In recent years, big tech companies have been forced to begin taking user privacy more seriously.
Apple began blocking third-party tracking cookies on its Safari web browser in 2021, preventing users from being tracked across different websites, and Google has announced it will soon do the same in Chrome.
Facebook has had to stop showing personalised ads to minors in Europe, after the introduction of the EU’s Digital Services Act in August.
However, certain mobile apps still collect a significant amount of user data. Although users can now restrict personal data collection on iOS and Android devices, many people are not fully aware of the types of information being collected by the apps they install.
App privacy study
We wanted to find out which data the most popular apps in the UK are collecting about their users by default.
To do this, we analysed the personal information collected by the UK’s 50 most popular free apps on the Google Play store. We also assessed whether the app developer shares any of this information with third parties, and whether they have a way for users to request that their data be deleted.
This data was collected from developer-supplied information made available on the Google Play store. Google states that app developers who provide incorrect information will be required to update it, or they may be removed from the app store. However, Google does not independently verify the information supplied.
Types of data collected
Each category of personal information defined by the Google Play Store is relatively broad, and contains multiple different types of data. For example, if an app developer states that their software collects personal information, this could just be your email address, or it could include your name and date of birth as well.
Here are the types of data collected, what they each mean, and how they can pose a privacy risk.
|Data category||Description||Typical use case||Potential privacy issue (example)|
|Personal information||Name, address, phone number, and other personal details.||Your name is displayed on a videoconferencing app.||A video streaming app shares your email address with third parties to create a comprehensive profile of your interests, which they use to display targeted ads.|
|Financial information||Information such as your credit card number, purchase history, and credit score.||A video streaming app accesses your purchase history to determine whether or not you are subscribed, and whether you can access premium content.||A free game uses your app purchase history to display targeted ads.|
|Photos and videos||Photos and videos stored on your phone.||A social media app accesses your photos when you go to upload an image to the platform.||An untrustworthy app downloads and stores your photos, they are later leaked in a data breach.|
|Audio||Audio files and audio recorded by your phone.||A messaging app uses your phone's microphone to help you record an audio message.||An untrustworthy app collects an audio file, it is later leaked in a data breach.|
|Messages||Emails, SMS, and in-app messages.||An email app allows you to import messages from another email app you've previously used.||An email app uses the content of your emails to display targeted ads.|
|Contacts||Your phone contacts.||A social media app uses your contacts to help you find friends on the platform.||A social media app uses your contacts to narrow down your interests based on who is on your contact list, to display targeted ads.|
|Files and documents||FIles and documents stored on your phone, such as downloaded PDFs.||A government app uses a photocopy of your passport to verify your identity.||An untrustworthy app downloads a private PDF file and stores it on a third-party server.|
|Calendar||Your calendar information, such as meetings booked.||A videoconferencing app accesses your calendar to alert you of an upcoming meeting.||A web browser app accesses your calendar to pinpoint your location and display targeted ads.|
|Health/fitness information||Medical records and symptoms, and fitness information (such as collected by a smart watch).||A government app uses your medical records to help you book doctors' appointments.||A social media app collects health/fitness information to display targeted ads.|
|App activity||Installed apps, app activity, user information provided in-app, in-app search history, and other in-app actions.||An app suggests that the user download another app made by the same company, if the app is not already installed.||An online shopping app uses in-app search history to display targeted ads on websites you visit.|
|Web browsing activity||Websites you have visited in the past.||A web browser app displays URLs you have visited in the past.||A social media app uses your browsing history to display targeted ads.|
|Location||Your phone's physical location, either exact or approximate, as provided by your phone's GPS.||A rideshare app shows your location to your driver.||A social media app uses your city or even your exact location (such as a shopping centre) to display more targeted ads.|
|App info & performance data||Crash logs, diagnostics, and other app performance data.||A video streaming app analyses battery usage on different devices in order to improve performance.||N/A - this data is generally used for bug fixing and performance improvement.|
|Device or other IDs||Information that identifies your specific device, such as its MAC address.||A web browsing app identifies other devices you have the app installed on, in order to sync your browsing history across multiple devices.||A social media app builds a profile of your activity on your phone, computer, and other devices, in order to display targeted ads.|
Google Play also asks app developers whether each type of data collected is shared with third parties or not. Also, developers must specify whether they have a facility that allows users to request that their data be deleted.
The type of data collected isn’t necessarily the biggest issue – it’s what the data will be used for.
For example, ridesharing and delivery apps have a good reason to view your current location – to help your driver find you. On the other hand, while social media apps may use GPS data to help you tag the location of your posts more easily, they may also use it to display geo-targeted ads.
If you use your phone while in a shopping centre for instance, you could theoretically receive ads from stores in that shopping centre the app thinks you would be likely to buy from.
It would be good to see Google Play require app developers to provide more detail into how different types of data are used, and what exactly is being collected. For example, when a social media app states that it collects web browsing history, it is unclear whether this relates to user activity in the app’s inbuilt web browser, or whether the social media app has the ability to gather data from other web browsers as well.
How to protect your privacy
If you’re not comfortable sharing your private data with app developers, here are some ways you can protect your privacy.
1. Uninstall any apps you don’t use
Go through your installed apps, and remove any that you don’t use on a regular basis, especially social media or shopping apps, or any free apps from small, untrustworthy developers.
Remember, apps can continue to track you even when you’re not using them. In general, the fewer apps you have installed, the safer your private data is.
2. Review app permissions
On most modern smartphones, you can check which types of private data each installed app is accessing, and revoke permissions if desired.
To do this:
- On iOS, go to Settings > Privacy & Security.
- On Android, go to Settings > Privacy > Permission Manager.
Here, you will be able to see a list of different types of personal information, and which apps have access to this data. This will allow you to restrict data sharing so that each app only has the information it needs to function. For example, you might like to make it so that only navigation and ridesharing apps have access to your location.
3. Turn off location services
If you are wary of apps tracking your location history, you can also turn off location services entirely, and then turn it on again as needed, such as when travelling.
To disable location services:
- On iOS, go to Settings > Privacy & Security > Location Services.
- On Android, go to Settings > Privacy > Location, or swipe down from the top of the screen to open the system tray, and then tap the “Location” icon.
4. Take advantage of your right to be forgotten
Under GDPR legislation in the EU and UK, you have the right to request that companies erase your private information. This is known as the right to be forgotten.
Although the right to be forgotten is not enshrined in legislation in other countries like the US, many tech companies now allow people from anywhere in the world to request that their personal data be erased.
This can be helpful in cases where you have been using an app for an extended period, without being fully aware of the amount of data it is collecting, and you’re not comfortable with someone else storing this information.
To take advantage of the right to be forgotten, you will have to contact the developer of the app you have been using and ask that your personal data be deleted.
5. Carefully review data access rights when installing new apps
When installing a new app on the App Store or Google Play Store, you will be able to see which types of personal data it can access.
Ensure to carefully review what data an app can access, before installing it.
On modern smartphones, it’s possible to revoke access to certain types of data on a per-app basis. Therefore, if there is an app you particularly want to install, but it accesses a significant amount of personal data, you might be able to revoke its access permissions once installed in your privacy settings to get around this problem.