The privacy of individuals who use mobile health apps — in particular, menstrual health and similar apps — was thrust into the spotlight with the U.S. Supreme Court’s decision to overturn Roe v. Wade, with users concerned about how their sensitive health information might be shared and for what purposes. This concern is driven by the fear that states which ban and criminalize abortion may seek relevant health data from app providers to identify and prosecute individuals who obtained an abortion out of state or otherwise circumvented their home state’s statute. As a result, mobile health apps are now responding to a flood of user concerns and forced to analyze the implications to user data and their respective services in order to protect and maintain users — and their business.
While the implications of overturning Roe v. Wade will undoubtedly evolve with time, these are the top six privacy impacts of the decision on mobile health apps:
1. Privacy Notices May Need to be Amended
Recent changes in privacy laws both in the U.S. and globally have led to increasingly complex privacy notices. Companies often draft broad notices that give the business as much flexibility as possible in terms of the data they collect, how they may use it and who they may share it with. Not only does this approach give the business some flexibility regarding how they can leverage user data in the future, but it also provides some legal cover. Specifically, the FTC’s general position on privacy — based on Sec. 5 of the FTC Act — is “do what you say and say what you do.” By including broad data collection, usage and sharing rights in their privacy notices, companies mitigate the risk of processing data in the future in a manner not initially disclosed to consumers. With the decision to overturn Roe v. Wade, app providers may want to reconsider this approach and instead, limit their processing activities (actual or potential) to give users comfort that their data will be used only for specific and limited ways — and only the minimum information necessary will be collected and maintained (as discussed in point 2 below). A first, and critical, step in giving users this comfort is updating the privacy notice to reflect the new, limited scope of processing.
2. Data Collection May Need to be Limited
Unless specifically limited by law, mobile app data collection practice generally includes collecting more data than necessary. While there can certainly be benefits to this approach to data collection, it may expose a user to further scrutiny and risk if their sensitive data is subpoenaed. Mobile health apps should consider scrutinizing data collection and analyzing the benefits of such collection versus the risk to a user if such data was obtained and shared. If a mobile health app does limit data collection to what is necessary, disclosure of such a practice may provide users with the comfort they need to continue use of the mobile health app.
3. Location Tracking May Need to be Disabled
Although location data can be utilized to support marketing or other consumer analysis, enabling location tracking may increase the risk of user data being linked to a specific location if their data is subpoenaed. Mobile health apps should consider disabling location tracking or only collect it with the user’s informed opt-in consent. When location data is collected, it should be permanently deleted as soon as the data is no longer relevant or the purpose for collecting it has been achieved.
4. Data Disclosures Should be Scrutinized
Where a mobile health app shares or sells collected user data with a third-party, these third parties should be closely scrutinized to ensure their data practices are in alignment with the mobile health app’s practices and that users are fully aware of the contemplated sharing and consent to it. For example, if sold to or shared with certain third parties, a user’s health app data may be combined with other data to obtain a more complete user profile than intended. Where mobile health apps do enter into any sort of data sharing agreement, these privacy concerns and agreements should be clearly outlined in their contract. Further, avoid selling or sharing sensitive health data whenever possible.
5. Consumer Education Should be Provided
User education is an important piece of data privacy. Users should be educated about their own responsibility to protect their data through responsible sharing. One such example may be to prompt users to use browsers with private networks when clicking any link in an app that may lead to an external link.
6. Data Security Practices Should be Reviewed and May Need to be Increased
Mobile health apps should scrutinize their data security practices, analyzing both their own security as well as the security of any third party through whom user data or the mobile health app platform can be obtained. Especially in states that ban and/or criminalize abortion, there is growing concern of cyber attackers seeking to obtain relevant health data from app providers in an effort to expose or identify and report individuals who have sought an abortion out of state or through other means. Where mobile health apps contract with third parties, they should ensure their contracts address data security to protect sensitive user data.
We will continue to monitor any changes in this area, including any guidance directly intended for mobile health apps.