FTC Concerned with Health Data Sharing Apps

Register now

Some of the most popular mobile health and fitness apps are sharing consumer data with third-party companies and putting potentially sensitive information at risk, according to the Federal Trade Commission. The FTC tested 12 apps and found that this kind of information was sent to 76 third-party companies.

"Consumers reveal significant amounts of information about themselves when they use health and fitness apps. This includes everything from basic information about the devices and smartphones they are using to the precise metrics and characteristics of their bodies," said Jared Ho, an attorney in the FTC's Mobile Technology Unit, during a May 7 FTC seminar on the privacy ramifications of consumer generated and controlled health data. 

"Health and fitness apps collect and transmit to third parties sensitive information about our bodies and our habits," said Ho, who revealed that consumer data gathered from mobile apps and wearable devices shared with third-party companies might include a person's eating habits, sleeping patterns, disease symptom searches, as well as walking/running stride and cadence and walking/running routes. "There are significant privacy implications where health routines, dietary habits and symptom searches are capable of being aggregated using identifiers unique to a particular person or their device," he argued.

FTC testing of 12 health and fitness apps found that information was transmitted to their developer websites and to 76 third-party companies. In the case of one particular app, Ho said it sent information to 18 different third parties who received information that fell into five categories: device information, device-specific identifiers, third-party specific identifiers, consumer-specific identifiers, and consumer information (dietary and workout habits). He said in one case a third-party advertising services company received information from apps that included key words such as ovulation, fertilization, pregnancy, and baby.

Eighteen of the 76 third parties collected "persistent device identifiers" and 14 of them also collected consumer-specific identifiers including usernames and email addresses. "It wasn't uncommon for a third party or an app to identify a user by their first name, a last name initial and then a string of identifiers," said Ho. Twenty-two of the third-party companies received additional data about consumers such as exercise/diet information, medical symptoms search information, zip code, gender, and geolocation. 

In September 2013, web analytics and privacy group Evidon similarly reported that the top 20 most popular health and fitness apps, including WebMD Health, were actively sharing user data with as many as 70 third-party companies. The companies, typically advertising and analytics firms, often use the information gathered from consumers who are tracking diseases and diets to build profiles or display personalized ads. 

In July 2013, the Privacy Rights Clearinghouse examined mobile health and fitness apps based on a technical risk assessment to determine what data the apps collected, stored, and transmitted. The not-for-profit group studied 43 popular apps (both free and paid) from a consumer and technical perspective and found "considerable privacy risks for users" because a large percentage of apps did not have privacy policies and about a third of the apps transmitted the information to an undisclosed party.

The Privacy Rights Clearinghouse study concluded that apps which presented the lowest privacy risk to users were paid apps because they don't rely solely on advertising to make money. Of the free mobile apps the consumer group reviewed, less than half (43 percent) provided a link to a website privacy policy and of the sites that did in fact post a privacy policy only about half were accurate in describing the app's technical processes. 

For reprint and licensing requests for this article, click here.