An estimated 50 million women worldwide use menstrual tracking apps like Clue, Ovia, and Flo to keep up to date on their personal cycles or to use them as pregnancy trackers.
But if you take a look at Flo, how does a free app with less than $10M in iOS app sales make almost $100M? 🤔
Well, do all 50 million women know their personal health data is being sold to third parties for profit?
Flo is the most popular women’s health app globally; over 167.7 million users have downloaded Flo to their smartphones. And downloading the app as a period tracker records all kinds of sensitive information, from personal health information about menstrual cycles and birth control to recording that first baby kick.
With Flo, the idea was that you would be tracking your cycle, or use the app as a means to track your baby and help you prepare a birth plan depending on your stage of pregnancy.
But now we know they're also being sued for selling health data and violating data privacy regulations.
How did the world's leading women's health app fall from grace?
Flo is an AI-powered women’s health app that supports women at every stage of their reproductive cycle.
Used in particular for menstrual and pregnancy tracking, you can imagine that this app is recording key individual but sensitive data points about the health of the user.
This information is heavy stuff - it needs to be kept personal, and secure. Data privacy laws are particular about the ways SaaS companies protect data and as data subjects, pregnant women had no idea their data was being misused.
That's what users thought they were getting when downloading Flo, which promised that security and data were the utmost priority.
On their website, it states:
"With Flo, you’re in control. You trust us with your personal information, so we’re open about how we keep you safe. And we’ll never share your health data with any company but Flo."
And people believed them.
All until a consolidated class action complaint came forward accusing the period and fertility-tracking app developer of sharing users' targeting data and sensitive health information with third parties without app users' knowledge.
Was Flo, the best pregnancy app, selling pregnant individuals' health data as a second revenue stream?
So far, all the answers seem to be pointing to yes.
Selling to massive data-harvesting companies like Facebook, Alphabet Inc's Google, and data analytics companies Flurry Inc and AppsFlyer Inc.
Here's where the legalese comes in the lawsuit got very interesting.
In using the third parties' SDKs, Flo Health transmitted personal information back to other defendants, which allegedly "knew that the data collected and received from Flo Health included intimate health data" but didn't stop that because...
The data is "vital to their business," such as for marketing and data analytics purposes.
Now that's pretty scummy if you ask me.
And the bringers of the suit agree.
They are insisting that Flo be charged with invasion of privacy, breach of contract, and violation of the federal Stored Communications Act.
So maybe Flo is selling this data in order to improve advertising towards people who are pregnant or menstruating.
They send you a targeted ad for pain relief or another suitable product for that time.
What's all the fuss? We give that type of data away all the time online.
Roe v. Wade being at risk is the fuss.
Women's rights are the fuss.
Privacy experts have stated that period tracking and other apps could become a target for law enforcement agencies or motivated vigilantes to exploit to identify potential people seeking abortions or those providing them.
This means that an application that is supposed to safely store your medical information could be the very thing infringing on your rights and getting you in trouble.
This sets an incredibly troubling precedent.
Apps selling data as a secondary revenue stream are common.
But the industries these apps are in are key to the conversation.
Eva Galperin, director of cybersecurity at activist organization the Electronic Frontier Foundation tweeted recently that:
"If you are in the United States and you are using a period tracking app, today is a good day to delete it before you create a trove of data that will be used to prosecute you if you ever choose to have an abortion."
This data isn't anonymous.
It's filled with targeting identifiers.
Generally, these sorts of identifiers, which often come in the form of a long string of characters and digits, are known as mobile advertising IDs, or MAIDs, and have been a cornerstone of the online advertising industry for years.
Members of the advertising industry will tell you that MAIDs are anonymous, but companies buying data from places like Flo can source these mobile identifiers and then combine them with other online information to unmask or target those devices or the people behind them.
There are even marketplaces for this type of data - and it's not just sourced from Flo, but also previously from Clue and many other women's health apps...
As an app founder, it's always important to diversify the potential to earn revenue from your digital venture.
But if it's at the cost of the people you are aiming to serve, it's not worth it.
TL:DR period and pregnancy apps commonly sell your personal data as a secondary way to make money, and you should be aware of what you share.