Your Body, Their Data: FemTech, Reproductive Privacy, and the Legal Crisis Nobody Is Talking About Enough
By Prinmma Eyongegbe, Criminal Justice, MSc., Ph.D (in view), Liberty University
Millions of women open a small, colourful app on their phones every morning. They tap in the date their period began, note a headache, record their mood, log whether they had sex. It takes thirty seconds. It feels routine. What most of them do not realise is that this daily ritual is generating a detailed dossier — one that a prosecutor, a data broker, or a law enforcement officer may one day hold in their hands.
The femtech industry, a term coined in 2016 by Ida Tin, co-founder and chief executive of period tracking app Clue, refers to the broad category of technology products built around women’s reproductive and menstrual health. In 2024, Flo Health reported over 70 million active users and became the first app in this space to achieve unicorn status, with a valuation beyond one billion dollars. These numbers are remarkable. They are also alarming. Because the growth of these platforms has outpaced nearly every meaningful legal protection designed to keep intimate health data safe.
This article is for anyone who uses these tools, studies the law, or cares about where the boundary between personal health and state surveillance is being drawn. The central argument is this: femtech data occupies a dangerous legal grey zone, and in the current climate, it can be used to build criminal cases against the very users the apps claim to serve. Understanding this is the first step. Knowing what to do about it is the point.
The Data These Apps Actually Collect
It is worth being specific about what femtech platforms gather, because the word “data” can make something deeply personal sound abstract and harmless.
Beyond a user’s name, gender, and location, period and fertility tracking apps collect details on the regularity of a user’s menstruation cycle, related symptoms, fertility concerns, and pregnancy planning. Some apps go further. They log sexual activity, contraception choices, miscarriage history, and emotional states. Certain platforms integrate with wearables and collect body temperature readings and sleep patterns. Taken together, this is not generic health information. It is a granular, timestamped record of a woman’s reproductive life.
The femtech market is expected to exceed sixty billion US dollars by 2027, with period tracking apps making up half that value alone. The financial model driving that growth matters enormously. When an app is free to download and free to use, the user is rarely the customer. The data is. And that data moves in ways most users never see.
The Legal Gap: Why HIPAA Does Not Protect You
Most people assume that health data is protected in the United States. That assumption is built on a misunderstanding of what the Health Insurance Portability and Accountability Act — HIPAA — actually does.
Most fertility tracking apps fall outside HIPAA’s jurisdiction because they are not classified as covered entities like hospitals, insurers, or traditional healthcare providers. This regulatory gap has allowed applications to share sensitive reproductive health data with third parties without violating healthcare privacy laws. Your doctor cannot share your medical records without your consent. Your period tracker app can, because it is not governed by the same rules.
The majority of femtech companies, particularly startups, are not subject to HIPAA. As a result, data disclosure for most femtech companies is restricted by the Federal Trade Commission, which prohibits companies from committing unfair or deceptive acts or practices, and applicable state laws. In practice, this means that what a company does with your reproductive health data is governed primarily by its own privacy policy. That is a document most users never read, and one that companies can revise with little notice.
Femtech falls outside the scope of HIPAA, which regulates only health plans, health plan clearinghouses, and healthcare providers — or their associates — that transmit protected health information. This is not a minor administrative oversight. It is a structural failure with real criminal justice consequences.
How Law Enforcement Gets the Data
There are two distinct routes through which reproductive health data finds its way into criminal proceedings.
The first is legal compulsion. Law enforcement can obtain this data from a femtech company directly, if equipped with the right paperwork, like a subpoena, court order, or search warrant. Most technology companies comply with these requests. They are legally required to. The question, then, is not whether companies will hand data over when asked — most will — but whether users are even aware that this possibility exists at all.
The second route is commercial purchase. Law enforcement could purchase this data from femtech companies directly, or from any third parties who have access to it, and there are many that do. This is the more troubling avenue. When data is sold to brokers and then resold again, tracking its movement becomes nearly impossible. A user may delete an app today, but her data could still be circulating through third-party networks for years.
