Mobile apps are more likely to offer privacy policies now than just four years ago, according to a new study by the think tank Future of Privacy Forum.
Seventy-six percent of the most
popular apps for Apple and Android devices now have privacy policies, up from 68% four years ago, according
to the think tank. Nearly nine in 10 free apps (86%) have privacy policies, compared to just 66% of paid apps. Prior studies by the Future of Privacy Forum also found that free apps were more
likely to have privacy policies than paid apps.
Ironically, popular health and fitness apps -- which potentially gather particularly sensitive information -- are less likely to offer privacy
policies than other types of apps, the think tank reports. Consider sleep aid apps, such as apps that enable users to keep "sleep diaries," or that offer white noise. Just 66% of those apps offered
privacy policies.
"Given that some health and fitness apps can access sensitive, physiological data collected by sensors on a mobile phone, wearable, or other device, their below average
performance is both unexpected and troubling," the report states.
The authors add that people's sleep habits can reveal information like their work schedules, or whether they are traveling.
The Future of Privacy Forum adds that some apps might ask users for "unusual permissions," including access to their contacts or photos.
Since 2012, Google, Apple and other major operators of
app marketplaces have said they require developers to post privacy policies if their apps collect personal data from users.
The state of California has a privacy law, the Online Privacy
Protection Act, that requires all Web site operators to post privacy policies. State Attorney General Kamala Harris argues that this requirement applies to mobile app developers.
Harris has
pushed many app developers to add privacy policies to their apps, but she lost a lawsuit accusing Delta Air Lines of violating California's privacy law. She argued that Delta should have posted a
privacy policy that details everything collected by its Fly Delta app. A California trial judge and appellate court ruled against Harris on the grounds that a federal law governing airlines trumped
California's Online Privacy Protection Act.
It is worth noting that the mere existence of a privacy policy doesn't in itself guarantee much. For one thing, even when companies have privacy
policies, they're often so poorly written, and filled with such incomprehensible jargon, that they don't actually communicate anything to users. What's more, even when companies disclose their data
collection practices, they often do so on a take-it-or-leave-it basis.
Still, despite their limits, privacy policies can give regulators some ammunition against companies that engage in
questionable practices. That's because companies that violate their own privacy promises arguably engage in deceptive business practices. Consider, in recent years the Federal Trade Commission has
brought cases against numerous online companies -- including Google, Facebook, Twitter and Snapchat -- for failing to follow their own privacy policies
The FTC is slated to take up
questions about privacy policies at a workshop next month.