Those external partners may then have a relationship with data brokers, who collect, aggregate, and combine personal information about you from a variety of sources to create a profile on you and in turn sell it to others. And there’s no way to really know who is getting that profile. A recent study by an advocacy group called the Norwegian Consumer Council examined 10 popular apps including Clue and found that they were collectively feeding personal information to at least 135 companies.
What’s more, even when your data is de-identified by removing identifiable information such as your name or email address, it can be combined with other information—such as your location, contacts, or unique identifiers in your phone—and traced back to you, research suggests.“It is the ability of a mobile app to collect far more data about you than you’re telling it that can be harmful,” says Jennifer King, director of consumer privacy at Stanford Law School’s Center for Internet and Society.
While consumers may shrug at such sharing as a trade-off of the digital age, there's emerging evidence of harm. Last March, for instance, the Department of Housing and Urban Development sued Facebook for housing discrimination, saying that the social media giant allowed advertisers to restrict who can see housing-related ads based on race, religion, sex, or disability. This information was gleaned from Facebook’s data mining activities, and then handed over to advertisers. While the Facebook suit isn’t related to personal health data, it’s not hard to imagine that the information collected by period trackers—especially with some employers and health insurers licensing the apps to use as part of corporate wellness programs—could be used in ways that harm women, King says.
CR’s Mendelsohn agrees. “With issues like pregnancy discrimination still a concern for many women, those using reproductive health apps will want to be sure their private information stays private," she says.There's a bipartisan effort in the Senate to address the problem with the Protecting Personal Health Data Act, introduced in June by Amy Klobuchar (D-Minn.) and Lisa Murkowski (R-Alaska). The proposed law, which CR supports, would require that mobile health technologies such as health apps and fitness trackers allow users to review, change, and delete health data collected by companies. Some states are also taking action. For example, the California Consumer Privacy Act of 2018, which went into effect this month, gives consumers similar protections.