A study by ORCHA [the Organisation for the Review of Care and Health Apps] has revealed that 84% of period tracker apps share data with third parties. 

Data stored in some of these apps can show details of sexual activity, contraception used, and when the user’s period stops and starts.

ORCHA studied 25 different period tracker apps and found only one that kept all sensitive data on the owner’s device. The rest all shared this data with the app developer.

In addition, 84% of the apps allowed the sharing of personal and sensitive health data beyond the developer’s system, with third parties. The majority (68%) did so for marketing with 40% for research and 40% for improving developer services of the app itself.

Tim Andrews, ORCHA’s chief operating officer, said: “It would be best practice for an app to have a ‘consent’ page that’s easily accessed from the main menu. Each individual permission could then be ticked or unticked at any time. So, a user wanting to guarantee privacy, could easily change their mind and untick the permission to share with third parties.”

Other issues ORCHA identified with this type of app relating to data security included nearly half of those tested demonstrating poor compliance with GDPR; just two apps showing evidence of conformity to best practice certifications; and 80% of the apps failing to meet the wider quality standards for them to be included on ORCHA app libraries for NHS providers.

Fatima Ahmed, ORCHA clinical lead for maternity and women’s health, said: “Period tracker apps have come into sharp focus for alarming reasons – but they are probably the tip of the iceberg when it comes to data security. And even app developers who promise to stop sharing names and addresses, for example, should be aware that people can be identified by an IP address.”

It’s not the first time that this type of app has been highlighted for failing to protect users’ data. In 2019, Privacy International scrutinised six period tracking apps and revealed that five shared data with Facebook – some even before privacy settings have been agreed with the user.