The market for reproductive data has grown, with its uses extending beyond retail, and its data made accessible to third parties, including law enforcement. This is not a hypothetical concern. It is an active and documented reality.
The Flo Health Case: A Turning Point
The most instructive case study in femtech data misuse involves Flo Health, the company behind one of the world’s most downloaded period tracking apps.
In January 2021, the Federal Trade Commission took action against the company. The FTC alleged that despite promising to keep users’ health data private, Flo shared sensitive health data from millions of users of its Flo Period and Ovulation Tracker app with marketing and analytics firms, including Facebook and Google (Federal Trade Commission, 2021a). The company’s own privacy policy had explicitly told users their intimate health information would remain confidential. That promise was not kept.
As part of the settlement, Flo Health was required to notify affected users about the disclosure of their health information and instruct any third party that received users’ health information to destroy that data (Federal Trade Commission, 2021b). The settlement did not include a fine. No criminal charges were filed. The users whose data had been shared received a notification and very little else.
This case matters for several reasons. Flo is not a fringe app operated by an obscure company. It is one of the most popular health applications in the world. If a platform of that scale could share menstruation and fertility data with advertising firms while telling users their information was safe, the problem is clearly not limited to small operators cutting corners.
A prominent example of regulatory failure also occurred with the Premom application, which received a two-hundred-thousand-dollar FTC fine for sharing users’ fertility data with Google and Chinese analytics firms. The pattern is consistent. Sensitive health data moves quietly, repeatedly, and often without the knowledge of the people it describes.
When Data Becomes Evidence: The Nebraska Case
Nothing illustrates the criminal justice dimension of this issue more starkly than what happened to a mother and her teenage daughter in the state of Nebraska.
A Nebraska woman pleaded guilty to helping her daughter have a medication abortion. The legal proceeding against her hinged on Facebook’s decision to provide authorities with private messages between that mother and her seventeen-year-old daughter discussing the latter’s plans to terminate her pregnancy. The messages were obtained through a search warrant. Facebook complied.
After the two were initially charged, law enforcement continued to investigate and obtained Facebook messages between Celeste and Jessica that appear to make reference to abortion pills, according to a copy of the conversation contained in court filings. The case became one of the first in modern US history where private digital communications were used as the primary basis for prosecuting a reproductive health decision.
A case out of Nebraska involving a mother and her teenage daughter offered a preview of how digital footprints could be used to enforce abortion laws. Legal scholars and privacy advocates had spent years warning that this was possible. The Nebraska case proved it was not just possible. It had already happened.
This was not a period tracker app. It was a messaging platform. But the legal mechanism was identical to what prosecutors could use with fertility app data: obtain a warrant, demand the records, build a case. The Nebraska prosecution made one thing clear — the digital trail a woman leaves while managing her reproductive health is not abstract. It is evidence.
The British Dimension: This Is Not Only an American Problem
It would be a mistake to read this as purely an American story. The same dynamics are emerging in the United Kingdom, with their own distinct legal character.
In Britain, police can check search history and fertility trackers on digital devices after an unexpected pregnancy loss, according to new police guidance published in December 2024. “Internet search history and health apps such as menstrual cycle and fertility trackers may all provide information to help investigators establish a woman’s knowledge and intention in relation to the pregnancy,” the guidance stated.
While abortions are legal in England and Wales up to twenty-four weeks, women could face criminal charges for ending a pregnancy after that point under a law dating back to the mid-nineteenth century, which carries a potential sentence of life imprisonment. The Victorian-era statute in question is the Offences Against the Person Act 1861. It was written before the telephone existed. It is still on the books. And British police guidance now explicitly lists fertility app data as a tool for investigating pregnancy loss.
Clue, as a European company, is obligated to apply special protections to reproductive health data under European law. “It is important to understand that European law protects our community’s sensitive health data,” the company noted, citing the General Data Protection Regulation. The GDPR provides meaningfully stronger protections than American federal law. But even within Europe, those protections are only as strong as the companies willing to honour them, and as the Flo case showed, promises are sometimes broken.
The Data Broker Problem: The Invisible Market
Beyond direct law enforcement requests, there is a secondary ecosystem that deserves serious attention.
