• by Wendy Davis , Staff Writer @wendyndavis, August 22, 2016

Mobile apps are more likely to offer privacy policies now than just four years ago, according to a new study by the think tank Future of Privacy Forum.

Seventy-six percent of the most popular apps for Apple and Android devices now have privacy policies, up from 68% four years ago, according to the think tank. Nearly nine in 10 free apps (86%) have privacy policies, compared to just 66% of paid apps. Prior studies by the Future of Privacy Forum also found that free apps were more likely to have privacy policies than paid apps.

Ironically, popular health and fitness apps -- which potentially gather particularly sensitive information -- are less likely to offer privacy policies than other types of apps, the think tank reports. Consider sleep aid apps, such as apps that enable users to keep "sleep diaries," or that offer white noise. Just 66% of those apps offered privacy policies.

"Given that some health and fitness apps can access sensitive, physiological data collected by sensors on a mobile phone, wearable, or other device, their below average performance is both unexpected and troubling," the report states.

The authors add that people's sleep habits can reveal information like their work schedules, or whether they are traveling. The Future of Privacy Forum adds that some apps might ask users for "unusual permissions," including access to their contacts or photos.

Since 2012, Google, Apple and other major operators of app marketplaces have said they require developers to post privacy policies if their apps collect personal data from users.

The state of California has a privacy law, the Online Privacy Protection Act, that requires all Web site operators to post privacy policies. State Attorney General Kamala Harris argues that this requirement applies to mobile app developers.

Harris has pushed many app developers to add privacy policies to their apps, but she lost a lawsuit accusing Delta Air Lines of violating California's privacy law. She argued that Delta should have posted a privacy policy that details everything collected by its Fly Delta app. A California trial judge and appellate court ruled against Harris on the grounds that a federal law governing airlines trumped California's Online Privacy Protection Act.

It is worth noting that the mere existence of a privacy policy doesn't in itself guarantee much. For one thing, even when companies have privacy policies, they're often so poorly written, and filled with such incomprehensible jargon, that they don't actually communicate anything to users. What's more, even when companies disclose their data collection practices, they often do so on a take-it-or-leave-it basis.

Still, despite their limits, privacy policies can give regulators some ammunition against companies that engage in questionable practices. That's because companies that violate their own privacy promises arguably engage in deceptive business practices. Consider, in recent years the Federal Trade Commission has brought cases against numerous online companies -- including Google, Facebook, Twitter and Snapchat -- for failing to follow their own privacy policies

The FTC is slated to take up questions about privacy policies at a workshop next month.