Policy Paper

The Role of State Attorneys General in Protecting Sensitive Health Information Collected by Menstrual and Ovulation Tracking Applications

Download PDF

Authors

Contributors

Share

Summary

State attorneys general can play a key role in either protecting or exploiting Americans’ sensitive reproductive health information. Some attorneys general work to inform their constituents of their rights to privacy and reproductive health care through actions like consumer alerts, hotlines, guidance and advisories. These efforts work to safeguard reproductive health data from being wrongfully exploited by those who would use it to harm individuals seeking critical healthcare, including and exercising their right to a legal abortion. Moreover, several attorneys general continue to utilize their powers and authority to work in collaboration with states across the country to adopt privacy and security measures to defend and expand reproductive freedom. Further, state attorneys general are uniquely positioned to hold companies, including digital fertility tracking applications, accountable for violating privacy protections as guaranteed by state and federal laws.

Introduction

The ability for individuals to control the use of their personal data, in particular their sensitive health information, is at the forefront of privacy law. The concern regarding how personal information is controlled has led to the development of data privacy laws in 6 states, with many more introducing legislation to forge their own pathway to privacy protection. Although technology companies have historically been able to share and sell users’ private data, the Supreme Court’s decision in Dobbs v. Jackson Women’s Health Organization, No. 19-1392, 597 U.S. ___ (2022), which overturned Roe v. Wade, thereby outlawing abortion in several states, has generated significant concern that menstrual and ovulation tracking applications (apps) may be weaponized against people who are seeking or may have had an abortion.

Period tracking apps collect personal health data, including menstrual cycle information, and often share this data with third-party advertisers and researchers. These apps allow women to track their cycles for a variety of reasons, including: to predict period and ovulation dates, to provide insight into their fertile windows, and for signs they are missing their period. These are services the tracking apps claim to provide assuming women undergo a 28-day menstrual cycle. The use of period tracking apps are common in the United States. A study by the Kaiser Family Foundation found that one third of women in the country use a tracking app.1

Privacy policies regarding how the information is stored and used in these apps vary among companies. Certain businesses may provide data to data brokers, utilize the information for advertising purposes, distribute it for research purposes, or retain it exclusively for internal use. Period-tracking applications frequently fall outside the scope of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and are not restricted from sharing de-identified data.2 In 2021, the Federal Trade Commission (FTC) settled with a menstrual tracking app company called Flo, for violating its own privacy policies by collecting users’ sensitive health details from 2016 to 2019 and sharing this data with third-party analytics and marketing services without adequately informing users or obtaining their consent.3 More recently, a study by the Norwegian Consumer Council found that several popular menstrual tracking apps, including Flo and Clue, were sharing sensitive user data with third-party companies for targeted advertising purposes.4

The concern that period tracking app data can be used to prosecute someone seeking an abortion is not merely theoretical. There are recent examples of governments using personal data to prosecute women seeking an abortion. In Nebraska, police subpoenaed Facebook messages to investigate an alleged illegal abortion where a mother and daughter exchanged messages about obtaining the abortion pill.5 While interviewing the daughter the police noticed she was scrolling through Facebook messages to place the time of her miscarriage which led to their subpoena of the message logs. In other cases, police have used women’s text messages and web search history to prosecute women seeking abortions.6 Further, tracking abortion activity for predatory purposes is not novel. In 2019, the Missouri state health director obtained a spreadsheet tracking the menstrual periods of women who visited Planned Parenthood in an effort to identify patients who had “failed medical abortions” and prompted the health department to revoke Planned Parenthood’s abortion license for allegedly violating safety protocols and not carrying out its duties properly.7 An anti-abortion group or individuals who hope to identify and prosecute women who may be considering an abortion or who have already had one would find access to personal data from these apps to be very valuable. Further, the Dobbs decision is a warning sign that the right to personal privacy is in peril, particularly as the decision shifts more responsibility to the states—and in particular states attorneys general—to protect that right.

