Recent International Study Reports Delinquencies in App Privacy Disclosures

In a recently reported study released by the Global Privacy Enforcement Network (“GPEN”), the GPEN found that a testing sample of 1,211 mobile apps accessed during May of this year failed to provide users with adequate privacy protections under current regulatory provisions in the United States and in other countries. The GPEN is a coalition of privacy officials from 19 countries, including the United States Federal Trade Commission (“FTC”). The GPEN report concluded that 60% of mobile apps accessed raised significant privacy concerns based on the following criteria:

  • The apps failed to disclose how the apps used personally identifying information (“PII”);
  • The apps required users to provide more PII than necessary as a condition to downloading the apps; and
  • The privacy policies associated with the apps were provided in a font too small to be read on the screens of mobile devices.

Of the apps examined, the GPEN found that 30% failed to provide sufficient information on how PII would be used by the app providers.  In fact, the GPEN report found that many of the apps tested provided no privacy information at all.

Additionally, another 31% of the apps the GPEN examined requested access to PII, including contacts, device ID location, calendar and call logs, in the absence of any indicated reason for why such information would be necessary to use the apps for their advertised purposes.  The GPEN report also showed that 43% of the apps failed to make the apps’ privacy policies readable on mobile devices’ smaller screens as compared to on computers.

The most common type of PII requested by the apps examined by the GPEN was users’ geographical locations. Specifically, the report indicated that 32% of the reviewed apps requested geolocation information as a prerequisite to downloading the mobile apps.

The names or providers of the apps the GPEN examined were not identified in its report.  Also, the GPEN report did not indicate how it selected the apps that it studied.

The GPEN’s report is significant because it demonstrates the common and growing disparity between legal requirements for privacy disclosures in the United States and elsewhere and how privacy policies for mobile apps should be disclosed. Moreover, the findings in the GPEN’s report likely foreshadow further regulatory enforcement here in the United States by the FTC, as well as action by regulatory bodies outside of the United States.