
Table 4 Coverage of privacy and security-related topics in privacy policies

From: Unaddressed privacy risks in accredited health and wellness apps: a cross-sectional systematic assessment

Apps with a privacy policy

| Domain | Topic | All apps, n = 53 (%) | Apps collecting data: Any data, n = 50 (%) | Apps collecting data: Personal or sensitive data^a, n = 43 (%) | Apps transmitting data: Any data, n = 49 (%) | Apps transmitting data: Personal or sensitive data^a, n = 31 (%) |
|---|---|---|---|---|---|---|
| Uses of data | Primary uses of collected data | 46 (87 %) | 43 (86 %) | 36 (84 %) | 43 (88 %) | 28 (90 %) |
| | Secondary uses of collected data | 31 (58 %) | 29 (58 %) | 25 (58 %) | 30 (61 %) | 20 (65 %) |
| | Sending data to developer-provided online services | 21 (40 %) | 21 (42 %) | 18 (42 %) | 21 (43 %) | 17 (55 %) |
| | Sending data to advertisers/marketers | 6 (11 %) | 6 (12 %) | 6 (14 %) | 6 (12 %) | 6 (19 %) |
| | Sending data for analytics/research | 19 (36 %) | 18 (36 %) | 14 (33 %) | 19 (39 %) | 16 (52 %) |
| | Sending data while loading content | 5 (9 %) | 5 (10 %) | 4 (9 %) | 5 (10 %) | 3 (10 %) |
| | Anonymous uses only | 8 (15 %) | 7 (14 %) | 7 (16 %) | 8 (16 %) | 4 (13 %) |
| Technical concerns | Technical and procedural security arrangements | 28 (53 %) | 26 (52 %) | 22 (51 %) | 27 (55 %) | 15 (48 %) |
| | How long data will be retained | 9 (17 %) | 9 (18 %) | 7 (16 %) | 9 (18 %) | 6 (19 %) |
| | Inherent risks or limitations of security on mobile device/internet | 19 (36 %) | 18 (36 %) | 14 (33 %) | 19 (39 %) | 11 (35 %) |
| | The use of cookies | 42 (79 %) | 39 (78 %) | 33 (77 %) | 38 (78 %) | 25 (81 %) |
| User rights | Procedures for opting out of data sharing^b,c | 30 (61 %) | 28 (56 %) | 25 (58 %) | 30 (61 %) | 19 (61 %) |
| | Consequences of not providing or sharing data^a | 15 (31 %) | 15 (30 %) | 13 (30 %) | 15 (31 %) | 8 (26 %) |
| | Procedures for subject access requests^b,c | 14 (29 %) | 14 (28 %) | 10 (23 %) | 14 (29 %) | 9 (29 %) |
| | Procedures for editing data held by developers/third parties^b,c | 29 (59 %) | 27 (54 %) | 23 (53 %) | 29 (59 %) | 17 (55 %) |
| | Procedures for deleting data held by developers/third parties^b,c | 15 (31 %) | 14 (28 %) | 14 (33 %) | 15 (31 %) | 10 (32 %) |
| | Complaints procedures^c | 28 (53 %) | 27 (54 %) | 24 (56 %) | 28 (57 %) | 17 (55 %) |
| | Special procedures for handling data for vulnerable users | 9 (17 %) | 9 (18 %) | 8 (19 %) | 9 (18 %) | 6 (19 %) |
| Administrative details | Identify data controller or responsible legal entity | 16 (30 %) | 16 (32 %) | 14 (33 %) | 16 (33 %) | 10 (32 %) |
| | Legal jurisdiction governing policy | 27 (51 %) | 26 (52 %) | 23 (53 %) | 26 (53 %) | 17 (55 %) |
| | Jurisdictions under which data will be processed^a | 13 (27 %) | 13 (26 %) | 11 (26 %) | 13 (27 %) | 8 (26 %) |
| | Date of policy | 8 (15 %) | 7 (14 %) | 5 (12 %) | 8 (16 %) | 3 (10 %) |
| | Date of next review | 0 (0 %) | 0 (0 %) | 0 (0 %) | 0 (0 %) | 0 (0 %) |
| | Procedures for changing the terms of the policy | 17 (32 %) | 17 (34 %) | 14 (33 %) | 17 (35 %) | 11 (35 %) |

^a Incorporates strong personal identifiers, health-related information and other sensitive information.
^b Because these topics are only relevant for apps that transmit data, the denominator for calculated percentages is the number of apps with a privacy policy that also transmit data.
^c For these domains, policies were additionally examined to distinguish between rights afforded to individuals and those denied. However, in no case did a policy text mention a user right only to deny it.