The privacy of our medical and hospital records is protected by federal law, so it would be easy to make the mistake of assuming that all our personal health information is kept confidential, including information collected by health apps. In fact, studies have shown that health apps commonly share users’ health data with third parties, often without complete disclosure of that fact to users.
In a study published last year in the Journal of the American Medical Association, researchers analyzed 36 of the highest-ranked Apple and Android apps for depression and tobacco cessation and found that 25 of them had privacy policies, 23 of which disclosed that information would be shared with third parties. However, with the use of specialized software, the researchers were able to detect transmissions of data to third parties from 33 of the apps, or 92%.
Twenty-nine of the apps transmitted data to Google and/or Facebook, but only 12 of those apps accurately described this in their privacy policies, the study found.
A similar study published last year in The BMJ analyzed 24 of the highest-rated medicine-related Android apps and found that 19 of them, or 79%, shared user data with third parties. Thirty-seven of those apps also provided services related to the collection and analysis of user data, such as advertising or analytics. Some of the information was clearly sensitive, personal, or identifying, such as a user’s email address, date of birth, location, or drug list. Other information was not identifying in itself but could be aggregated with other data across multiple sources to identify a user, the researchers said.
The Wall Street Journal last year analyzed 70 of the most popular Apple apps that handle sensitive user information and found that of the 15 most popular health and fitness apps, at least six sent potentially sensitive user information to Facebook immediately after collecting it.
Why are these practices concerning? The authors of the BMJ study said the sharing of app users’ data “ultimately has real-world consequences in the form of highly targeted advertising or algorithmic decisions about insurance premiums, employability, financial services, or suitability for housing. These decisions may be discriminatory or made on the basis of incomplete or inaccurate data, with little recourse for consumers.”
The issue has seized the attention of policymakers. In 2016, the European Union adopted the General Data Protection Regulation (GDPR), which set privacy protection standards for all businesses, including apps, that handle the personal data of EU citizens and established individuals’ rights regarding their data. The regulation became enforceable in May 2018.
In the United States, several states have taken up the issue, most notably California. The California Consumer Privacy Act of 2018, which took effect in January, allows a consumer to opt out of the sale of his or her personal data to third parties.
Federal lawmakers are considering action as well, with some support from tech companies that would prefer a single set of rules to a patchwork quilt of state laws. Advocates of data protection have argued that federal legislation should go farther than the GDPR and the California law by shifting the onus away from individual consumers ― who, under those laws, have to read companies’ privacy policies to know what their data rights are ― to the companies that are profiting from the sale of consumers’ personal data.