Digital health technologies are repositories of some of our most intimate personal data. Most menstruating individuals who use menstrual and fertility tracking apps (referred to as “period tracking apps” hereafter) regularly record the most private aspects of their life, such as cycle dates, symptoms, mood, sexual activity, and fertility patterns (referred to as “menstrual data”) on these apps while looking for predictability and awareness of their own body and its functioning. Implicit in this use is an assumption that the app will protect their sensitive personal information and that it will not be disclosed or shared with anyone, especially without their informed consent.
However, investigations and regulatory findings in various countries have revealed that period tracking apps collect sensitive personal data beyond what is necessary for service delivery, retain such data for extended periods of time and share it with third-party advertisers or analytics platforms without the knowledge of unsuspecting users.
Law to protect privacy in India
A privacy-focused law called the Digital Personal Data Protection Act, 2023 (“DPDP Act” or “Act”) was passed in 2023. The Act introduces a definitive legal framework for the protection of digital personal data, but it has been largely ineffective thus far, owing to the absence of rules which can translate the legal framework into concrete obligations with accountability.
The Indian Government has notified the Digital Personal Data Protection (DPDP) Rules, 2025 (“DPDP Rules”) under the DPDP Act on November 14, 2025. Before the enactment of the DPDP Act, the collection, storage, processing, disclosure and transfer of health-related personal information and data was regulated in a limited manner under the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (“SPDI Rules”). However, with the introduction of the DPDP Act and DPDP Rules, the SPDI Rules are set to be replaced by May 13, 2027. The DPDP Rules are expected to give teeth to the DPDP Act since they enumerate real obligations on entities that process personal data.
This article will critically examine whether the protections put in place by the DPDP Act and DPDP Rules are sufficient to protect the personal data of menstruating individuals which is being collected and stored in period tracking apps.
Data processed by period tracking apps
Menstrual data is not just informational. Unlike most health data, which is often a record of isolated medical facts, menstrual data is inherently derivative and inferential in nature. From seemingly simple menstrual cycle logs, it is possible to predict pregnancy, miscarriage, or abortion; indicate underlying conditions such as Polycystic Ovary Syndrome (PCOS) or endometriosis; and enable profiling relating to marital status, sexual behaviour, fertility preferences, and broader reproductive choices. The misuse of such data can result in stigma, discrimination, coercion, or even physical risk. Therefore, menstrual data is not merely sensitive; it is sacrosanct and private.
Consent, purpose and necessity framework for processing personal data
Under the DPDP Act, owners and operators of period tracking apps are known as “data fiduciaries”. The DPDP Act has imposed an obligation on data fiduciaries to obtain valid consent from users who come under the definition of “data principals” before any collection, storing and processing of data principals’ personal data. The consent given by a data principal has to be free, specific, informed, unconditional and unambiguous, with a clear affirmative action. Further, any processing of such personal data must be limited, i.e., as is necessary for performing the specified purpose that was informed before or at the time of taking consent.
For period tracking apps, a bundled consent mechanism and ambiguous privacy policies will now turn out to be unlawful. Such apps must explicitly disclose (i) what menstrual data is collected with a description; (ii) the specified purpose of such collection (including whether it is shared, with whom, and for what purpose); and (iii) a mechanism for withdrawal of consent and exercise of rights, including making complaints to the Data Protection Board.
As stated above, before requesting specific consent, the data fiduciary is required to describe the specified purpose for processing personal data. However, there is currently no guidance on the standards a data fiduciary should follow while describing a specified purpose, which begs the following question: Should the specified purpose be left to be determined by data fiduciaries who are running businesses and would be inclined to expand the specified purpose as much as possible? If a data fiduciary that runs a period tracking app decides to include “use of menstrual data for recommendation of health services and health service providers” as another specified purpose in addition to access to the period tracking service, and starts sharing the personal data of menstruating users with doctors and hospitals in the form of leads, it won’t be unlawful if the unsuspecting user has granted their consent to such “specified use”.
Therefore, in the context of period tracking applications, the ability of a data fiduciary to define a specified purpose in broad or unrelated terms and seek specific consent from unsuspecting users creates a systemic vulnerability for menstruating individuals who use period tracking apps. A period tracking app may lawfully define its specified purpose to include targeted advertising, behavioural analytics, or commercial use of such data, provided such purposes are disclosed and consented to. The Act does not impose an independent test of necessity, proportionality, or contextual legitimacy of the specified purpose, nor does it prohibit certain uses of menstrual data outright. In this way, the current privacy framework under the DPDP Act and DPDP Rules risks reducing consent to a mere formality, insufficient to protect menstruating individuals from exploitative or intrusive uses of their most intimate menstrual data.