State Attorneys General Leadership in Protecting Sensitive Healthcare Data

Many state attorneys general are leaders in the area of data privacy. They have long known about the risk to consumers who share sensitive health information. For example, in 2020, New York State Attorney General Letitia James sent a letter to Zoom, a video conferencing application, seeking more information regarding the platforms’ security measures given increased traffic and the risk of identity thieves.8 Immediately following the Dobbs decision last year, half a dozen attorneys general released consumer protection alerts warning residents in their states to exercise extreme scrutiny when sharing menstrual and ovulation information with tracking apps to mitigate the risk of constituents’ sensitive health data being used in any future criminal prosecutions—especially given the ever changing landscape of abortion rights in the U.S. For example, Michigan Attorney General Dana Nessel assured consumers that, “[t]here are a lot of unknowns as we face a post-Roe era, but one thing that remains certain is that consumers can protect themselves and their private information.”9 California Attorney General Rob Bonta went a step further in his consumer alert by emphasizing health apps’ obligations under California law to protect and secure reproductive health information.10 One such California law is the Confidentiality of Medical Information Act (CMIA), which applies to mobile applications that are designed to store medical information, including some fertility trackers, and establishes privacy protections that go beyond federal law.11

To date, 6 states have enacted their own data privacy laws: California, Connecticut, Utah, Colorado, Virginia, and Iowa. However, these state laws differ in the authority they give to the state attorney general to bring enforcement actions against entities that violate state data privacy laws.12 For example, Colorado’s privacy law only allows the attorney general’s office to enforce violations (Colorado Privacy Act, 2021), with no private right of action. That means the attorney general, who has limited resources, is the only party that can bring an enforcement action under the privacy law. In contrast, California’s data privacy law includes a “private right of action” allowing an individual to pursue a grievance against a violator of the state data privacy law (California Privacy Rights Act, 2020).

Given the heightened concern surrounding the use of period tracking apps, there have been several actions to help protect this sensitive data. Many states are currently considering data privacy laws that would specifically prohibit or restrict companies from sharing sensitive health information with third party entities. For example, in 2023, Washington Attorney General Bob Ferguson introduced a data privacy bill that ultimately passed the Washington State legislature, called “My Health My Data” Act that will increase privacy protections around consumer health data.13 My Health My Data Act requires companies to get explicit consent from a consumer to collect, share or sell the consumer’s health data. Additionally, companies are prohibited from geofencing (meaning collecting data on a person’s location to collect and sell) for certain locations. In certain jurisdictions, consumers can sue organizations that fail to obtain their explicit consent to use their data and the attorney general can also take legal action on behalf of consumers. In May of 2023 New York Attorney General Letitia James worked with state legislators to include a provision in the state budget to include measures that would safeguard abortion access and health care privacy that include a prohibition on law enforcement from buying or obtaining electronic health information without a warrant. The legislation also bans electronic communications companies from assisting out-of-state law enforcement with warrants related to reproductive health care in New York. 14

In May of 2023, DC Attorney General Brian Schwalb, along with Oregon Attorney General Ellen Rosenbaum and Connecticut Attorney General William Tong, announced the conclusion of an inquiry into Easy Healthcare Corporation. These attorneys general along with the FTC concluded that the company should be mandated to alter its privacy procedures related to the “Premom” ovulation tracking application in order to safeguard the sensitive reproductive data of its users. Easy Health consented to implement a series of corrective actions aimed at preventing the sharing of sensitive information with external parties and to make a $100,000 payment to the states participating in the investigation as a penalty. The Attorney General Offices collaborated with the FTC to conduct an investigation into the company, verifying that Easy Healthcare had disclosed sensitive healthcare information to third parties without informing or obtaining consent from consumers.15

Some of the new measures to protect sensitive health information have received mixed reviews from the business community. Some in the business and technology industries oppose the private right of action option out of fear of costly, frivolous litigation. According to the US Chamber of Commerce, “national data protection law including a private right of action would encourage an influx of abusive class action lawsuits, create further confusion regarding enforcement of blanket privacy rights, harm small businesses, and hinder data-driven innovation.”16

