Can a period tracker company sell my health data

Under current federal law, there is no outright prohibition on consumer health app companies selling health data, as long as doing so is disclosed in their privacy policy. The FTC enforcement actions against Flo and Premom targeted companies that shared data without adequate disclosure or contrary to their stated policies, not the act of sharing itself.

Does the FTC have the power to fine period tracker companies for privacy violations

Yes, though the structure varies. The FTC can seek civil penalties in some cases and require injunctive relief (consent orders requiring specific changes). The $59.5M that Flo faced was through a class action lawsuit (Reuters, September 25, 2025), not the FTC action itself. FTC consent orders can require companies to change practices and submit to audits, but the FTC's civil penalty authority for first-time violations is limited.

Are health data privacy laws getting stricter

At the state level, yes. Several states have passed laws addressing consumer health data. At the federal level, protections have moved backward. The HIPAA Reproductive Privacy Rule was vacated in June 2025. Executive Orders 14076 and 14079/14101 directing HHS and FTC action on reproductive health data were revoked on January 24, 2025. The My Body My Data Act (H.R. 3916 / S. 2029) has a 2% chance of clearing committee per GovTrack. The most protective posture is to use an app that collects no server-side data at all, rather than relying on laws that may change.

guides

Are Period Tracker Apps Covered by HIPAA

Most period tracker apps are not covered by HIPAA. Explains which law governs consumer health apps, what the gap means, and what the FTC can do.

The HIPAA Misconception A ClearDATA/Harris Poll survey (May 2023, n=2,053) found that 81% of Americans wrongly believe their health app data is protected by HIPAA. That same survey found 58% of Americans who use digital health apps have never considered where their data is shared. Both numbers reflect the same gap: people assume the healthcare privacy framework extends to consumer apps. It does not. HIPAA was designed for the healthcare system: hospitals, clinics, insurers, and the companies that serve them. When you share health information with your doctor, HIPAA governs how that information can be used and disclosed. When you enter the same information into a consumer app, HIPAA does not apply. This is not a loophole, it is an intentional scope limitation. HIPAA was enacted in 1996, long before consumer health apps existed. Congress has not updated the law to cover them. What FTC Section 5 Actually Provides The FTC's enforcement authority under Section 5 covers unfair and deceptive practices. Applied to period trackers, this means: A company that says it will not share your data and then shares it can face an FTC enforcement action (as Flo did in 2021) A company that shares data