FemTech Has Been Warned: UK’s ICO Indicates Closer Scrutinization of FemTech Apps

On 4 April 2023, John Edwards, the UK’s Information Commissioner, stated that the UK’s Information Commissioner’s Office (ICO) would be “going after providers of women’s health apps and auditing them, and getting them to change any practices that are non-compliant.” Speaking at the IAPP Global Privacy Summit in Washington DC, the Information Commissioner indicated that this proposed strategy forms part of the ICO’s new “agile” initiative, which will focus on “areas of vulnerability, targeting…intervention [where] that has the greatest impact”.

The “FemTech” market is estimated to exceed $75 billion by 2025 and refers to health software and tech-enabled products that cater to female biological needs and to the wider wellness market for all those who identify as female. In turn, FemTech Apps typically involve the processing of large volumes of sensitive data as defined under certain data protection laws, and in turn the ICO has identified this as an area of “vulnerability” requiring regulatory attention. The ICO’s concerns align with an increased focus by the FTC on health and wellness apps, particularly where they may process data relating to reproductive health.

Interestingly, this initiative proposed by the ICO to focus on FemTech could be contrasted with other UK regulators’ intent to promote faster approvals for and access to women’s health technologies, with initiatives such as the Women’s Health Strategy for England Strategy published in late August 2022. In the Strategy, NHS England, the National Institute for Health and Care Excellence (NICE), the UK’s health technology assessment body, and the UK’s Medicines and Healthcare Products Regulatory Agency (MHRA) committed to working together to accelerate patient access to digital technologies that are proven to be safe and effective, e.g. through the Accelerated Access Collaborative.

Now more than ever, FemTech companies engaged in the development, deployment and use of apps are urged to review their existing GDPR and other data protection compliance postures.

This post is as of the posting date stated above. Sidley Austin LLP assumes no duty to update this post or post about any subsequent developments having a bearing on this post.