Proposed State and Federal Legislation to Protect Sensitive Health Data

State Legislation to Protect Reproductive Health Data

States continue to consider legislation to protect sensitive health information in the wake of Dobbs. For example, the Massachusetts Senate is considering a bill that aims to protect “reproductive health access, LGBTQ lives, religious liberty and freedom of movement” by banning the sale of cell phone location information.17 Also, in January 2023, New York

Governor Kathy Hochul proposed legislation to protect the personal data, including location history and search history, of anyone seeking abortion care in New York.18

Federal Data Privacy Legislation

Although the 118th Congress seems unlikely to pass data privacy legislation that would protect personal health information, a future Congress may consider a comprehensive national data privacy law. Congress has considered the DATA Privacy Act, which would protect personal health information shared with apps, but has failed to pass it into law.19 Congress has also considered legislation specific to reproductive health information called the My Body My Act law. This legislation would create a national standard for protecting reproductive health information. In the 117th Congress, this measure was introduced in both the House and Senate, but did not receive a hearing or otherwise advance.20

Some in the tech industry have taken the position that states should not enact their own data privacy laws. Instead, those advocates suggest a national privacy law to ensure continuity across state lines. According to TechNet, which represents companies such as Apple, Google, Meta, and Amazon, a series of individual state privacy laws would create confusion for companies and users.21

State Legislation Many states and their state attorneys general may still wish to pass data privacy laws specific to protecting sensitive health information, while others are fighting against these additional protections. Several state attorneys general, including those in Minnesota and Hawaii, have expressed support for enacting the California model. California’s law requires “out-of-state law enforcement agencies seeking data or records from California corporations to confirm in writing that the investigation does not involve an abortion that is legal under California state law”. It also blocks out-of-state law enforcement investigating abortion services from “using warrants to obtain California cell phone tower data location or search history from computers with an IP address in the state.”22 In contrast, in 2023, Virginia Governor Glenn Youngkin and Virginia Attorney General Jason Miyares opposed legislation passed by the state legislature which sought to prohibit search warrants for menstrual data, arguing that law enforcement should have the ability to acquire that information or any other health information through a search warrant.23 As a result, women in Virginia are now at risk for criminal prosecution based on information found in their period tracking apps.

Recommendations

Recent developments such as the Dobbs decision highlight the need for regulation and transparency to protect sensitive health information, particularly when it comes to menstrual tracking apps. Users should be aware of how their data is being collected, used, and shared, and should have control over their own personal health information. Below are recommendations for actions attorneys general can take to also protect personal health information:

  1. Advocate for stronger consumer protection laws that protect the privacy of sensitive health information stored by entities not subject to HIPAA.

    States should look to the California law as model legislation. State attorneys general should evaluate their offices’ resources when considering whether to include a private right of action in any new law. Additionally, attorneys general should consider engaging additional stakeholders such as those in the reproductive access advocacy community and the technology industry to provide input into data privacy laws. If attorneys general are not comfortable advocating for a comprehensive data privacy law within their state, they may consider advocating for just the protection of sensitive health data or data specifically surrounding abortion related activity or menstrual and ovulation tracking.

  2. Advocate for state laws that prohibit out-of-state law enforcement from accessing data from state residents.

    California law now prohibits law-enforcement agencies from sharing information with out-of-state agencies investigating a legal abortion. It also aims to prevent companies headquartered in California—particularly major tech firms and data brokers—from sharing information with out-of-state agencies investigating abortion procedures that would be legal in California. Additionally, this law prohibits companies from providing geolocation data to prosecutors. State attorneys general, specifically those in states adjacent to ones that have outlawed abortion, should consider advocating for a similar law that could provide data protections for women coming from out-of-state to seek abortion related care.

  3.  Issue consumer alerts and guidance to protect the privacy of women seeking abortion care and services.State attorneys general should continue to provide guidance and consumer alerts, or “know your rights” pamphlets, for women within their states or who may be traveling to their states who are seeking abortion related care. As laws continue to change at the federal, state, and local levels, and within the judicial system, it is important that state attorneys general provide leadership to protect women who seek abortions and reproductive care.

