New research published by the University of New South Wales (UNSW) revealed that fertility apps pose serious privacy risks to Australian consumers. Popular fertility apps such as “Flo” and “Glow” collect deeply sensitive data about users’ health conditions, sexual activities, emotions, and menstrual cycles.
The research was undertaken by Katharine Kemp, a senior lecturer at UNSW Law and Justice. Kemp said the study uncovered unfair and unsafe privacy practices in popular fertility apps. She called for urgent reform to modernise Australia’s privacy laws and address the data risks faced by consumers today.
“These fertility apps collect the most intimate data, often at vulnerable moments in a consumer’s life, when they’re trying to conceive or manage health conditions or new to understanding their cycles,” said Kemp.
“They should expect to receive the clearest information about how that data is collected, used and kept safe, real choices, and the strictest standards of de-identification for any shared data. They’re not getting that.”
The study revealed that confusing and often misleading privacy messages are being used by these fertility apps. There is little choice about how someone’s personal data is used and for what purposes.
“With several of these apps, we saw that they would keep the data for over three years, or in one case seven years, after the user had stopped using the app,” said Kemp.
“That gives rise to unnecessary risks of potential data breaches during that period.”
Kemp highlighted that many of these apps indicated that the data was going to be de-identified and sold or used for other purposes. However, the de-identification measures were not adequate.
“A lot of the marketing messages around these apps are that they are privacy compliant or safe to use,” said Kemp.
“But if you look at the fine print, then you find that there are lots of potential harms in the way the organisation is using the data.
“We know that consumers don’t have the time or expertise necessary to decipher the privacy policies and privacy messaging of these apps.”
Kemp said that her research illustrated why privacy laws need to be updated. After all, there is no fundamental right to privacy in Australia.
“We don’t have a Bill of Rights, that includes the right to privacy in the way that some jurisdictions do,” said Kemp.
“That is very significant in terms of the need to legislate more specifically to protect privacy, rather than being able to rely on the existence of a recognised fundamental right.”
Kemp asserted that the Privacy Act needs to clarify what data is covered, what data uses are prohibited, what choices consumers have when it comes to their data and what security measures companies should implement. She called for clearer and more onerous obligations on companies about when data should be deleted.
“Companies have duties under the Australian Privacy Principles, to essentially delete data when it’s no longer needed for a lawful purpose but that is not a specific obligation,” said Kemp.
“As with many obligations under the Privacy Act, it’s expressed in terms of what’s reasonable for the organisation to do.
“It leaves room for a self-serving interpretation.”
Kemp explained that Australia’s current privacy legislation allows many data practices to rely on dangerous fictions.
“These fictions include that consumers have real information and choices, that consumers are always capable of making choices about data practices, that companies are not using personal information when they’re targeting a particular individual and that consumers are not harmed by pervasive tracking,” said Kemp.
“These are all fictions, and we need tighter laws to ensure that data practices are fair to individuals and not just serving the business interests of organisations,” she said.
One difficulty that may arise for Australians is that a lot of fertility apps have their headquarters overseas. This affects whether it will come within the extraterritorial application of Australia’s federal privacy legislation.
“It will depend on whether they are seen to be carrying on business here in some way,” said Kemp.
“But it also means that they vary a great deal in the privacy laws that apply to them where they are headquartered.
“For example, it’s less likely that there will be strict privacy regulation enforced in the United States than in certain countries in the European Union.”