared detailed personal data with Facebook, such as whether a user intended to become pregnant.

Are New Zealand Privacy Laws protecting us?

Fortunately, here in NZ, there are laws in place to protect us from the types of data exploitation that occur with some period-tracker apps. Just this year, key changes to the Privacy Act 2020 were passed in parliament, with the intention of more heavily regulating the information that companies could collect. As our lives are now lived in part online, our data policies have changed to reflect this.

The Act now includes a new privacy principle to regulate the way personal information can be sent overseas and clearly states that it has extraterritorial effect. This means that an overseas business or organisation that is ‘carrying on business’ in New Zealand will be subject to the Act’s privacy obligations, which is particularly relevant to period-tracking apps that have been created offshore.

Application developers are also required to comply with certain Privacy Act requirements from day one of development, including being open and transparent about how your data will be collected and used, collecting and keeping only the data that is needed, and obtaining meaningful consent.

In saying that, there are some loopholes you need to be aware of if you’re looking to use these apps, despite our New Zealand Privacy laws that are protecting us.

  • First and foremost, if you don’t read the privacy policy when you download an app and hit ‘agree’, this could be considered as ‘meaningful consent’ and the period tracking app will have control of your sensitive data.

  • The Privacy Commissioner doesn’t have the ability to dish out massive fines like those you’d see in the UK, EU and USA, so the consequences for big corporations like Clue, Flo and My Calendar are almost worth the risk. As global law firm DLA Piper states:

    “This means the Privacy Act remains a bit of a ‘toothless tiger’ relative to other global data protection laws.”

  • Finally, individuals don’t have the same rights as data subjects in other countries, such as the ‘right to be forgotten’ or the right to data portability. That means once you’ve agreed to sharing your data on an application like a period tracker, it’s nearly impossible to reverse.

How can you keep your data and information private?

If you want to keep sensitive information, like the last time you had sex, the heaviness of your period flow and the frequency of your cycles, safe from third-party applications, there are a few things you can do.

  1. Be careful when setting up privacy controls. If you can reduce the amount of access you give an app to your phone (like photos, microphones, and location services) you reduce the amount of data it can collect from you.

  2. Always carefully check with whom the app is sharing your data and modify the list whenever possible. You should be able to do this within the app settings, and if you can’t, that’s a red flag in itself.

  3. Protect your app with a password. Password managers, such as LastPass, can help you generate very secure passwords and save them for you through an online extension.

  4. Log your data privately by only allowing apps to log data when a VPN connection is enabled.

  5. Do not use the same email address for correspondence and app logins, and avoid logging in through Facebook or your Google Account. If you can, use an unassociated email address that can’t be traced back to you.

After all, as eloquently put by privacy expert Daniel Markuson:

“Data logged in period apps should be treated the same way nudes are. When in the wrong hands, it can have financial implications and even lead to cyberstalking or harassment.”