 

The Leadership Center for Attorney General Studies is a non-partisan organization dedicated to educating the public about the important role state attorneys general play in addressing pressing issues, enforcing laws, and bringing about change.

Brittany Anderson Whitley is a Policy Fellow for the Leadership Center for Attorney General Studies. Previously, she served as Chief of External Affairs and Policy in the Virginia Attorney General’s Office. She is currently Senior Vice President at Lamar Consulting.

Grace Pak is the Policy Associate Counsel for the Leadership Center for Attorney General Studies and the Progressive State Leaders Committee. Previously, she served as Of Counsel at a boutique reproductive health care law firm, specializing in IVF (in vitro fertilization) and ART (assisted reproductive technology).

Britteny Jenkins is the former Policy Director for the Leadership Center for Attorneys General Studies and Progressive State Leaders Committee. She is also a former Chief of Staff and Staff Director for the Subcommittee on Environment for the House Committee on Oversight and Reform in the U.S. House of Representatives. She also has several years of litigation experience, focused on commercial and bankruptcy litigation.

Jonathan Sclarsic is the Chief Operating Officer and General Counsel for the Leadership Center for Attorney General Studies and the Progressive State Leaders Committee. He is a former Assistant Attorney General and Director of the Division of Open Government in the Massachusetts Attorney General’s Office and a former legislative director in the United States Senate.

1 Separating hype from reality in health tech. (2019, September 10). Axios. https://www.axios.com/2019/09/10/health-tech-innovation-hype-poll-young-people

2 Ornstein, C. (2022, July 5). Federal Patient Privacy Law Does Not Cover Most Period-Tracking Apps. ProPublica. https://www.propublica.org/article/period-app-privacy-hipaa

3 Developer of Popular Women’s Fertility-Tracking App Settles FTC Allegations that It Misled Consumers About the Disclosure of their Health Data. (2021, January 28). Federal Trade Commission. [Press Release] https://www.ftc.gov/news-events/news/press-releases/2021/01/developer-popular-womens-fertility-tracking-app-settles-ftc-allegations-it-misled-consumers-about; see also Gupta, A. H. and Singer, N. (2021 January 28). Your App Knows You Got Your Period. Guess Who It Told? The New York Times.

4 Page, C. (2022, May 5). Supreme Court overturns Roe v. Wade: Should you delete your period-tracking app? TechCrunch. https://techcrunch.com/2022/05/05/roe-wade-privacy-period-tracking/#:~:text=%E2%80%9CGenerally%2C%20unless%20the%20user%20expressly,a%20user%20delete%20their%20account.

5 Kaste, M. (2022, August 12). Nebraska cops used Facebook messages to investigate an alleged illegal abortion. NPR. https://www.npr.org/2022/08/12/1117092169/nebraska-cops-used-facebook-messages-to-investigate-an-alleged-illegal-abortion.

6 Zakrzewski, C., Verma, P., & Parker, C. (2022, July 3). Texts, web searches about abortion have been used to prosecute women. Washington Post. https://www.washingtonpost.com/technology/2022/07/03/abortion-data-privacy-prosecution/

7 Ali, Safia Samee Ali. (2019, October 29). Missouri health director tracked menstrual periods of Planned Parenthood patients. https://www.nbcnews.com/news/us-news/missouri-health-director-tracked-menstrual-periods-planned-parenthood-patients-n1073701.

