"Our findings show that currently mHealth developers often fail to provide app privacy policies," study authors wrote. "The privacy policies that are available do not make information privacy practices transparent to users, require college-level literacy, and are often not focused on the app itself."
Researchers, led by Boston Children's Dr. Kenneth Mandl and Dr. Ali Sunyaev of the University of Cologne, looked at the 300 most popular apps from each store, out of an identified pool of 24,405 health apps total. They found that only 183 of the 600, or about 30 percent, had privacy policies.
On average, the privacy policies that did exist were both very long and very hard to read. The average length was 1,750 words and the longest policy was more than 6,000 words. The average reading level was identified as a 16th grade level -- that is to say, it was understandable only by the average college senior.
The privacy policies were often found outside the app, on the developer's website, and only one third of the privacy policies that did exist -- 62 policies -- actually covered the app in question. Of those, 10 percent failed to disclose the kind of information the app collected and 13 percent didn't give users a way to control how their data was used.
"We had some idea there was non-uniformity, but it was still stunning to see how widespread it was to find either no or inadequate privacy policies,” Mandl said in a statement.
Mandl and Sunyaev believe the problem here is that consumers have an unrealistic expectation that consumer apps will protect their privacy the same way the medical establishment does.
“The developers aren’t really connected to the health care industry," Mandl said in a statement. "They aren’t aware of the industry’s standards, but patients probably have some expectation that the protections found in the health care system will be there when they use a health app.”
The researchers believe that privacy policies need to be re-envisioned as documents that actually provide a useful service to the consumer. They recommend that policies state "where users’ data are stored, whether the developer will use data for anything and what that use would be, whether the developer will make users’ data available to outside parties in an identifiable way or in aggregate form, whether the app transmits users’ data securely, and how users can have their data deleted from the developer’s servers," according to a release from Boston Children's.
"Current privacy policies are not of much use, so users do not perceive them as beneficial,” Sunyaev said in a statement. “To be truly effective, developers should design privacy policies to meet users’ needs and preferences, and create an environment where privacy practices are expected to be transparent to users.”