Data brokers are companies that collect personal information from multiple sources, aggregate it, and resell it. They sit outside the consumer relationship entirely. A user who carefully reads an app’s privacy policy and concludes it is acceptable may never realise that the app sells her anonymised data to a broker, who then combines it with location data purchased from another source, reconstructing a profile that is not anonymous at all.
One prominent complaint argued that this information enabled purchasers to identify and track individuals not only at their home addresses, but in other sensitive locations such as reproductive health clinics, places of worship, and domestic violence shelters. This is surveillance infrastructure. It is legal under current US federal law, and it is sold to whoever can afford to buy it.
In a prominent class action lawsuit, a federal court jury ruled that Meta had illegally collected sensitive reproductive health information from users of the period tracking app Flo for targeted advertising, in violation of the California Invasion of Privacy Act, only for Meta to settle one day before the jury’s ruling. Commercial exploitation and criminal exposure are two different problems. But they both grow from the same root: personal health data treated as a commodity.
The Regulatory Patchwork: Some Progress, Many Gaps
There has been genuine legislative movement, though it remains uneven and incomplete.
Washington State’s My Health My Data Act, which took full effect in March 2024, is the most comprehensive consumer health data law in the United States. It covers data that falls entirely outside HIPAA’s scope and defines consumer health data broadly to include reproductive and sexual health information, geolocation data that could indicate someone is seeking health services, and data inferred or derived from non-health information through algorithms or machine learning. The Act requires opt-in consent before collecting or sharing consumer health data beyond what is necessary for the stated purpose. It prohibits geofencing within two thousand feet of healthcare facilities for advertising purposes. It includes a private right of action, meaning individual users can sue, not just the attorney general.
The FTC’s amended Health Breach Notification Rule, effective July 2024, expands the scope of entities required to notify consumers and the FTC of breaches involving health information to apps and platforms not covered by HIPAA. That is a meaningful step. Notification requirements create accountability, even if they do not prevent the breach from occurring in the first place.
At the federal level, however, the gaps remain wide. Congress could expand the current definition of covered entities under HIPAA, bringing femtech under its scope. User data would then be protected under the law’s privacy and security protections, preventing apps from selling user data without consent and ensuring that law enforcement would be prevented from purchasing the data directly. That legislative reform has been proposed. It has not been enacted. Until it is, the burden falls on users themselves.
What Users Can and Must Do Now
The absence of strong federal protection does not mean users are helpless. There are concrete, practical steps that can substantially reduce risk, and they are worth detailing precisely.
Choose Apps Designed Around Privacy From the Start
Not all period trackers are built the same way. Some are engineered to monetise user data. Others are engineered specifically to prevent it.
Drip is a non-commercial, open-source project that stores all data locally on the device. Because it is fully open source, its code can be audited by security experts to verify its privacy claims. Open-source means anyone with technical knowledge can examine exactly what the app does. There are no hidden data transfers, no background analytics, no undisclosed partnerships. What the developers say the app does is what it actually does, and the public can verify it.
Euki was built with digital safety in mind, especially for reproductive health tracking. It does not require an email address or any personal identifiers to use. All data entered is stored only on the device. The app has no back-end data collection, cloud servers, or tracking cookies, which means the user is the only one with access to their information. If the app is deleted, all data is permanently erased. A unique feature of Euki is the ability to enter a “duress” PIN, which will display a fake screen if a user is ever forced to open the app.
That duress PIN is not a gimmick. In a world where border agents can compel phone access and abusive partners can demand to see a phone, a fake dashboard is a real safety feature.
Understand What “Private” Actually Means in a Privacy Policy
Reading privacy policies is not exciting. It is necessary. There are specific things to look for.
Does the company collect more data than the app strictly requires? Does the policy mention sharing data with “partners,” “affiliates,” or “analytics providers”? Are there clear data deletion procedures, or does the policy use vague language like “we may retain data as required by law”? Does the company claim HIPAA compliance without actually being a covered entity? GoodRx displayed a HIPAA compliance seal on its platform, and that seal was cited in the FTC’s complaint as a deceptive practice.
