California’s attorney general urged health apps to bolster security and confidentiality of user data in the face of “unprecedented threats to reproductive freedom.”
Fertility trackers and other health apps should develop security programs designed to protect sensitive information against unauthorized access and disclosure, California Attorney General Rob Bonta (D) said in a Thursday statement.
Health apps also should obtain consent before sharing user data and allow users to revoke previously granted consent, he advised, and the companies that make them should provide internal employee training on the threats and privacy concerns associated with reproductive rights.
Bonta issued the guidance amid concerns about potential appropriation and misuse of fertility app data if the US Supreme Court overturns Roe v. Wade, the landmark decision that legalized abortion nationwide, as is expected.
“Sensitive health data must remain secure and never be used against individuals seeking critical healthcare and exercising their right to abortion,” Bonta said.
Compliance, Best Practices
Apps that fall under California’s Confidentiality of Medical Information Act are required to preserve the confidentiality of medical information, and the law prohibits its disclosure without proper authorization, according to the attorney general’s statement.
“Apps collecting medical information, particularly reproductive health information, need to comply with our state laws and protect such information from risks like improper disclosure or a data breach,” Bonta said.
The CMIA applies to mobile apps, wearable technology, and to other businesses that maintain medical information, regardless of their obligations under federal health privacy laws, the attorney general said. Fertility apps generally aren’t covered by the federal Health Insurance Portability and Accountability Act, which requires health providers, insurers, and third-party administrators to protect patients’ health data.
In addition, the attorney general’s statement advised that health apps protect information with strong authentication protocols and require two-factor authentication as best practices.
Bonta’s predecessor, Xavier Becerra, settled a state suit in 2020 with fertility tracker Glow Inc. that included a directive to fix privacy flaws in its app and pay a $250,000 penalty. The settlement also required Glow to consider how privacy and security lapses could affect women.
Even if some health apps do not fall under the CMIA, other laws, such as the California Consumer Privacy Act, may apply, Bonta said. That statute gives consumers the right to opt out of the sale of their personal information and requires businesses to implement and maintain reasonable security procedures.