A new study on privacy policies for mobile health apps finds that less than a third actually have a policy in place – and many of those don't even address information on the app itself.
The study, conducted last August by researchers at the University of Cologne in Germany and recently published in the Journal of the American Medical Informatics Association, paints a disturbing picture of the protection of personal data on apps – or the lack thereof.
"Our findings show that currently mHealth developers often fail to provide app privacy policies," the researchers wrote. "The privacy policies that are available do not make information privacy practices transparent to users, require college-level literacy, and are often not focused on the app itself. Further research is warranted to address why privacy policies are often absent, opaque, or irrelevant, and to find a remedy."
According to the study, of the 600 most commonly used mHealth apps available on iOS and Android (more than 35,000 are currently available), only 183 – or 30.5 percent – have privacy policies. And 66.1 percent of those do not specifically address the app itself, focusing instead on the developer's homepage or services they offer.
"In the domain of health information where many consumers are concerned about what happens to their private, sensitive data, our key finding is startling: apps are being highly rated and successfully sold although privacy policies are either absent, opaque, or irrelevant," the researchers wrote. Among the possible explanations, they said consumers may be too confident in the law to protect them, they may be choosing short-term benefits over long-term exposure to data theft, or they may be "blissfully ignorant" as to how their personal health information may be at risk in using these apps.
The study explains that those policies in place are often "detached, legalistic documents that seem to be potentially fungible or borrowed from someone else because they are mostly incomprehensible, out-of-scope and lacking transparency. There are no general international standards for the information a privacy policy should offer, for uses and disclosures it should permit, whether with consent or without it, or for the rights consent can waive."
The study also points to the California Online Privacy Protection Act of 2003, which mandates provision of privacy policies for online services accessed by state residents, and it notes that the Federal Trade Commission does encourage app developers to show privacy policies as well as just-in-time disclosures requesting consent for any information collected. But those examples are few and far between, and not strong enough for the industry as a whole.
"For information that does need to be collected and stored for future reference by the app, complete transparency about subsequent disclosures or sales in a standardized format, at the sixth grade reading level, should be expected," the researchers said. "Because an overwhelming amount of text is unlikely to be read by users, a bulleted, graphical or tabular executive summary should be provided."