A policy that is vague about third-party sharing is not a neutral document. It is a warning sign written in polite corporate language.
Avoid Cloud Storage Where Possible
The moment health data leaves a device and enters a company’s servers, it is subject to that company’s legal obligations and vulnerabilities. Apps that store data locally on the device offer better privacy protection compared to cloud storage, meaning data is not as vulnerable in the event of a company data breach.
This is a simple but powerful distinction. Data that never leaves your phone cannot be subpoenaed from a server. It cannot be breached in a corporate cyberattack. It cannot be sold by a company you trusted in good faith. Local storage is not perfect protection — a seized phone is still a seized phone — but it removes entire categories of risk.
Delete Data You Are No Longer Using
If you have old period tracker accounts, delete them properly. Not just the app — the account itself and all associated data. Many apps allow data deletion through their settings or by contacting customer service directly. This should be done before a legal dispute arises, not after.
Most of the responsibility to protect a user’s data falls on the user themselves, as Andrew Crawford, a healthcare privacy-focused senior counsel with the Center for Democracy and Technology, observed: “It really is incumbent on users to do their homework”. That is an uncomfortable thing to say. It places an unfair burden on individuals to compensate for regulatory failure. But it is accurate, and working within that reality is more useful than waiting for it to change.
Consider Analogue Alternatives
This may sound counterintuitive, but the most private period tracker is a paper notebook. It cannot be subpoenaed from a tech company’s servers. It cannot be breached in a data hack. It contains exactly what you write in it.
Using a notebook remains one of the most secure ways to record cycles. A user can jot down start and end dates, note flow intensity with symbols or colours, and record symptoms or lifestyle factors like stress or sleep. Over time, the notes reveal clear patterns without leaving any digital trail. For users in jurisdictions with highly restrictive reproductive laws, this is not an eccentric suggestion. It is a genuinely safer approach.
The Criminal Justice Dimension
For those of us studying criminal justice, this subject sits at an important intersection. It concerns digital evidence, privacy law, constitutional protections, and the relationship between technology companies and state power. Each of those areas is changing rapidly.
The Fourth Amendment protects against unreasonable searches and seizures. It was not written with digital data in mind. Courts have been inconsistent in how they apply constitutional protections to data held by third parties. Under the third-party doctrine, information voluntarily shared with a company may not receive full Fourth Amendment protection. That legal principle, developed in an era of paper records and phone calls, is now being applied to the intimate contents of health apps that millions of women use daily.
In the case of Latice Fisher, who was prosecuted for the death of her thirty-five-week-old fetus, her digital data gave prosecutors what the court described as a window into her soul that helped establish intent and support the prosecution’s theory about her actions. Reproductive health data is not just medically sensitive. It reveals intention, knowledge, and decision-making in the most personal domain of a person’s life. In criminal law, that is exactly the kind of evidence prosecutors want.
Digital footprints have been used in prosecuting reproductive cases even before the Dobbs decision. In 2018, a woman in Mississippi was charged with second-degree murder after she gave birth to a stillborn baby at home. Part of the prosecution’s case noted that she had researched how to terminate a pregnancy in the past. Search history. Period tracker data. Facebook messages. These are no longer separate categories of digital evidence. They are components of a single prosecutorial toolkit.
What Needs to Change at the Policy Level
Individual protective measures are necessary but not sufficient. Structural change requires legislative action, and identifying what that action should look like is part of the work.
First, HIPAA must be updated. Its coverage was designed for a world where health data lived in filing cabinets and hospital computer systems. That world no longer exists. Femtech requires robust and stringent privacy and security safeguards because of the sensitivity of the data it handles. Expanding HIPAA’s definition of covered entities to include health apps would bring the regulatory framework into alignment with how people actually manage their health in the twenty-first century.
Second, data minimisation must become a legal requirement rather than a voluntary best practice. Apps should only be permitted to collect data that is strictly necessary for the service being provided. A period tracker does not need a user’s location to calculate a cycle length. Collecting it anyway should be prohibited.
