App privacy protections require more than new policies
May 12, 2022

Apps may also have to address fundamental questions about what they share and how they turn a profit.

With the expected Supreme Court opinion to overturn Roe v. Wade on its way, some consumers are rethinking how much of their health data they want to share with mobile apps.

Several period-tracking apps have reassured users that the companies won’t sell or share their details. But multiple types of apps and programs, even internet searches, generate data like location tracking — data that could be used to implicate people seeking abortions.

Jessica Lee, a partner with the law firm Loeb & Loeb, helps companies craft their privacy policies. She says even robust standards can only do so much when it comes to user privacy. The following is an edited transcript of our conversation.

Jessica Lee: Well, I mean, the privacy policy, it’s not an agreement, necessarily. It’s more of a notice or disclosure about what a company’s privacy practices are. So, in terms of what the notice can do, it can only tell the consumer what a company is doing, and then the consumer has to make a decision about whether or not they’re comfortable with those practices.

Kimberly Adams: As somebody who writes privacy policies for companies, have you seen companies, especially tech companies or any of these apps, changing their privacy policies in light of this news?

Lee: Not yet, but I think that those conversations are happening. Companies are likely going back to their privacy policies, but I’ll say the privacy policy is last, right? They need to kind of go to their practices first, understand what they’re doing, who they’re sharing information with, what type of information they’re sharing, and then identify: Are there updates that they need to make to protect their consumers?

Adams: What can an app do, though, if they are presented with a warrant demanding user data?

Lee: That’s a difficult question. Because if law enforcement has gone to court and obtained a lawful warrant for information, a company could try to challenge that warrant. We’ve seen other companies do this. Apple, for example, challenged an effort to get a backdoor into its devices. But depending on the size of the company, the resources and the policies of a company, they might not want to challenge a warrant. I think that becomes a harder conversation. And consumers really need to understand that there are — even in states or jurisdictions where there are broad privacy protections — there are usually exceptions for law enforcement.

Adams: And how much legal protection is there on the user side for this kind of data?

Lee: Very little. This data doesn’t fall under HIPAA, which is a kind of a federal law that protects certain health care information. And unless you’re in a state like California, where you might have [the] right in 2023, you’ll have rights to limit how sensitive health information is used, or in Colorado or Virginia where companies will be required to ask you and get consent to collect your health information. But there aren’t laws on the books in many states that will protect this type of data in the way I think most expect.

Adams: So how do you anticipate privacy policies within mobile apps changing in the months to come, if at all?

Lee: Part of that is going to depend on how the apps decide to update or change their practices. For example, Apple made moves recently to require apps to have a nutrition label that has more kind of high-level, easy-to-digest information about what an app does. And you might see some of these apps looking to try to make the information about their practices more accessible so that consumers can make a different decision about how they use or interact with that app.

Related Links: More insight from Kimberly Adams

As Jessica pointed out, privacy policies can be strengthened, but they must also be accurate.

Last year, fertility-tracking app Flo Health reached a settlement with the Federal Trade Commission after the company claimed it wasn’t sharing user information with third parties like Google and Facebook. As it turns out, it was.

Here’s the FTC press release about the settlement, which requires Flo to get affirmative consent from users before sharing their data with third parties.

Flo was among several period tracking apps which, as I mentioned at the top, addressed worried users on social media this week.

In a Twitter thread, the company said: “We have heard concerns surrounding data privacy should Roe v. Wade be overturned. We understand these concerns and want to assure you that your data is safe with Flo.”

Rival period-tracking app Clue had a thread of its own, saying, “We completely understand this anxiety, and we want to reassure you that any health data you track in Clue about pregnancy or abortion is private and safe.”

Clue also highlighted that it’s based in Berlin, and that Europe’s laws grant users additional privacy protections.

Finally, Recode has a piece from last year detailing how police used Facebook to gather evidence against the January 6 Capitol insurrectionists.

Those are the same methods abortion rights supporters are now worried might be used to implicate those seeking abortions in states where it’s illegal.

The team

Daniel Shin Producer
Jesús Alvarado Associate Producer