WASHINGTON, D.C. – U.S. Senator Bob Menendez (D-N.J.), along with Congresswomen Bonnie Watson Coleman (D-N.J.-12) and Mikie Sherrill (D-N.J.-11) today asked Apple, Samsung and Google’s App stores to immediately remove any app which shares users’ private health data with third parties without obtaining explicit consent before an individual begins to use it. Approximately 100 million women worldwide use menstruation-tracking and fertility-tracking apps. Recent news reports show that the sensitive data collected by these apps are frequently shared with third parties without the user’s knowledge or consent.

“When consumers use menstruation-tracking or fertility-tracking apps they trust some of the most intimate parts of their lives with that app; information on their menstrual cycle, mood, weight, birth control usage, results of ovulation tests and sexual activity,” the lawmakers wrote in separate letters to Matt Fischer, Vice President of Apple’s App Store; Purnima Kochikar, Director of Google Play, Apps, & Games; and YH Eom, President and CEO of Samsung Electronics America. “Some apps prompt users to share how often they smoke, drink coffee, or use tampons. According to the [Privacy International] study, 61 percent of menstruation apps tested automatically transferred data to Facebook ‘the moment the user opens the app’.”

“This is a serious invasion of privacy,” they added.

The letter to Apple’s App Store can be found here and below. Similar letters to Google’s Google Play, Apps, & Games can be downloaded here, and to Samsung Electronics America here.

Dear Mr. Fischer,

We write to ask that you take steps to ensure that the menstruation-tracking and fertility-tracking apps available on the Apple App store do not share user data with third parties without clear and affirmative consent given before a user begins to use the app. Furthermore, we seek information about the security of user information in the apps as well as the data you directly collect from app developers.

In 2015, there were over 200 period-tracking and fertility-tracking apps. In the last several years, “an estimated $1 billion of investment has been poured into women’s health technology.” Approximately 100 million women around the world use menstruation–tracking apps. Yet, a number of troubling reports show that the sensitive data collected by these apps are shared with third parties, often without the user’s knowledge or consent. We do not believe the traditional end-user agreements are sufficient for individual’s health information data.

New research from Privacy International shows that many popular menstruation-tracking apps share sensitive health information with Facebook. When consumers use menstruation-tracking or fertility-tracking apps they trust some of their most intimate part of their lives with that app; information on their menstrual cycle, mood, weight, birth control usage, results of ovulation tests and sexual activity. Some apps prompt users to share how often they smoke, drink coffee, or use tampons. According to the study, 61 percent of menstruation apps tested automatically transferred data to Facebook “the moment the user opens the app”. This is a serious invasion of privacy.

According to Privacy International, Facebook’s Software Development Kit (SDK) facilitates the sharing of user’s private information without their explicit consent. SDK helps app developers incorporate particular features and collect user data. Facebook in turn “uses customer data from its SDK, combined with other data it collects, to personalize ads and content”. In other words, Facebook (and other third parties that use similar SDKs) monetizes sensitive data regarding women’s reproductive health.

What’s more, some of these apps were sharing data as early as 2013. In 2016, the Washington Post reported one study from Consumer Reports found that users of the period-tracking app Glow could link their account with another person in order to share information. Most troubling, was the finding that “anyone who knew a user's email address could start getting that data without the user's explicit permission. That means practically anyone, including stalkers or abusive exes, could have found a window into the intimate data the app tracked.” Although Glow fixed this “feature”, this highly concerning episode highlights the serious consequences of lax data privacy. Another study examining the effectiveness of menstruation-tracking apps to identify windows found that a “surprising number of the apps that her team reviewed ‘didn't have any privacy policy at all.’”

Your company is well aware of the gaps in data security and instances where a user’s personal information and data was sold without the user’s explicit consent and knowledge. The continued failure of your industry to be out front on these issues and consider the best interests of your users, especially on reproductive health data, shows either a glaring disregard for privacy concerns or gross incompetence.

It is critical that women are able to make informed choices about their reproductive health and data; and that includes how reproductive health data is shared. To that end, we urge you to remove any menstruation-tracking and fertility-tracking apps that share user data with third parties without explicit and affirmative consent. In addition, we seek answers to the following questions:

1. What if any privacy standards must an app meet before you approve the app for download on your platform? Please provide a detailed description of those standards.

2. What data sharing notices do you require menstruation-tracking, fertility-tracking, and health care-related apps to provide to users?

3. What if any protocols do you have in place to respond to data breaches of menstruation-tracking, fertility-tracking, and health care-related apps available on your platform?

4. Given the rise of data breaches and the sharing of personal information from apps available on your platform, what proactive steps will you be taking to offer users better control over their privacy?

Thank you in advance for your prompt response and attention to this matter.

Sincerely,

###