It has been 0 days since Facebook's last privacy scandal.
The majority of period tracking apps transmit sensitive data to Facebook the minute you open them, before you interact with them at all, thanks to the common use of Facebook's analytics tool (which nominally gives app developers a free way to track their products' use, but which, not incidentally, allows FB to harvest all that usage data).
The data that period-tracking apps share is often incredibly sensitive, including the last time the user had sex, which birth control they use, and so on. Some apps allow you to keep a private diary of your menstrual and sexual activities. This is also sent to Facebook.
It's basically a rerun of the ghastly revelations about fertility tracking apps from 2016, except that now it's three years later and the companies involved have learned not one fucking thing from that scandal.
One company, MIA Fem, threatened to sue Privacy International and Buzzfeed over Privacy International's handling of its unconvincing denials. Other vendors, like Plackal Tech, makers of the Maya app, minimized the concerns raised by researchers, suggesting that they simply don't take the issue seriously.
Facebook is just for starters. The same apps often shared data with less well-known, even slimier analytics firms who largely fly under regulators' and lawmakers' radar (Facebook, for all its failings, is full of people who are terrified that some antitrust or privacy investigation is going to cost the company millions or billions and that they will face the blame -- but small startups that are one quarter away from going broke have no incentive to think about the longterm).
The wide reach of the apps that our research has looked at might mean that intimate details of the private lives of millions of users across the world are shared with Facebook and other third parties without those users’ free, unambiguous and informed or explicit consent, in the case of special-category (sensitive) personal data, such as data relating to a user's health or sex life. Our research highlights that the apps we have exposed raise serious concerns when it comes to their compliance with their GDPR obligations, especially around consent and transparency. Indeed, EU data protection laws seeks to ensure that users maintain control over their personal data at all times and that they should be aware of the exact and specific purposes these data might be used for by controllers, namely companies. It equally applies to controllers that process data within the EU/EEA and to controllers that might be based outside the EU/EEA but still target EU users with their services
This raises interesting points. First, even when GDPR applies, for example, in EU/EEA countries, this does not mean that controllers abide by the regulation. As our research illustrates, apps targeting EU users need to comply with, among others, strict consent and transparency obligations regarding the processing of personal data, but they often fail to do so. This should lead to a call for stronger enforcement - EU data protection laws have always been there, what is needed is effective and fruitful investigations by regulators.
Secondly, while apps that are located in Europe might be failing to meet their GDPR obligations, EU users are still provided with an appropriate right of redress, such as the possibility to raise the issue with the controller directly, or to file a complaint before their national supervisory authority, or even to bring a case against the controller before national courts. However, the case is not the same for users based in countries without proper data protection laws or with data protection laws that lack effective enforcement. The practices highlighted by this research should serve as an example of abuse that should prompt law-makers and regulators to uphold users’ rights.
No Body's Business But Mine: How Menstruation Apps Are Sharing Your Data [Privacy International]
Period Tracker Apps Used By Millions Of Women Are Sharing Incredibly Sensitive Data With Facebook [Megha Rajagopalan/Buzzfeed]