Adrienn Heiszter for Pexels

Users of “femtech” should be concerned—in a post-Dobbs world, their personal data could be used against them

With the overturning of Roe v. Wade, users of “femtech”—apps used to track reproductive health, menstrual cycles, and fertility—should be concerned that their data could be weaponized against them.

These apps collect deeply personal information, including a woman’s age, dates of past periods, sexual activity, birth control usage, and pregnancy. When this data is aggregated together, it becomes clear whether she has had an abortion. For example, proof that a woman was in an early stage of pregnancy one month, and then resumed a regular menstrual cycle the next, could be evidence that she chose to abort that pregnancy. The fear is that in a post-Dobbs world, this could be used as evidence to prosecute her. (And it could also lead to civil liability in states like Oklahoma or Texas, where citizens can sue people who provide abortions or assist others in doing so.)

What are the current regulations in place that protect this data?

U.S. privacy law leaves femtech—and how it collects, stores, and discloses data—largely unregulated.  That is because the law governing healthcare privacy, the Health Insurance Portability and Accountability Act (HIPAA), doesn’t apply.  Femtech falls outside of the scope of HIPAA, which regulates only health plans, health plan clearinghouses, and healthcare providers—or their associates—that transmit protected health information.

The Federal Trade Commission doesn’t meaningfully protect a user’s data either. Femtech apps are subject to the FTC Act—which prohibits “unfair or deceptive acts or practices”—and the Health Breach Notification Rule. Taken together, these ensure that femtech’s data practices are governed only by their own privacy policies.

Because of the lack of federal regulation, many are looking to the states to act.  The measures states implement should directly respond to the ways in which law enforcement can access this personal data.

How would law enforcement access this data?

First, law enforcement can obtain this data from a femtech company directly, if equipped with the right paperwork, like a subpoena, court order, or search warrant.

But because of the lack of privacy and security regulations, there are other ways in which law enforcement can get ahold of this deeply personal information without a warrant.

Second, law enforcement could purchase this data from femtech companies directly, or any third parties who have access to it—and there are many that do.  An example of this occurred in January 2021, when the FTC ordered Flo Health, the company behind the popular “Flo Period Tracker” app, to notify its users that it shared unrestricted access to their data with marketing services like Google and Facebook. These services would then target consumers more effectively by matching health information with their profiles. The app did this despite promising users their information was kept private.

And there is evidence that police departments are already purchasing data from third-party companies to gather information in criminal investigations, often with little public accountability.  The Associated Press reported last month that over two dozen police agencies had contracted with a service called Fog Reveal to track people’s movements for “months back in time.”   Like in the case of Fog Reveal, femtech companies—or any purchasers of this data—could sell it to law enforcement for a profit.

Third, cyberhackers could steal the data and reveal it to law enforcement. There is proof that this type of information has already been the subject of ransomware-fueled cyberattacks, which are on the rise. Just last month, cyberhackers broke into the data reserves of Medibank, an Australian health insurer, and released lists of customers who had obtained abortions on the dark web. A victim of the attack described it as “completely horrific” because of the breach of privacy. In a jurisdiction where abortion is illegal, anyone listed could be criminally liable.

Recommendations for preventing law enforcement from accessing this data

Individual states—or the federal government—could pass legislation to make this data inadmissible in abortion prosecutions by amending their rules of evidence.  This is akin to the rape shield law, which bars the use of evidence of “other sexual behavior” against a victim in a rape case.  Similar to this law, a woman’s data from her femtech app—revealing her fertility, sexual behavior, and menstrual cycles—would be inadmissible against her in an abortion prosecution.

This approach, either at the federal or state level, would get to the heart of the issue: ensuring that a woman’s personal data gathered by femtech apps cannot be used to criminalize her. Even if the government were to subpoena femtech companies for this information, her data would still be inadmissible in a courtroom.

There are lower-level protections, too, that should be put in place to ensure law enforcement does not access this data without a warrant, whether by purchasing it from femtech apps and brokers or by obtaining it from cyberhackers who reveal it online.

First, Congress could expand the current definition of “covered entities” under HIPAA, bringing femtech under its scope. User data would then be protected under the law’s privacy and security protections. These outline how entities can disclose personal health data to third parties, preventing apps from selling user data without consent. This also would ensure that the apps implement safeguards against security threats, such as cyberattacks and ransomware raids. That way, law enforcement would be prevented from purchasing the data directly, or from being made aware of it because of cyberhackers.

Second, states should step in to close the gap on these privacy protections.  States such as California, Nevada and Vermont have laws that require data brokers to register with the state, or ensure consumers have the opportunity to opt-out of third-party sales.   This would ensure that users are in control of their own data, preventing it from falling into the hands of law enforcement.

Third, while not a legal solution, more femtech companies should take steps to protect their consumer base.  There are signs that apps are beginning to act on this; shortly after Dobbs, the Flo app announced the creation of an “anonymous mode” setting, so that users can use the app without any identifiers.

But without any government regulation, private companies—and their sales-driven systems—will be the deciders of how a woman’s personal data is used and shared.  In today’s post-Dobbs world, that might dictate who is prosecuted in abortion cases.

Julia Logue

GLTR Senior Legal News Editor; Georgetown Law, J.D. expected 2023; Vanderbilt University, B.A. 2017. © 2021, Julia Logue.