FemTech: Top data protection tips for period and fertility-tracking apps

For many, including myself, there are huge benefits of understanding your menstrual cycle not only for fertility but to receive predictions for the start of future cycles and to examine a variety of other cycle-related factors. These apps can provide a valuable means to doing so. Indeed, the FemTech sector has grown significantly in recent years, and currently provides a wide range of healthcare products and consumer-centred solutions for women. Encouraging as this is, the compliance of fertility and period-tracker apps with data protection law in the UK and EU has come under scrutiny, particularly with respect to their data sharing practices, and even data security.

Following the announcement by the Information Commissioner’s Office (ICO) of their review into how period and fertility-tracking apps process user information, my data protection colleagues David Hall and Robert Beveridge, carried out an assessment of the data protection compliance of a small sample of apps and provide their top tips for FemTech app providers.

The ICO reports that it recently carried out a poll of fertility and period-tracker app users, and the poll revealed that:

• 59% of respondents had concerns about how up-front, clear and open the app providers are about their use of the app user’s personal data
• 57% were worried about the security of the personal information they'd submitted
• Over half of respondents reported an increase in the number of baby or fertility-related adverts that were directed to them after they signed up with some apps. By implication, the increase was unexpected, unwanted, or both.

Users of some FemTech apps are understandably concerned about how clear and open the app providers are about data usage, and worried about data sharing (and, by extension, security). Users are concerned because they see or sense that the information given by the app providers is either missing, doesn’t evidently relate to or describe the app, is unintelligible (or tiresome), or fails to anticipate and answer the risks perceived by the users. 

Our own assessment revealed that the apps tested were lacking in compliance to varying extents and in different ways with data protection laws in the UK. If current practices continue, app providers risk being subject to regulatory action by an (evidently) watchful and alert ICO. 

So, what can FemTech and other app developers do to address these concerns? Here are our top tips for those who want to meet their user’s and the ICO’s expectations in relation to data transparency:

• Carry out a data protection impact assessment and involve a sample of your users in the exercise.  Get them to tell you what’s important from their perspective, so you can make your compliance measures more focused.
• Build the user interface so it gives information about data usage at the appropriate time, eg when the user inputs or verifies the data, or when they’re ticking preferences and other options.
• Provide a ‘headlines’ privacy notice (led by the consultation that you conduct with your users) as well as the more detailed one. Consider using graphical elements to make your messaging more instantly accessible and intelligible, a little like attaching brand names and logos to special product features.
• Don’t lay yourself open to the charge of hiding behind detail in privacy notices, and carefully avoid missing out information that’s a priority to users or is required by law.
• If you rely on consent, ask for it. Make sure the app records the user’s decision, and that the app and recipients of the user’s data (if any) respect the decision.
• Encourage your marketing, operational and technical teams to work more closely with the legal team. If you find that the lawyers tend to say ‘no’ or lack confidence or sufficient technical insight, change them (or encourage the in-house team to take a steer from external experts).
• If your business model for the app relies on revenue from data sharing, find a way to either give users the option of paying for the service in a different way, or to inform the user so they can make a decision early on to use a different app or use yours with discretion.

The ICO’s findings are true of many other types of app, so it’s a real shame that the criticism has landed in this, of all technology segments. However, FemTech app providers have an opportunity to react strongly and show other developers the way forward.

If you are an app developer and would like to know more about how your app can better meet your user’s expectations and comply with ICO’s expectations in relation to data transparency and UK data protection law, please get in touch with David Hall or Robert Beveridge.