Third, data broker regulation requires urgent attention. States such as California, Nevada, and Vermont have laws that require data brokers to register with the state, or ensure consumers have the opportunity to opt out of third-party sales. That model should become a federal standard. Users should not have to know that a broker exists, find their way to an obscure opt-out form, and repeat the process for hundreds of companies just to exercise basic control over their own information.
Fourth, reproductive health data should be classified as a distinct category of sensitive information, with higher protections than ordinary personal data. The GDPR does this in Europe. Several US states are beginning to move in this direction. Federal law has not caught up.
Conclusion: The Stakes Are Real
Women are not paranoid to worry about this. The worry is well-founded, documented, and increasingly urgent.
In the wake of Dobbs v. Jackson Women’s Health Organization, concerns have come to light regarding the potential misuse of sensitive personal health data originating from period tracking apps. Questions have arisen concerning whether femtech app data can be used to identify and prosecute individuals violating abortion laws. Those are no longer theoretical questions. They have been answered in courtrooms.
The technology that was meant to help women understand their own bodies has been drawn into a political and legal conflict that its designers may not have anticipated. The data that helps someone track their cycle or plan a pregnancy can, in the wrong jurisdiction and the wrong legal climate, become the evidence that convicts them.
This is a criminal justice issue. It is a civil liberties issue. It is a technology regulation issue. And it is, above all, a human issue — one that asks what it means to have a private inner life in a world that increasingly insists on logging it.
The solutions are both personal and political. Individually, use apps that store data locally, read privacy policies carefully, delete old accounts, and recognise that analogue options remain available. Collectively, push legislators to extend HIPAA protections, mandate data minimisation, regulate the broker marketplace, and treat reproductive health information with the seriousness it deserves.
The gap between the law and the technology is wide. Closing it is not optional. It is overdue.
References
Braddom, K. (2024) ‘From Menstruation to Regulation: Understanding Data Privacy Laws and Period Tracker Apps’, Policy Perspectives, 24 February. Available at: https://policy-perspectives.org/2024/02/24/from-menstruation-to-regulation-understanding-data-privacy-laws-and-period-tracker-apps/ (Accessed: 30 December 2025).
CNN Business (2022) ‘Nebraska teen and mother facing charges in abortion-related case that involved obtaining their Facebook messages’, CNN Business, 10 August. Available at: https://www.cnn.com/2022/08/10/tech/teen-charged-abortion-facebook-messages/index.html (Accessed: 30 December 2025).
Coblentz Law (2025) ‘Updates to U.S. Health-Data Privacy and Wearable Tech’, Coblentz Law, 27 September. Available at: https://www.coblentzlaw.com/news/updates-to-u-s-health-data-privacy-and-wearable-tech/ (Accessed: 30 December 2025).
Columbia Science and Technology Law Review (2024) ‘FemTech, Privacy, and the Post-Dobbs Data Landscape’. Available at: https://journals.library.columbia.edu/index.php/stlr/blog/view/660 (Accessed: 30 December 2025).
Context News (2025) ‘How period tracking apps threaten digital privacy rights’, Context by TRF, 12 August. Available at: https://www.context.news/digital-rights/how-period-tracking-apps-threaten-digital-privacy-rights (Accessed: 30 December 2025).
ExpressVPN (2026) ‘Safe period tracker: Best apps and private alternatives’, ExpressVPN Blog, 27 February. Available at: https://www.expressvpn.com/blog/period-tracking-apps/ (Accessed: 30 December 2025).
Federal Trade Commission (2021a) ‘Developer of Popular Women’s Fertility-Tracking App Settles FTC Allegations that It Misled Consumers About the Disclosure of their Health Data’, FTC Press Release, 13 January. Available at: https://www.ftc.gov/news-events/news/press-releases/2021/01/developer-popular-womens-fertility-tracking-app-settles-ftc-allegations-it-misled-consumers-about (Accessed: 30 December 2025).
