
Mind the FemTech data gap: Top tips for app developers

Academics are calling for an enhanced regulatory framework after their research found privacy and security concerns in female-oriented technologies (FemTech). Experts at York University and King’s College London conducted research to investigate how women’s health data within FemTech apps is shared with third parties. 

With the rapid expansion of this segment of the women's health market, poor data handling has raised questions about how these apps process sensitive personal data. Last year, the Information Commissioner's Office (ICO) published guidance to help app developers comply with their data protection obligations and protect the privacy of their users. 

Researchers at York and King's College analysed the data these apps and their third parties access and compared their findings with the apps' privacy policies and Google Play data safety sections (the developer's self-declared summary of what the app collects and shares, shown in the store listing; this is distinct from the data processing, data transfer or data sharing agreements a developer signs with its processors, though the article treats the terms as equivalent) – the two key documents that help users decide whether to download an app and set up a profile. The study covered the 14 most downloaded menopause Android applications from the Google Play Store in the UK, EU, US and Canada.

The study concluded that enhanced regulatory protection is required for health data, mandating privacy-by-design principles for all FemTech apps so that they safeguard user data. The researchers also recommend requiring apps to conduct Data Protection Impact Assessments to identify and mitigate privacy risks before and during their operation. Supporting the need for enhanced protection is the potential integration of FemTech into healthcare delivery – an ambition set out in the Department of Health and Social Care's 2022 Women's Health Strategy for England.

Key study findings

The findings are summarised in four core areas covering:

  1. Advertising: Eight of the apps had Google Advertising Identifiers (AdIDs) enabled by default, and one app had them enabled by default from both Google and Meta. An AdID is personal data, and processing it for advertising requires a lawful basis, in practice the user's consent; a default-on setting collects it before any consent can have been given, which directly conflicts with GDPR.
  2. Sharing health data: Eight of the 14 apps were sharing app 'event' data with third parties without a clear explanation to users of what this means. App event data captures user activity in an app, such as clicking buttons, watching videos, or making purchases, and in a menopause app those actions can reveal health information.
  3. Inconsistent data governance tools: The researchers' cross-referencing of the menopause apps' Google Play data safety sections against their privacy policies revealed inconsistencies. Four apps claimed in their data safety section to access, but not share, app event data, yet reported sharing it with third parties in their privacy policy.
  4. Collecting and sharing other data: It was often only in the apps' privacy policies, not their data safety sections, that apps disclosed that users' addresses, phone numbers and purchase histories would be shared with third parties. In addition, almost every app was found to be sharing email addresses, user IDs, device identifiers and IP addresses contrary to GDPR obligations.
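Findings 1 and 2 are usually not the result of code the developer wrote: the Google/Firebase and Meta Android SDKs read the advertising identifier and log app events automatically as soon as they initialise, unless the app turns those defaults off. The AndroidManifest.xml fragment below is an added example, not part of the study or this article, showing the declarations each SDK documents for disabling that behaviour so that collection only begins after an explicit opt-in; the package name and the consent flow that later re-enables collection at runtime are assumed.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example; not from the study or the article. Package name is hypothetical. -->
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    xmlns:tools="http://schemas.android.com/tools"
    package="com.example.menopausetracker">

    <!-- Finding 1 (AdIDs on by default): the Google Play services / Firebase
         libraries merge the AD_ID permission into the app's manifest and read
         the identifier on SDK initialisation. Removing the merged permission
         means the app cannot read the advertising ID at all. -->
    <uses-permission android:name="com.google.android.gms.permission.AD_ID"
        tools:node="remove" />

    <application android:label="@string/app_name">

        <!-- Google Analytics for Firebase. Defaults: collection enabled,
             advertising ID collected, ad-personalisation signals allowed.
             All three are switched off here so nothing leaves the device
             until the app calls setAnalyticsCollectionEnabled(true) after the
             user opts in (finding 2: event data otherwise flows to the
             third party automatically). -->
        <meta-data android:name="firebase_analytics_collection_enabled"
            android:value="false" />
        <meta-data android:name="google_analytics_adid_collection_enabled"
            android:value="false" />
        <meta-data android:name="google_analytics_default_allow_ad_personalization_signals"
            android:value="false" />

        <!-- Meta (Facebook) SDK. Defaults: app events auto-logged and the
             advertiser ID collected on initialisation. Both are disabled here
             and should only be re-enabled at runtime with
             FacebookSdk.setAutoLogAppEventsEnabled(true) and
             FacebookSdk.setAdvertiserIDCollectionEnabled(true) once consent
             has been recorded. -->
        <meta-data android:name="com.facebook.sdk.AutoLogAppEventsEnabled"
            android:value="false" />
        <meta-data android:name="com.facebook.sdk.AdvertiserIDCollectionEnabled"
            android:value="false" />

    </application>
</manifest>
```

The check that goes with this configuration is to capture the app's network traffic on first launch, before any consent screen is answered, and confirm that no analytics or advertising endpoint is contacted. Note that it does nothing for finding 3: whatever the app actually collects and shares after opt-in must still match both the Play data safety declaration and the privacy policy, and those two documents must match each other.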

The researchers argue that an enhanced regulatory framework is needed to protect women’s online privacy and security, and set out policy recommendations around compliance, transparency and obtaining valid consent which mirror several of the ICO’s recommendations. 

  • New regular audits and compliance checks: To ensure FemTech apps comply with GDPR and Google Play Store policies
  • Enhance transparency to enable informed decisions: Users should be able to understand how different apps manage their personal and health data, requiring FemTech apps to disclose all data-sharing practices with third parties in a clear and understandable way. Google Play Store should be held more accountable in reinforcing consistency between apps’ data safety agreements and privacy policies to ensure users are better informed when deciding to use an app. The same recommendations would be applicable to any equivalent app store/marketplace.
  • Enable greater user agency: FemTech apps should be mandated to obtain opt-in consent for any data sharing beyond what is essential to the service, and users should be given clear options to withdraw consent and delete their health data at any time.

How we can help

It is vital that app developers in general, and FemTech providers in particular, address these privacy concerns so that they stay on the right side of the ICO.

If you are an app developer and would like to know more about how your app can better meet your users' expectations and the ICO's expectations on data transparency and UK data protection law, read the seven tips we have pulled together outlining some dos and don'ts.

Talking digital health podcast

Are you developing, procuring, or selling a ground-breaking health tech product? Or perhaps you're navigating the complexities of bidding for contracts? Our podcast, hosted by experienced health and tech lawyers, is your go-to resource for all things regulatory and compliance. With a fantastic line-up of expert guests, we provide insights and guidance to help you succeed at every step of your journey. Tune in and stay ahead in the ever-evolving world of health tech.

Listen here and follow Talking digital health to keep updated with future episodes!

Our content explained

Every piece of content we create is correct on the date it’s published but please don’t rely on it as legal advice. If you’d like to speak to us about your own legal requirements, please contact one of our expert lawyers.

Contact

Sophie Burton-Jones

+441223222497

Tania Richards
