State attorneys general call on Apple to beef up privacy protections for reproductive health information

Ten state attorneys general are calling on Apple to implement stronger privacy controls for third-party apps that collect consumers’ reproductive health data.

In a letter (PDF) sent Monday to Apple CEO Tim Cook, the group of state AGs raised privacy concerns in the wake of the U.S. Supreme Court’s Dobbs ruling overturning Roe v. Wade.

Third-party apps available on Apple's App Store such as period tracking apps and pregnancy and fertility apps collect consumers’ private reproductive health data, which can be "weaponized against consumers by law enforcement, private entities, or individuals," the state AGs wrote in the letter.

"This gap in Apple’s protections threatens the privacy and safety of App Store consumers and runs directly counter to Apple’s publicly expressed commitment to protect user data," the New Jersey-led coalition wrote.

When reached for comment, an Apple spokesperson pointed to the privacy controls built into the company's Health app. When consumers have enabled two-factor authentication and use Apple's "cycle tracking" feature, for example, the health data synced to iCloud is encrypted end-to-end and "Apple does not have the key to decrypt the data and therefore cannot read it," the policy states.

The Apple spokesperson also highlighted that users have "fine-grained control" over which health information they want to share with other apps. For example, a user could let an app read step count data, but prevent it from reading blood glucose levels. Also, Apple lays out requirements all apps must meet in order to use the HealthKit framework, the spokesperson said.

The state AGs argue that the tech giant hasn't done enough to protect reproductive health data, noting that location history, search history and adjacent health data—specifically, all information relating to the past, present or future reproductive or sexual health of an individual—pose a significant risk to individuals seeking or providing abortions, birth control or other reproductive health care, according to the letter.

App developers should be required to delete data not essential for the use of the application, including location history, search history and any other related data of consumers who may be seeking, accessing or helping provide reproductive health care, the state law enforcers wrote in the letter.

App makers should also be required to clarify what reproductive health information is shared with third parties, including law enforcement. Apple also should require apps to do so only when required by a valid subpoena, search warrant or court order, the AGs said.

Third-party apps that collect consumers’ reproductive health data or that sync with user health data stored on Apple devices also should be required to implement at least the same privacy and security standards as Apple does with regards to the data. As an example, Apple ensures that Apple Health data—including reproductive data—are automatically encrypted. 

"At minimum, Apple should require apps on the App Store to meet certain threshold security requirements, such as encryption of biometric and other sensitive health data stored on applications, use of end-to-end encryption when transmitting said data, and compliance with Apple’s user opt-out controls," the AGs wrote.

Apple also should conduct periodic audits and remove or refuse to list third-party apps in violation of these standards. Apps that fail to certify compliance with these measures should be removed from the App Store.

"These actions will safeguard reproductive health information from being wrongfully exploited by those who would use it to harm patients or providers," the group wrote.

The Mozilla Foundation recently surveyed popular reproductive health apps to evaluate how each company uses, shares, sells and retains the data it collects as well as the security measures employed by the app. The organization concluded that most reproductive health tracking apps have opaque privacy protection policies and no clear policy on data-sharing practices with law enforcement. Of the twenty-five reproductive health apps surveyed by Mozilla Foundation, the majority (eighteen apps) either failed to abide by proper privacy and security practices or obfuscated the scope of user data collected by the apps.

“Protecting reproductive privacy in the wake of the Dobbs decision is paramount. Despite promoting privacy as one of its ‘core values’ Apple simply has not done enough to ensure that private reproductive health data collected and stored by apps will not be used to track, harass, or criminalize those seeking to exercise their reproductive freedoms,” said New Jersey Attorney General Matthew Platkin in a statement. “With this letter, we are putting Apple executives on notice that New Jersey is prepared to use all its authority to impel them to protect the privacy of those accessing or providing legal reproductive health services.”

Tech companies and app developers have taken steps to beef up privacy controls in the wake of the Supreme Court's decision. In September, Flo, the No. 1 period-tracking app in the Apple store, made “anonymous mode” live after widespread calls to protect users’ data. 

Thirty senators also called for the strengthening of federal privacy protections under the Health Information Portability and Accountability Act, further prohibiting providers from sharing patients’ reproductive health information without consent. The American Data Privacy and Protection Act, if passed, would also work in protecting health data.

Google announced it would cease collecting geolocation data around abortion facilities, a July announcement that has yet to be followed by action at a technical or policy level.

In July, the House Oversight Committee launched an investigation into how companies are handling sensitive health data in the wake of the Supreme Court’s decision to overturn Roe v. Wade. The Federal Trade Commission also pledged to crack down on companies that exploit consumers' location, health or other sensitive data following an executive order from President Joe Biden.

Editor's note: This story has been updated with a response from Apple highlighting its privacy controls.