Healthcare professionals who are in a position to recommend the use of fitness apps need to be aware that patients’ personal data can be used in ways that HIPAA would prohibit and that will surprise patients who are trying to be smart about fitness in a smartphone world.
The Customer is Not the User
The consumer is the user, not the customer of the app company. The customer is the advertiser. The user provides data that the app sells to advertisers to generate revenue. This business model goes a long way to understanding the limitations on privacy protection, especially with free apps.
What Fitness Data is Collected and Therefore at Risk?
Fitness data includes a wide range of data, including: (1) archetypal personal data provided by the user, such as name and address; (2) fitness and health-related data provided by the user, such as height, weight, and fitness activities; (3) information collected by the app during use; (4) information shared through the app’s social media component; (4) information measured by sensors on the mobile device, such as heart rate; (5) information provided by the mobile device itself, such as geolocations; (6) aggregated data from the above; (7) behavior tracking data prepared by third party analytics firms; and (8) user data collected by advertisers during use. “Behavior tracking” is a set of online techniques used to collect and interpret the fitness app user activity as they use apps, visit websites, and engage in other Internet activity. Advertising and marketing agencies use behavior tracking to tailor advertisements for specific users.
Privacy Polices Available at App Store vs. Only Within the App
Long vs. Short Privacy Policies
Perhaps counterintuitively, longer privacy policies are most often less protective of privacy than are shorter ones. Long policies generally protect the app developer more than the user. The length is driven by the need to explain all the ways in which the user’s information will be used and give and get notice and consent to third party use.
Free vs. Paid Apps
Free apps rely more on advertising for revenue than do paid apps. Paid apps receive revenue from direct payments from users, and thus have less need for ad revenue. The more detailed the information about their users that free apps provide, the more attractive the apps’ fitness data is to advertisers. Accordingly, in almost all cases, free apps collect more personal information than do paid apps because the business model of the free apps requires collecting information and selling it.
Research conducted for the Privacy Rights Clearinghouse and reported in the “Technical Analysis of Data Practices and Privacy Risks of 43 Popular Mobile Health and Fitness Applications” (the “Technical Analysis”) found that compared with the 45 percent of paid fitness apps, 75 percent of the free apps use behavior tracking, often by multiple analytics services. It also found that most free apps and half of the paid apps sent user data to as many as five different third party analytics sites, often within minutes after the user begins using the app.
HTTP vs. HTTPS