Navigating regulatory ambiguity in femtech

The regulation of medical devices is a complex topic with a myriad of rules laid out by the Medicines and Healthcare products Regulatory Agency (MHRA). But, with the rapid development of medical technology and the growth of people managing their health outside the bounds of the NHS, regulation is struggling to keep up.

There is growing ambiguity about where some products lie in the regulatory framework, especially when it comes to femtech products. So with technology outpacing regulation, what are the drawbacks and potential hurdles for femtech businesses?

Regulating fertility

The MHRA holds responsibility for regulating the UK medical device market, providing the precious UK Conformity Assessed (UKCA) seal of approval. And unless you’ve got either a UKCA or CE accreditation – the European equivalent – you’re not allowed to market medical devices on these shores.

The MHRA classifies fertility-related contraceptive devices – such as digital contraceptives – as a medium risk, or Class B, meaning the software or product could “cause minor harm such as injuries”. Critics, however, argue this should be considered as a higher risk – or Class C – after the Natural Cycles controversy.

In 2018, Swedish startup Natural Cycles – an app-based product billed as a “natural contraceptive” – came under scrutiny from the European regulators after 37 unwanted pregnancies were recorded by women using the app in Sweden. It was the first fertility-awareness app to be CE-marked as a medical device. A months-long investigation by Sweden’s Medical Products Agency (MPA) received “approximately 50 complaints” from users of Natural Cycles’ devices related to unwanted pregnancies.

The same year, the company also faced scrutiny by the UK’s Advertising Standards Agency, after a 2017 Facebook advert claiming that the product was “highly accurate” was misleading. Since then, Natural Cycles has included a disclaimer on its app that it should only be used in conjunction with other contraceptives.

When privacy isn’t private

The stigmatisation of female bodies is a tale as old as time, and whilst the femtech revolution purports to bring the power back into the hands of women, concerns remain around this segment of the medtech market.

Medicine is a highly regulated and emotive topic, and so individuals having complete control of their biological processes should feel like a win. But because of lagging regulation, we’re in a space that leaves users at risk of relying on as-yet unproven technologies.

Dr. Catriona McMillan, Lecturer in Medical Law and Ethics at the University of Edinburgh School of Law, has written a number of papers on insufficient regulatory attention within the femtech space, and has argued that “the regulatory sphere in which femtech operates fundamentally fails to ensure that the health and safety of femtech users are protected as this market continues to expand”.

Femtechs, especially tracking apps, rely heavily on the user input data. Everything from innocuous data like name and age, to more private data such as occasions of intimacy and bodily functions. This data may lead to important findings about women’s health, but it also leaves companies and users at a higher risk of data breaches.

In recent months, femtech products have come under further scrutiny around their privacy policies, and there have been reports that user data is sold to third parties. A recent article in the British Medical Journal stated that “the sale of this data, so far, has been anonymised information. However, although the data is said to be anonymised, ‘an entire sub-industry exists that links these identifiers to peoples’ real names and physical addresses’.”

Across the Atlantic, in the wake of the overturning of Roe v. Wade, period and ovulation tracker Flo Health has created an anonymous mode for users to input their data without their name being attached. This comes after concerns that courts in the US, and other countries that restrict abortion rights, could have the ability to retrieve personal data from fertility or tracking apps if they needed to use it in a case relating to the termination of a pregnancy.

In a bid to fight this, Flo Health has pledged to open source their intellectual property so other companies can use similar methods for the anonymity of women globally.

Tech versus regulation

Technology has been outpacing regulation within the femtech space for years. The pandemic changed the way people manage their health outside of their relationships with their GPs, and with lowering hardware costs and the meteoric rise of AI, femtech has blossomed.

But behind the facade of pastel apps and palatable interfaces lies a complex tangle of ambiguity. This may feel overwhelming, but there are some things that founders can control.

Firstly, personal health data. Femtech companies should ensure compliance to General Data Protection Regulation (GDPR) and/or Health Insurance Portability and Accountability Act (HIPAA) equivalent regulations. Upholding stringent cyber hygiene such as encryption and anonymisation of any personal data can keep users safe.

Secondly, intellectual property (IP). IP is extremely valuable, to individual companies and to cyber criminals. If determined hackers get hold of important code, blueprints for devices or clinical trial information it could be hugely detrimental for any company, especially if they get leaked or stolen. We would always suggest our clients to go above and beyond GDPR and complement their watertight cyber controls with strong cyber insurance cover.

To learn more about protecting your femtech business, read our blog on that very topic.