8 Hakim, D., & Singer, N. (2020, March 31). New York Attorney General Looks Into Zoom’s Privacy Practices. The New York Times. https://www.nytimes.com/2020/03/30/technology/new-york-attorney-general-zoom-privacy.html

9 AG Nessel Issues New Consumer Alert Tied to Protecting Private Health Location Data. (2022, July 5). https://www.michigan.gov/ag/news/press-releases/2022/07/05/ag-nessel-issues-new-consumer-alert-tied-to-protecting-private-health-location-data

10 Attorney General Bonta Emphasizes Health Apps’ Legal Obligation to Protect Reproductive Health Information. (2024, May 26). [Press release]. https://oag.ca.gov/news/press-releases/attorney-general-bonta-emphasizes-health-apps-legal-obligation-protect#:~:text=%E2%80%9CApps%20collecting%20medical%20information%2C%20particularly,disclosure%20or%20a%20data%20breach

11 Confidentiality of Medical Information Act | Consumer Federation of California. (n.d.). Consumer Federation of California. https://consumercal.org/about-cfc/cfc-education-foundation/cfceducation-foundationyour-medical-privacy-rights/confidentiality-of-medical-information-act/

12 US State Privacy Legislation Tracker. (n.d.). https://iapp.org/resources/article/us-state-privacy-legislation-tracker/

13 AG Ferguson, Rep. Slatter, Sen. Dhingra propose legislation to protect Washingtonians’ health data. (2022, October 21). [Press release]. https://www.atg.wa.gov/news/news-releases/ag-ferguson-rep-slatter-sen-dhingra-propose-legislation-protect-washingtonians

14 B. Parry. (2023, May 11). Queens lawmakers highlight new abortion privacy protections in state budget at Planned Parenthood in Long Island City – Sunnyside Post. Sunnyside Post. https://sunnysidepost.com/queens-lawmakers-highlight-new-abortion-privacy-protections-in-state-budget-at-planned-parenthood-in-long-island-city

15 AG Schwalb Protects Private Data of Consumers Using Ovulation Tracking App “Premom.” (2023, May 17). https://oag.dc.gov/release/ag-schwalb-protects-private-data-consumers-using

16 Staff, U. C. (2022). U.S. Chamber Warns It Will Oppose Any Privacy Legislation That Creates a Blanket Private Right of Action. U.S. Chamber of Commerce. https://www.uschamber.com/technology/data-privacy/u-s-chamber-warns-it-will-oppose-any-privacy-legislation-that-creates-a-blanket-private-right-of-action

17 Akin, S. (2023, January 30) Democrats eye data privacy in abortion rights protections push. Pluribus News. https://pluribusnews.com/news-and-events/democrats-eye-data-privacy-in-abortion-rights-protections-push/

18 Governor Hochul Announces Steps to Strengthen New York State’s Safe Harbor for Abortion Care. (n.d.). Governor Kathy Hochul. https://www.governor.ny.gov/news/governor-hochul-announces-steps-strengthen-new-york-states-safe-harbor-abortion-care

19 To establish national data privacy standards, H.R. 5807, 117th Cong. https://www.congress.gov/bill/117th-congress/house-bill/5807/text 20 My Body, My Data Act of 2022, H.R. 8111, 117th Cong. (2022). https://www.congress.gov/bill/117th-congress/house-bill/8111; see also Hirono, Wyden, Jacobs Introduce Bill to Protect Reproductive Health Data. (2022, June 21). https://www.hirono.senate.gov/news/press-releases/hirono-wyden-jacobs-introduce-bill-to-protect-reproductive-health-data

21 The raucous battle over Americans’ online privacy is landing on states. (2023, February 22). POLITICO. https://www.politico.com/news/2023/02/22/statehouses-privacy-law-cybersecurity-00083775

22 Governor Newsom Signs Assemblymember Bauer-Kahan and Attorney General Bonta’s Groundbreaking Legislation Protecting Digital Information on Abortion. (2022, September 27). [Press release]. https://oag.ca.gov/news/press-releases/governor-newsom-signs-assemblymember-bauer-kahan-and-attorney-general-bonta%E2%80%99s

23 Moomaw, G. (2023, February 14). Youngkin administration opposes shielding menstrual app data from search warrants. Virginia Mercury. https://www.virginiamercury.com/2023/02/14/youngkin-administration-opposes-shielding-menstrual-app-data-from-search-warrants/#:~:text=A%20proposal%20to%20put%20menstrual,idea%20for%20the%20first%20time