Federal Trade Commission (2021b) ‘FTC Finalizes Order with Flo Health, a Fertility-Tracking App that Shared Sensitive Health Data with Facebook, Google, and Others’, FTC Press Release, 22 June. Available at: https://www.ftc.gov/news-events/news/press-releases/2021/06/ftc-finalizes-order-flo-health-fertility-tracking-app-shared-sensitive-health-data-facebook-google (Accessed: 30 December 2025).
Georgetown Law Technology Review (2022) ‘Users of “Femtech” Should Be Concerned — In a Post-Dobbs World, Their Personal Data Could Be Used Against Them’, Georgetown Law Technology Review, 22 November. Available at: https://georgetownlawtechreview.org/users-of-femtech-should-be-concerned-in-a-post-dobbs-world-their-personal-data-could-be-used-against-them/GLTR-11-2022/ (Accessed: 30 December 2025).
IAPP (2022) ‘Privacy and digital health data: The femtech challenge’, International Association of Privacy Professionals, 25 October. Available at: https://iapp.org/news/a/privacy-and-digital-health-data-the-femtech-challenge (Accessed: 30 December 2025).
Kalema, N.L. and Al Futtaim, S. (2024) ‘Digital Handmaidens: Your Body, Their Data’, Harvard Kennedy School Carr Center for Human Rights Policy. Available at: https://www.hks.harvard.edu/centers/carr-ryan/our-work/carr-ryan-commentary/digital-handmaidens-your-body-their-data (Accessed: 1 June 2026).
Living360 (2025) ‘Period tracking apps that protect your data privacy’, Living360, 30 July. Available at: https://living360.uk/period-tracking-app-cycle-safe-data/ (Accessed: 30 December 2025).
Nixon Law Group (2022) ‘FemTech Data Privacy and the Changing Abortion Landscape: What FemTech Companies and Founders Need to Know’, Nixon Law Group Resources. Available at: https://www.nixonlawgroup.com/resources/femtech-data-privacy-and-the-changing-abortion-landscape-what-femtech-companies-and-founders-need-to-know (Accessed: 30 December 2025).
NPR (2022) ‘How period tracking apps and data privacy fit into a post-Roe v. Wade climate’, NPR, 10 May. Available at: https://www.npr.org/2022/05/10/1097482967/roe-v-wade-supreme-court-abortion-period-apps (Accessed: 30 December 2025).
Petkovic, A. (2023) ‘The FemTech Problem: How Dobbs Shifted the Data Privacy Landscape for Period-Tracking Apps’, Journal on Telecommunications and High Technology Law, Northwestern Pritzker School of Law, 19 April. Available at: https://jtip.law.northwestern.edu/2023/04/19/the-femtech-problem-how-dobbs-shifted-the-data-privacy-landscape-for-period-tracking-apps/ (Accessed: 30 December 2025).
Secure Privacy (2024) ‘Privacy Vulnerabilities in Fertility Technology: Digital Reproductive Health Data’, Secure Privacy Blog. Available at: https://secureprivacy.ai/blog/femtech-fertility-technology-digital-reproductive-data-privacy (Accessed: 30 December 2025).
Sekurno (2026) ‘What FemTech Apps Get Wrong About Security After Dobbs’, Sekurno Blog, 30 April. Available at: https://www.sekurno.com/post/femtech-app-security-dobbs-reproductive-health-data (Accessed: 30 December 2025).
Shachar, C. et al. (2025) ‘Effective regulation of technology in women’s health and healthcare’, BMJ, 391, r2351. Available at: https://pmc.ncbi.nlm.nih.gov/articles/PMC12516473/ (Accessed: 30 December 2025).
Stateline (2024) ‘Data privacy after Dobbs: Is period tracking safe?’, Stateline, 26 July. Available at: https://stateline.org/2024/07/26/data-privacy-after-dobbs-is-period-tracking-safe/ (Accessed: 30 December 2025).
Taylor, C. (2023) ‘Teen and mom plead guilty to abortion charges based on Facebook data’, TechCrunch, 11 July. Available at: https://techcrunch.com/2023/07/11/teen-and-mom-plead-guilty-to-abortion-charges-based-on-facebook-data/ (Accessed: 30 December 2025).