100 Days Post-Roe: This FemTech Lawyer Broke Down Everything You Need To Know About Data Privacy And Period Tracking Apps To Protect Yourself Online

Consequently, states with abortion access have subsequently received an influx of patients. In August, clinics in Illinois reported that 86% of patients came from out of state, with the increase in patients causing three-week wait periods. 

FYI: Femtech is a portmanteau of "female health technology," such as period tracking apps. The term was coined in 2016 by Danish entrepreneur Ida Tin, the founder of the period- and fertility-tracking app Clue. According to McKinsey, femtech has since "grown to encompass a range of technology-enabled, consumer-centric products and solutions," with estimates of its current market size ranging from $500 million to $1 billion.

In fact, the Nebraska case isn’t the first time something like this has happened (though it is since Roe has been overturned). Back in 2017, Mississippi police used a woman’s phone data and search history for abortion pills to charge her with second-degree murder.  

Similarly, it's less likely that law enforcement officers would know to subpoena data from your period tracking app. "They have to have reasonable suspicion in order to issue that subpoena or court order to get your data," Bethany explained. "Where are they going to find that? It's likely going to be more mainstream channels, like social media and Google searches."

So then why the heat on period tracking apps? Well, probably because they’re the ones openly collecting reproductive health data. If Clue or Eve were subpoenaed for user data, it’s more likely to be for a case involving reproductive health than if a big tech company were subpoenaed. 

To give you a better idea, between Jan.–June 2021 in the US, Google received more than 50,907 government requests for user data and produced data for 82% of requests, while Meta received more than 63,657 government requests for user data and produced data for 89% of requests.

For certain apps, the service is the data, like your internet searches on Chrome or your geolocation on Uber. "Truthfully, we're just in an environment in which that data can be used, sold, and disclosed, without any further consumer say," Bethany commented. "You don't have a meaningful way to negotiate that data or to negotiate how it's going to be used or to opt in."

Essentially, the FTC requires companies to disclose how they collect and use your data in transparent, accurate privacy policies. So if a company wants to sell your data to a third party, they can so long as it's clearly stated in their privacy policy. What that third party then does with your data is irrelevant — it's on you to read their privacy policy. Plus, privacy policies are not absolute. Companies can and must update them whenever they change their data practices, so read all updates too. By continuing to use the app, you're consenting to the updated privacy policy.

For a real-life example: In 2019, the FTC filed a complaint against Flo for misleading users after the Wall Street Journal reported that the period tracking app had been sharing users' data with marketing and analytics firms, including Facebook and Google, despite Flo's privacy policy stating it wouldn't send such information to third parties. "Flo could have legally sold data to Facebook if it had just said that in its privacy policy. It was the fact that it said it was not dealing with that express action that got it in trouble with the FTC," Bethany explained.

Beyond femtech, HIPAA-covered entities — like your healthcare provider with whom you share your medical history — can still be subpoenaed. "A lot of people don't realize there's a permissible disclosure in HIPAA for law enforcement and court orders. So, technically, if your provider got a subpoena to turn over your data, they could do it lawfully," she added.

This is, in part, why activists — from Black Lives Matter activists to sex worker activists — have been calling for encrypted data and messaging for years.  

On that note, in recent years, Facebook Messenger has begun offering an encrypted messaging feature that users can opt in to for individual chats. You can activate encrypted messaging per chat by selecting the "i" icon in the top-right corner, and then choosing, "Go to secret conversation" under the "More actions" section.

"In today's world, there's very little that cannot be reidentified if somebody tries hard enough and has the right technology. It might be anonymous until it gets into the wrong hands," Bethany cautioned. In fact, a 2019 study found that 99.98% of Americans would be correctly re-identified in any dataset using 15 demographic attributes (such as age, zip code, birthdate, marital status, etc.).

If you’re curious about how data can be deidentified and reidentified, consider the data that an app could collect about you: name, birthdate, address, email, phone number, geolocation, gender, etc. Obviously, data like your name or address could directly identify you, whereas data like your zip code or gender could indirectly identify you. By scrubbing certain identifiers, data can be anonymized, and indirect identifiers — though ambiguous separately — can reidentify users when properly combined.

"Unless you’ve gone through and physically deleted all of the data off your phone — which, to be honest, probably also lives in some type of a backup online — law enforcement is going to get access to that data," Bethany said.  

For instance, New York has enacted laws to protect patients and healthcare providers from states "looking to impose their policies" and "punish providers beyond their borders." This involves preventing law enforcement from cooperating with out-of-state agencies, i.e., enforcing out-of-state subpoenas or court orders. Connecticut has similarly enacted "safe harbor" laws, while California, Oregon, and Washington have banded together to launch a "multi-state commitment” defending reproductive healthcare access and protecting patients and healthcare providers alike from punitive states. 

These protective laws are in stark contrast to "bounty hunter laws," such as Texas’s Senate Bill 8 (SB8 for short). Passed in 2021, it incentivizes citizens to sue anyone who’s helped someone have an abortion by rewarding them a cash “bounty” if they win. SB8 has inspired similar laws in Idaho and Oklahoma.   

You can find state laws around abortion via the Guttmacher Institute’s State Legislation Tracker here and their interactive map of US abortion policies here.  

Pre-Roe, a 2019 report by Trustwave found that a healthcare data record is worth up to $250 on the black market, while a payment card, the second most highly valued record, is worth $5.40. 

"It's because there's so much information in there that somebody can go and use to steal your identity. You can't change your health data like you can change your credit card number," Bethany explained. And with states banning abortion, the value of health data has skyrocketed.  

In a fight for the right to bodily autonomy — in a society that simultaneously denies reproductive healthcare, refuses reproductive health education, stigmatizes reproductive health resources, and places the onus of bodily regulation and pregnancy entirely on those with a uterus — technology that enables us to privately educate ourselves and autonomously manage our health is villainized. 

And while limiting the data you enter into a period tracking app may provide a greater chance of privacy, the apps naturally work best and make the most accurate predictions when you provide more information.