Commentary

Apps More Likely To Come With Privacy Policies

Mobile apps are more likely to offer privacy policies now than just four years ago, according to a new study by the think tank Future of Privacy Forum.

Seventy-six percent of the most popular apps for Apple and Android devices now have privacy policies, up from 68% four years ago, according to the think tank. Nearly nine in 10 free apps (86%) have privacy policies, compared to just 66% of paid apps. Prior studies by the Future of Privacy Forum also found that free apps were more likely to have privacy policies than paid apps.

Ironically, popular health and fitness apps -- which potentially gather particularly sensitive information -- are less likely to offer privacy policies than other types of apps, the think tank reports. Consider sleep aid apps, such as apps that enable users to keep "sleep diaries," or that offer white noise. Just 66% of those apps offered privacy policies.

"Given that some health and fitness apps can access sensitive, physiological data collected by sensors on a mobile phone, wearable, or other device, their below average performance is both unexpected and troubling," the report states.

The authors add that people's sleep habits can reveal information like their work schedules, or whether they are traveling. The Future of Privacy Forum adds that some apps might ask users for "unusual permissions," including access to their contacts or photos.

Since 2012, Google, Apple and other major operators of app marketplaces have said they require developers to post privacy policies if their apps collect personal data from users.

The state of California has a privacy law, the Online Privacy Protection Act, that requires all Web site operators to post privacy policies. State Attorney General Kamala Harris argues that this requirement applies to mobile app developers.

Harris has pushed many app developers to add privacy policies to their apps, but she lost a lawsuit accusing Delta Air Lines of violating California's privacy law. She argued that Delta should have posted a privacy policy that details everything collected by its Fly Delta app. A California trial judge and appellate court ruled against Harris on the grounds that a federal law governing airlines trumped California's Online Privacy Protection Act.

It is worth noting that the mere existence of a privacy policy doesn't in itself guarantee much. For one thing, even when companies have privacy policies, they're often so poorly written, and filled with such incomprehensible jargon, that they don't actually communicate anything to users. What's more, even when companies disclose their data collection practices, they often do so on a take-it-or-leave-it basis.

Still, despite their limits, privacy policies can give regulators some ammunition against companies that engage in questionable practices. That's because companies that violate their own privacy promises arguably engage in deceptive business practices. In recent years, for example, the Federal Trade Commission has brought cases against numerous online companies -- including Google, Facebook, Twitter and Snapchat -- for failing to follow their own privacy policies.

The FTC is slated to take up questions about privacy policies at a workshop next month.

1 comment about "Apps More Likely To Come With Privacy Policies".
  1. Roy Smith from PrivacyCheq, August 23, 2016 at 3:54 p.m.

    The California law you refer to is known as CalOPPA to differentiate it from the federal child privacy protection law, called COPPA. CalOPPA does require all app publishers with users in the state (which includes the vast majority of app publishers) to provide users with an understandable explanation of the privacy impacts of their use of the app. Unfortunately the CalOPPA law has never actually been successfully enforced beyond the mailing of 'warnings' in 2012. In fact, after three years of legal wrangling, the first enforcement action against Delta Airlines was dismissed by the CA court of appeals.

    The new EU privacy rule known as "GDPR" specifically requires companies to provide 'clear and understandable privacy notice' and users must give their affirmative consent before private data can be captured. "Default" opt-ins and obfuscatory terms that are buried in legalese are no longer allowed. The recently approved "Privacy Shield" agreement between the US and EU requires US companies that wish to benefit from an open market to the EU to certify their compliance with GDPR.
