Popular menstrual apps send sensitive data to Facebook
A number of commonly used menstrual apps automatically forward user data to Facebook. This is done on Android via Facebook’s SDK, even if a user does not have a Facebook account or does not have the Facebook app on the phone.
The apps in question have been downloaded millions of times, according to research by Privacy International. The privacy organization looked at the apps Maya, MIA, My Period Tracker from Linchpin Health, Ovulation Calculator, Period Tracker from GP International and Mi Calendario. Of those apps, only Period Tracker does not send information to Facebook. The applications are used to track menstrual cycles, but often also to monitor fertile periods, which is useful for couples trying to conceive. Doing so requires the collection of a lot of sensitive information, such as how users feel physically, but also when they have had sex.
The other apps all use a feature from Facebook’s Software Development Kit, which can be used for different purposes. One of those purposes is to collect data in order to show more personalized advertisements. Privacy International’s research shows that most menstrual apps send Facebook data that users enter themselves. In some cases, this is detailed information, such as the content of notes that users can create, but more often it is metadata. For example, the Maya app assigns a numeric value to the ways in which a user has sex: sex with contraception is assigned a 2, unprotected sex a 3. These values are then shared with Facebook. Dates, such as when a menstrual cycle started, are also sent to Facebook in this way.
According to Privacy International, it is not always clear to users which data is shared with whom. Some apps already send data to Facebook as soon as the app is opened. That happens before users can even accept the terms and conditions, the researchers say. That would be against the GDPR. Facebook says in a response to BuzzFeed that apps must be clear about what data they collect.