App privacy protections need more than new policies

With the Supreme Court’s pending opinion to overturn Roe v. Wade, some consumers are rethinking how much of their health data they want to share with mobile apps.

Several period-tracking apps reassured users that companies would not sell or share their contact details. But several types of apps and programs, even Internet searches, generate data such as location tracking — data that could be used to implicate people seeking abortions.

Jessica Lee, partner at law firm Loeb & Loeb, helps companies develop their privacy policies. She says even robust standards can’t do much about user privacy. The following is an edited transcript of our conversation.

Jessica Lee: Well, I mean, the privacy policy, it’s not necessarily an agreement. Rather, it is a notice or disclosure about a company’s privacy practices. So in terms of what the notice can do, it can only tell the consumer what a company is doing, and then the consumer has to decide whether or not they’re comfortable with those practices.

Jessica Lee (courtesy Loeb & Loeb).

Kimberly Adams: As someone who writes privacy policies for businesses, have you seen any companies, especially tech companies or any of those apps, change their privacy policies in light of this news?

Lee: Not yet, but I think those conversations are happening. Companies probably go back to their privacy policies, but I will say that the privacy policy is the last, right? They should first review their practices, understand what they do, who they share information with, what type of information they share, then identify: Are there any updates they need to make to protect their consumers?

Adams: What can an app do, however, if presented with a warrant requiring user data?

Lee: This is a difficult question. Because if law enforcement went to court and got a legal warrant to get information, a company could try to challenge that warrant. We have seen other companies do this. Apple, for example, challenged an effort to get a backdoor into its devices. But depending on company size, resources, and a company’s policies, they might not want to challenge a warrant. I think it becomes a more difficult conversation. And consumers really need to understand that there are – even in states or jurisdictions where there are broad privacy protections – there are usually exceptions for the operation of the law.

Adams: And what legal protection is there on the user’s side for this type of data?

Lee: Very little. This data does not fall under HIPAA, which is a kind of federal law that protects certain health care information. And unless you’re in a state like California, where you could have [the] right in 2023 you will have the right to limit how sensitive health information is used, or in Colorado or Virginia where companies will be required to seek and obtain your consent to collect your health information. But there are no laws on the books in many states that will protect this type of data in the way that I think most expect.

Adams: So how do you anticipate mobile app privacy policies changing in the coming months, if at all?

Lee: Part of that will depend on how apps decide to update or change their practices. For example, Apple recently moved to require apps to have a nutrition label which contains more high-level, easy-to-digest information about what an app does. And you might see some of these apps looking to make information about their practices more accessible so that consumers can make a different decision about how they use or interact with that app.

Related Links: More from Kimberly Adams

As Jessica pointed out, privacy policies can be tough, but they also need to be accurate.

Last year, fertility tracking app Flo Health reached a settlement with the Federal Trade Commission after the company claimed it did not share user information with third parties like Google and Facebook. Turns out it did.

Here is the FTC press release on the settlement, which requires Flo to obtain affirmative consent from users before sharing their data with third parties.

Flo was among several period-tracking apps that, as I mentioned up top, reached out to worried users on social media this week.

In a Twitter thread, the company said, “We have heard data privacy concerns if Roe v. Wade was canceled. We understand these concerns and want to assure you that your data is safe with Flo.”

Rival period-tracking app Clue had its own thread, saying: “We fully understand this anxiety, and we want to reassure you that any health data you track in Clue about pregnancy or abortion is private and sure.”

Clue also pointed out that it is based in Berlin and that European laws give users additional privacy protections.

To finish, Recode has a piece from last year detailing how police used Facebook to gather evidence against the January 6 Capitol insurgents.

These are the same methods that proponents of abortion rights now fear could be used to implicate those seeking abortions in states where it is illegal.
