
Table 4 Coverage of privacy and security-related topics in privacy policies

From: Unaddressed privacy risks in accredited health and wellness apps: a cross-sectional systematic assessment

All columns: apps with a privacy policy

| Domain | Topic | All apps, n = 53 (%) | Apps collecting data: any data, n = 50 (%) | Apps collecting data: personal or sensitive data^a, n = 43 (%) | Apps transmitting data: any data, n = 49 (%) | Apps transmitting data: personal or sensitive data^a, n = 31 (%) |
|---|---|---|---|---|---|---|
| Uses of data | Primary uses of collected data | 46 (87 %) | 43 (86 %) | 36 (84 %) | 43 (88 %) | 28 (90 %) |
| | Secondary uses of collected data | 31 (58 %) | 29 (58 %) | 25 (58 %) | 30 (61 %) | 20 (65 %) |
| | Sending data to developer-provided online services | 21 (40 %) | 21 (42 %) | 18 (42 %) | 21 (43 %) | 17 (55 %) |
| | Sending data to advertisers/marketers | 6 (11 %) | 6 (12 %) | 6 (14 %) | 6 (12 %) | 6 (19 %) |
| | Sending data for analytics/research | 19 (36 %) | 18 (36 %) | 14 (33 %) | 19 (39 %) | 16 (52 %) |
| | Sending data while loading content | 5 (9 %) | 5 (10 %) | 4 (9 %) | 5 (10 %) | 3 (10 %) |
| | Anonymous uses only | 8 (15 %) | 7 (14 %) | 7 (16 %) | 8 (16 %) | 4 (13 %) |
| Technical concerns | Technical and procedural security arrangements | 28 (53 %) | 26 (52 %) | 22 (51 %) | 27 (55 %) | 15 (48 %) |
| | How long data will be retained | 9 (17 %) | 9 (18 %) | 7 (16 %) | 9 (18 %) | 6 (19 %) |
| | Inherent risks or limitations of security on mobile device/internet | 19 (36 %) | 18 (36 %) | 14 (33 %) | 19 (39 %) | 11 (35 %) |
| | The use of cookies | 42 (79 %) | 39 (78 %) | 33 (77 %) | 38 (78 %) | 25 (81 %) |
| User rights | Procedures for opting out of data sharing^b,c | 30 (61 %) | 28 (56 %) | 25 (58 %) | 30 (61 %) | 19 (61 %) |
| | Consequences of not providing or sharing data^a | 15 (31 %) | 15 (30 %) | 13 (30 %) | 15 (31 %) | 8 (26 %) |
| | Procedures for subject access requests^b,c | 14 (29 %) | 14 (28 %) | 10 (23 %) | 14 (29 %) | 9 (29 %) |
| | Procedures for editing data held by developers/third parties^b,c | 29 (59 %) | 27 (54 %) | 23 (53 %) | 29 (59 %) | 17 (55 %) |
| | Procedures for deleting data held by developers/third parties^b,c | 15 (31 %) | 14 (28 %) | 14 (33 %) | 15 (31 %) | 10 (32 %) |
| | Complaints procedures^c | 28 (53 %) | 27 (54 %) | 24 (56 %) | 28 (57 %) | 17 (55 %) |
| | Special procedures for handling data for vulnerable users | 9 (17 %) | 9 (18 %) | 8 (19 %) | 9 (18 %) | 6 (19 %) |
| Administrative details | Identify data controller or responsible legal entity | 16 (30 %) | 16 (32 %) | 14 (33 %) | 16 (33 %) | 10 (32 %) |
| | Legal jurisdiction governing policy | 27 (51 %) | 26 (52 %) | 23 (53 %) | 26 (53 %) | 17 (55 %) |
| | Jurisdictions under which data will be processed^a | 13 (27 %) | 13 (26 %) | 11 (26 %) | 13 (27 %) | 8 (26 %) |
| | Date of policy | 8 (15 %) | 7 (14 %) | 5 (12 %) | 8 (16 %) | 3 (10 %) |
| | Date of next review | 0 (0 %) | 0 (0 %) | 0 (0 %) | 0 (0 %) | 0 (0 %) |
| | Procedures for changing the terms of the policy | 17 (32 %) | 17 (34 %) | 14 (33 %) | 17 (35 %) | 11 (35 %) |

^a Incorporates strong personal identifiers, health-related information and other sensitive information.

^b Because these topics are only relevant for apps that transmit data, the denominator for calculated percentages is the number of apps with a privacy policy that also transmit data.

^c For these domains, policies were additionally examined to distinguish between rights afforded to individuals and those denied. However, in no case did a policy text mention a user right only to deny it.