Study: Less than a third of popular health apps have privacy policies

By Jonah Comstock
06:46 am

Mobile SecurityAccording to a new study from Boston Children's Hospital and the University of Cologne in Germany, less than a third of health apps in the iTunes and Google Play store had any privacy policy at all in place.

"Our findings show that currently mHealth developers often fail to provide app privacy policies," study authors wrote. "The privacy policies that are available do not make information privacy practices transparent to users, require college-level literacy, and are often not focused on the app itself."

Researchers, led by Boston Children's Dr. Kenneth Mandl and Dr. Ali Sunyaev of the University of Cologne, looked at the 300 most popular apps from each store, out of an identified pool of 24,405 health apps total. They found that only 183 of the 600, or about 30 percent, had privacy policies.

Learn on-demand, earn credit, find products and solutions. Get Started >>

On average, the privacy policies that did exist were both very long and very hard to read. The average length was 1,750 words and the longest policy was more than 6,000 words. The average reading level was identified as a 16th grade level -- that is to say, it was understandable only by the average college senior.

The privacy policies were often found outside the app, on the developer's website, and only one third of the privacy policies that did exist -- 62 policies -- actually covered the app in question. Of those, 10 percent failed to disclose the kind of information the app collected and 13 percent didn't give users a way to control how their data was used.

"We had some idea there was non-uniformity, but it was still stunning to see how widespread it was to find either no or inadequate privacy policies,” Mandl said in a statement.

Mandl and Sunyaev believe the problem here is that consumers have an unrealistic expectation that consumer apps will protect their privacy the same way the medical establishment does.

“The developers aren’t really connected to the health care industry," Mandl said in a statement. "They aren’t aware of the industry’s standards, but patients probably have some expectation that the protections found in the health care system will be there when they use a health app.”

The researchers believe that privacy policies need to be re-envisioned as documents that actually provide a useful service to the consumer. They recommend that policies state "where users’ data are stored, whether the developer will use data for anything and what that use would be, whether the developer will make users’ data available to outside parties in an identifiable way or in aggregate form, whether the app transmits users’ data securely, and how users can have their data deleted from the developer’s servers," according to a release from Boston Children's.

"Current privacy policies are not of much use, so users do not perceive them as beneficial,” Sunyaev said in a statement. “To be truly effective, developers should design privacy policies to meet users’ needs and preferences, and create an environment where privacy practices are expected to be transparent to users.”

A similar study from Privacy Rights Clearinghouse last year found apps fairing a little better at that time: they found 74 percent of free apps and 60 percent of paid apps had a privacy policy in the app or on the developer’s website. For the apps that had a privacy policy on the developer’s website, 43 percent of the free apps and 25 percent of the paid apps provided a link in the app to find it. The others required a user to search independently for the policy.

Going forward, Apple's stringent developer requirements for partnering with HealthKit may start to address the situation: They announced last week that “[a]pps using the HealthKit framework must provide a privacy policy or they will be rejected.”


The latest news in digital health delivered daily to your inbox.

Thank you for subscribing!
Error! Something went wrong!