Derivative and Anonymised Data: Limits of the Right to Erasure
Pursuant to the DPDP Act, users have an explicit right to access their stored (menstrual) data, correct inaccuracies, and seek erasure where the specified purpose they consented to is served or when they withdraw consent. Hence, among the rights conferred on data principals under the DPDP Act, the right to erasure is particularly significant in the context of period tracking apps. Historically, such apps have relied on indefinite and discretionary retention of menstrual data, both to train their models on years of cycle history that make their predictions more “accurate” and to benefit from the economic value of such data by selling it to third parties. The DPDP Act makes it unlawful to do so now.
However, a challenge remains in the context of derivative and AI-generated data because the DPDP Act does not distinguish between original personal data and inferences drawn from it, i.e., derivative personal data. In other words, derivative menstrual data remains “personal data” so long as it relates to an identifiable individual. Therefore, when it comes to erasure of such personal derivative menstrual data, the right of erasure turns out to be ineffective as once an individual’s menstrual data has been incorporated into a trained (AI) model, the underlying data cannot be extracted, separated and deleted in any meaningful sense. Even after a user requests deletion of their personal data, the model may continue to draw on patterns derived from that data to infer or predict similar outcomes.
Another risk is that of anonymisation, which is often presented as a solution to privacy concerns. Yet menstrual data, even when stripped of personal information, can be re-identified when combined with other datasets. It can also enable group-level profiling (e.g., fertility trends in a region, age group, or socio-economic class). Further, the DPDP Act does not specify standards for what level of anonymisation is sufficient, or who bears the burden of proving irreversibility.
This gap becomes particularly consequential when such menstrual (derivative or anonymised) data is retained indefinitely, perhaps even monetised, or used to train predictive or AI-driven systems.
Minors, Consent, and Menstrual Privacy
It is worth noting that a substantial number of period tracking app users are teenagers. The DPDP Act introduces strict “verifiable parental consent” for those under the age of 18. Verifiable consent entails that the identity of the individual who has provided parental consent is checked and their age is confirmed, using reliable or government-backed identity verification methods. While intended as a protective measure, this requirement may unintentionally undermine the privacy of minors.
In many social contexts, young users may not feel safe or comfortable discussing menstrual health or sexual activity with their parents. Mandatory parental consent could therefore discourage minors from using digital tools that help them manage their reproductive health, effectively denying them confidential access to essential health information.
Conclusion
It is undeniable that the DPDP Act and DPDP Rules provide a legal framework for protecting the privacy of users of period tracking apps in India. However, when applied to menstrual data, certain limitations become evident where clearer guidance and interpretation are needed.
The current framework does not fully account for the unique sensitivity of menstrual information, the realities of AI-driven processing, the risks of derivative and anonymised data, and the potential inadvertent exclusion of minors from period tracking apps. Without clearer restrictions on permissible uses and stronger safeguards, the law risks treating deeply intimate bodily data as ordinary consumer information.
To fill the gap, one potential solution could be that the schema of the DPDP Act itself be tweaked to treat menstrual and other sensitive health data as a special category or sensitive form of data requiring higher standards of protection, much like the outgoing SPDI Rules, which categorically labelled health data as sensitive data, and the EU General Data Protection Regulation (GDPR), which treats menstrual data as “Special Category Data”.
Adopting a comparable approach under the DPDP Act and DPDP Rules would ensure that menstrual data receives the heightened protection it deserves. Without such reforms, the privacy of millions of menstruating individuals using period tracking apps will remain unsecured and exposed to potential misuse.
TOP 5 HEALTH LAWS AND POLICY UPDATES
Dear Readers, we are happy to share the most interesting legal and policy updates concerning the health industry that we read today. We hope you enjoy reading them.
1. The Supreme Court of India has urged the Union Government to consider giving legal backing to the Uniform Code of Pharmaceutical Marketing Practices, 2024, noting that the current voluntary framework lacks effective enforcement and leaves patients unprotected. The Court indicated it may issue interim guidelines and sought detailed proposals for a statutory, government-enforced framework.
Source: h7.cl/1jDIt
2. The Competition Commission of India (CCI) has approached the NCLAT to clarify whether privacy safeguards for non-advertising data sharing should also apply when a social media platform shares user data with its parent company for advertising purposes. This follows the lifting of a five-year ban on such data sharing.
Source: h7.cl/1ePhT
3. India’s central drug regulator (CDSCO) reportedly plans for a digital tracking system for high-risk solvents like diethylene glycol and batch-level reporting to prevent cough-syrup contamination. Authorities are also increasing scrutiny of unlicensed rural pharmacies and considering removal of the Schedule K exemption that currently eases regulatory requirements for selling cough syrups.
