Experiential Case Study Audit of Three Popular Period Trackers Using General Data Protection Regulation (GDPR) and Intimate Privacy Assessment Criteria

Objectives: Period tracker downloads worldwide continue to increase year over year even though users are exposed to intimate data surveillance, unconsented third-party data sharing, and unauthorised commercial use of their reproductive information. This paper argues that data protection measures such as Europe’s General Data Protection Regulation, considered the gold standard for personal privacy protection, could be bolstered if an intimate privacy design code was applied.

Study Design: As no design code like the UK Information Commissioner’s Children’s Code exists for reducing data protection risks associated with online processing of sensitive reproductive information, we developed fifteen measures operationalising the concept of intimate privacy. Risk assessments based on intimate privacy criteria were compared to General Data Protection Regulation requirements in our 2023 UK-based pilot study auditing popular period trackers, Flo®, Clue®, and Eve®.

Results: When our intimate privacy criteria were applied, we identified tracker data protection weaknesses and privacy elements falling outside of existing General Data Protection Regulation requirements. Particularly worrisome was the lack of dynamic consenting for data sharing, no built-in surveillance detection measures, and few user-determined data retention and deletion processes. The US processing and storage of UK-collected Flo® and Eve® data raises significant intimate privacy protection concerns, especially as legal implications of such data transfers were not well explained to users. Privacy policies were complex, requiring college education.

Conclusion: Incorporating intimate privacy-by-design would provide Femtech device users enhanced protection for their sensitive, private intimate data.