Do the privacy policies of popular smartphone applications (apps) for depression and smoking cessation describe accurately whether data will be processed by commercial third parties?
In this cross-sectional study of 36 top-ranked apps for depression and smoking cessation available in public app stores, 29 transmitted data to services provided by Facebook or Google, but only 12 accurately disclosed this in a privacy policy.
Health care professionals prescribing apps should not rely on disclosures about data sharing in health app privacy policies but should reasonably assume that data will be shared with commercial entities whose own privacy practices have been questioned and, if possible, should consider only apps with data transmission behaviors that have been subject to direct scrutiny.
This cross-sectional study evaluates the data sharing and privacy practices of smartphone applications available in public app stores for depression and smoking cessation.
Inadequate privacy disclosures have repeatedly been identified by cross-sectional surveys of health applications (apps), including apps for mental health and behavior change. However, few studies have assessed directly the correspondence between privacy disclosures and how apps handle personal data. Understanding the scope of this discrepancy is particularly important in mental health, given enhanced privacy concerns relating to stigma and negative impacts of inadvertent disclosure. Because most health apps fall outside government regulation, up-to-date technical scrutiny is essential for informed decision making by consumers and health care professionals wishing to prescribe health apps.
To provide a contemporary assessment of the privacy practices of popular apps for depression and smoking cessation by critically evaluating privacy policy content and, specifically, comparing disclosures regarding third-party data transmission to actual behavior.
Cross-sectional assessment of 36 top-ranked (by app store search result ordering in January 2018) apps for depression and smoking cessation for Android and iOS in the United States and Australia. Privacy policy content was evaluated with prespecified criteria. Technical assessment of encrypted and unencrypted data transmission was performed. Analysis took place between April and June 2018.
Correspondence between policies and transmission behavior observed by intercepting sent data.
Twenty-five of 36 apps (69%) incorporated a privacy policy. Twenty-two of 25 apps with a policy (88%) provided information about primary uses of collected data, while only 16 (64%) described secondary uses. While 23 of 25 apps with a privacy policy (92%) stated in a policy that data would be transmitted to a third party, transmission was detected in 33 of all 36 apps (92%). Twenty-nine of 36 apps (81%) transmitted data for advertising and marketing purposes or analytics to just 2 commercial entities, Google and Facebook, but only 12 of 28 (43%) transmitting data to Google and 6 of 12 (50%) transmitting data to Facebook disclosed this.
Data sharing with third parties that includes linkable identifiers is prevalent and focused on services provided by Google and Facebook. Despite this, most apps offer users no way to anticipate that data will be shared in this way. As a result, users are denied an informed choice about whether such sharing is acceptable to them. Privacy assessments that rely solely on disclosures made in policies, or are not regularly updated, are unlikely to uncover these evolving issues. This may limit their ability to offer effective guidance to consumers and health care professionals.