Source: h7.cl/1ePhW
4. The Directorate General of Foreign Trade (DGFT) has resolved a long-standing issue affecting pharmaceutical exporters by clarifying redemption of Advance Authorisations (AAs) impacted by the old CGST Rule 96(10). The move addresses compliance hurdles for duty-free raw material imports for the pharma sector.
Source: h7.cl/1jDHw
5. The Indian government has launched the National Action Plan on Antimicrobial Resistance (NAP-AMR) 2.0 (2025–29) to counter rising drug resistance. The plan sets clear timelines, strengthens surveillance, curbs antibiotic misuse, boosts lab and infection-control capacity, and adopts a One Health approach through coordinated, multi-ministerial action against the growing AMR threat.
Source: h7.cl/1jDHD
TOP 5 HEALTH LAWS AND POLICY UPDATES
1. The Indian government has extended the deadline for small and medium pharmaceutical companies to comply with the revised Good Manufacturing Practices (GMP) under Schedule M of the Drugs and Cosmetics Act. The revised deadline is December 31, 2025, while the earlier deadline was January 1, 2025. This extension aims to assist smaller manufacturers in upgrading their facilities to meet stringent regulatory requirements.
Source: bit.ly/4a4HaAo
2. The Central Drugs Standard Control Organisation (CDSCO) and the Indian Council of Medical Research (ICMR) have released draft standard evaluation protocols for licensing in-vitro diagnostics (IVDs) under the Medical Devices Rules, 2017. These protocols aim to ensure quality and performance evaluation of IVDs, establishing uniformity in testing across various diagnostic kits. Stakeholders are invited to provide their feedback on the draft by February 15, 2025.
Source: bit.ly/40kTlWt
3. The Ministry of Electronics and Information Technology (MeitY) has released the draft Digital Personal Data Protection Rules, 2025, inviting public feedback until February 18, 2025. These rules aim to operationalize the Digital Personal Data Protection Act, 2023, which was enacted to enhance the framework for protecting digital personal data in India. The draft includes provisions for data localization, compliance requirements for significant data fiduciaries, timelines for storing data and ensuring that personal data is processed responsibly.
Source: bit.ly/3C63oFx
4. The Ministry of Commerce and Industry has launched the Open Network for Digital Commerce (ONDC) initiative to democratize digital commerce in India by fostering open networks for the exchange of goods and services. This initiative focuses on inclusivity, enabling small and medium enterprises (MSMEs) to access digital marketplaces while promoting innovation through open protocols. By creating a level playing field, ONDC seeks to reduce the dominance of large e-commerce platforms and enhance competition among sellers.
Source: bit.ly/4gHo1al
5. The Telangana Medical Council has issued a show-cause notice to a Hyderabad-based hospital for allegedly collaborating with unqualified practitioners and promoting fake doctors. This action follows the hospital’s involvement in sponsoring the medical program and advertising the same on social media, where unqualified individuals were reportedly encouraged. The hospital has been given a 10-day deadline to respond; failure to do so may result in punitive actions under the National Medical Commission (NMC) Act and other regulations.
Source: bit.ly/3BWAQhM
TOP 5 HEALTH LAWS AND POLICY UPDATES
Source: bit.ly/4fyc8CM
3. The Union Minister for Chemicals and Fertilizers, Jagat Prakash Nadda, has launched a new initiative called the “Scheme for Strengthening the Medical Device Industry,” to enhance manufacturing, skill development, clinical studies, and infrastructure in the medical device sector. It includes five sub-schemes designed to reduce import dependence and promote domestic production, ultimately supporting India’s goal of self-reliance in healthcare.
Source: bit.ly/4fjICRq
4. The Supreme Court of India has ordered the government to enforce mandatory accessibility rules under the Rights of Persons with Disabilities (RPWD) Act, 2016 emphasizing the need for compliance to ensure public spaces are accessible for disabled individuals. The court has given the government three months to establish clear guidelines and penalties for non-compliance.
Source: bit.ly/3UNULWl
Source: bit.ly/3CkdRwZ
TOP 5 HEALTH LAWS AND POLICY UPDATES
Guidance for making regulatory applications for biological and biotechnology products such as vaccines may be revised soon
India’s central drug regulator, the Central Drugs Standard Control Organisation (CDSCO), has issued a draft of revised guidance which seeks to align the online regulatory application process with the applicable law, i.e., the New Drugs and Clinical Trial Rules, 2019. Recently, the CDSCO has started accepting regulatory applications through the NSWS portal. All stakeholders have time until April 25, 2024 to submit their suggestions/comments.
