Period tracking apps are sharing sensitive medical data with Facebook, an investigation has found.

Data, including menstruation frequency, use of contraception and symptoms like blood pressure and acne, are being shared directly with the social media company.

In some cases, data is shared from the moment a user opens the app.

UK-based advocacy group Privacy International scrutinised six period tracking apps and found that five shared their data with Facebook, some before a user even agrees to privacy settings.

The apps, Maya by Plackal Tech, MIA by Mobapp Development Limited, My Period Tracker by Linchpin Health, Ovulation Calculator by Pinkbird, Period Tracker by GP International LLC and Mi Calendario by Grupo Familia, have been downloaded several million times between them.

Two of the apps, Maya and MIA, were exposed for “extensive sharing” of sensitive data.

Privacy International’s analysis found that Maya, which has five million downloads on Google Play, shares information with Facebook as soon as a user opens the app and before the user agrees to privacy settings. It asks for sensitive medical information, including choice of contraception and the date of their last period, which is also shared.

“Medical data is among the most sensitive data one can collect. Confidentiality is at the heart of medical ethics and countries that have data protection laws traditionally have a separate regime for health data, which includes health data, which are considered sensitive data,” the report said.

“Thus, when Maya asks you to enter how you feel and offers suggestions of symptoms you might have – suggestions like blood pressure, swelling or acne – one would hope this data would be treated with extra care. But no, that information is shared with Facebook.”

The app is also used to track the user’s mood, which is then shared with Facebook. Intimate knowledge of a person’s mood is highly valuable to advertisers who then use this data to strategically target them, the report said.

MIA, which has over a million downloads, also starts sharing sensitive data immediately.

Before a user starts entering information in the app it wants to know if it will be used as a period tracker or if the user is trying to become pregnant and is using it to maximise their chances. Again, the reason for this is to benefit advertisers, according to the report.

The data of pregnant women is particularly valuable to advertisers, as expecting parents are likely to change their spending habits. In the US, the report explained, an average person’s data is worth £0.08 ($0.10), while a pregnant woman’s is worth £1.20 ($1.50).

MIA also shares with Facebook the users age and what phase of their menstrual cycle they’re on, as well as lifestyle choices like smoking, alcohol consumption and tampon preferences.

This information is used to present a collection of articles tailored for the user when they opt for MIA to “analyse symptoms”. This is then shared with Facebook to let the company know what articles are featured in the users personal feed, the report found.

The other apps analysed also shared sensitive medical information with Facebook, but on a lesser scale. The only app that didn’t share data was Period Tracker by GP International LLC.

Maya and MIA also shared user’s data with other third party’s including wzrkt.com. and AppsFlyer, respectively.

Privacy International’s recommendations to period tracker apps

  • Undertake in-depth privacy and risk impact assessments when designing applications, with consideration for users and the potential harms they could experience
  • Limit the data collected, many menstruation apps appear to request superfluous data – including sensitive personal data – to build a profile of their users. Only data that is necessary for the purpose the app states should be collected
  • Limit data sharing only to what is strictly necessary for the purpose of providing the services. This requires checking default data sharing settings of tools provided by third-parties such as Facebook’s SDK or third-party data management tools

Under GDPR app developers have to provide users with adequate information on how their personal data is used.

Plackal Tech, which owns Maya, is based in India but serves people in the EU and Mobapp Development Limited, which owns MIA, is based in Cyprus, therefore GDPR applies to both companies.

In response to the investigation Plackal Tech confirmed the company had removed the Facebook and Analytics software development kit (SDK) – a set of tools used to develop apps – from their app.

“Maya does not share any personally identifiable data or medical data with the Facebook Ad SDK. The Ad SDK helps us earn revenue by displaying ads that our users can opt out of by subscribing to Maya’s premium subscription,” the companies chief executive said in a letter.

“All data accessed by Maya are also essential to the proper functioning of the product. Predicting information pertaining to menstrual cycles is complex and dependent on thousands of variables. We will continue evaluating our privacy policy and align ourselves to global best practices on data privacy.”

Facebook responded to say the company’s Business Tools Terms require developers to be “clear with their users about the information they are sharing with us and to have a lawful basis for the disclosure and use of data”.

“Our terms also prohibit app developers from sharing customer data with us that ‘includes health, financial information, or other categories of sensitive information (including any information defined as sensitive under applicable law)’. Facebook does not want this information in its systems and apps that send us this data are in violation of their obligations under those terms,” the company said in a letter.

Facebook said it had contacted the apps in question, but made no commitment to investigate the likelihood of other developers sharing sensitive information.

Privacy International’s recommendations to Facebook

  • Facebook needs to better explain how it uses the data that it automatically receives through the Facebook SDK, how long the data is stored and if it is being shared
  • Facebook should do more to offer products and services that make it as easy as possible for developers to protect the privacy of their users by design and by default. For instance, the default implementation of the SDK should not automatically transmit data the second an app is launched
  • Facebook should take steps to make it easier for people to exercise their data rights on all personal data that Facebook stores, whether they have a Facebook account or not