Source: bit.ly/3JlwIrU
Indian Pharma industry has sought clarity from Government on ethics of sponsoring foreign trips of doctors to attend scientific and training programs outside India.
An industry group representing multinational pharma companies has reportedly approached the Indian Government seeking clarity on the issue of Indian doctors being sponsored by pharma companies to attend medical events outside India. A recent guidance issued by the Department of Pharmaceuticals, called the Uniform Code for Pharmaceutical Marketing Practices, 2024 (UCPMP), states that pharma companies will not sponsor travel and hospitality of doctors unless they are speaking at medical events.
Source: bit.ly/3JklqnG
New Guidance document for generation and transfer of EPR Certificate under E-Waste Management Rules issued
India’s Central Pollution Control Board has issued a guidance document which explains steps to be taken by recyclers, recycling facilities under the E-Waste (Management) Rules, 2022 for generation of EPR Certificate. It has been clarified that EPR Certificate will have validity of 2 years. All importers and manufacturers of electric and electronic equipment including medical devices are required to procure EPR Certificates from registered recyclers to discharge their respective Extended Producer Responsibility obligations.
Source: bit.ly/44242Oc
Nestlé wins class action suit filed by Government in the infamous Maggi Noodles case
The National Consumer Disputes Redressal Commission (NCDRC) has dismissed the Indian government’s 2015 complaint against Nestlé India over the safety of its Maggi noodle products. The Indian government had accused Nestlé of engaging in unfair trade practices by adding a ‘No added MSG’ label and claimed that the instant noodle product contained impermissible lead levels. However, NCDRC has noted in its order that the lead content in the tested instant noodle products was within permissible limits and that the Food Regulator itself had permitted brands to carry No Added MSG label if MSG was not deliberately added by manufacturer during the manufacturing process.
Source: bit.ly/3vIR1MJ
US-based telehealth companies penalised for selling personal information
The United States Federal Trade Commission has reportedly taken action against an alcohol addiction telehealth company for sharing health information with third parties, including some major social media companies and search engines. A proposed order to settle the allegations will prevent the company from disclosing sensitive data for advertising purposes, among other penalties.
Source: bit.ly/43ZfoCi
Top 5 Health Laws & Policy Updates
Innovator Pharma Company questions biosimilar trial on ground of non-procurement of comparator drug from authorized sources
A multinational pharmaceutical company has questioned the veracity of a biosimilar drug trial before India’s clinical trial regulator, the Drugs Controller General of India (DCGI), on grounds that the comparator drug, a biologic, was not procured from authorized sources, thereby putting clinical trial subjects at risk and casting a shadow over the appropriateness of the clinical trial.
Source: bit.ly/49tJmjj
Indian IPR regime well-equipped to handle AI generated works and there is no proposal to amend the law in context of AI generated content: Ministry of Commerce & Industry
India’s Minister of Commerce & Industry, while replying to a question in India’s parliament, has clarified that a user of Generative AI should obtain the permission of the owner of the original copyrighted work processed by Generative AI technology before using the AI-generated content for commercial purposes. The Minister further clarified that there is neither any proposal to create any separate right nor to amend the law in the context of AI-generated content.
Source: bit.ly/48cK4R8
Guidelines to distinguish nutraceuticals and drugs which have same or similar composition soon
The Indian Government has reportedly formed a high-level committee to address complaints that products which have identical or similar compositions are being approved as nutraceuticals, drugs or ayurvedic formulations, depending on the regulatory pathway chosen by the manufacturer. Under the current law, nutraceuticals are not permitted to make claims of treatment or cure on the label; however, there are reports of non-compliance with this requirement.
Source: bit.ly/49bvaMb
Preparing a list of unvaccinated employees does not amount to violation of privacy: Madras High Court
India’s Madras High Court has held that preparing a list of employees who have not received COVID-19 vaccinations and subsequently circulating such list amongst employees of the company would not amount to a violation of privacy. The High Court was hearing a criminal complaint filed by an employee of the Company under the Information Technology Act, 2000 on grounds that the Company had breached the said law by sharing his personal information as part of a list of unvaccinated employees.
Source: bit.ly/42yExmP
Couples seeking surrogacy on medical grounds are able to use donor sperm or egg, in spite of law to the contrary, by approaching a High Court
Following the precedent set by the Supreme Court, the Bombay High Court has permitted two couples to use donor eggs for surrogacy owing to medical issues faced by the couples. The development is important because the Surrogacy (Regulation) Rules, 2022 explicitly prohibit the use of donor gametes for surrogacy. In the past, the Karnataka High Court has also granted similar relief to a couple facing medical challenges in conceiving using their own gametes while seeking a surrogate to deliver the baby.
Source: bit.ly/42yczHP
