This article is more than 5 years old. Information may no longer be current.
Not all mental health apps disclose third-party data transmission practices
Of 36 smartphone apps for depression and smoking cessation assessed in a cross-sectional study, 29 transmitted data to services provided by Facebook or Google, but only 12 disclosed this in a privacy policy.
“While the potential of smartphone applications (apps) to improve access to health care resources, real-time monitoring, and even interventions is well established, concerns about data privacy remain,” Kit Huckvale, MBChB, MSc, PhD, from the Black Dog Institute in Australia, and colleagues wrote in JAMA Network Open. “Because many national health payers and insurance companies do not yet cover apps (given their often-nascent evidence base), selling either subscriptions or users’ personal data is often the only path toward sustainability.”
The researchers examined the privacy practices of 36 popular, top-ranked mental health apps for depression and smoking cessation as well as the association between disclosures made in privacy policies and data transmitted to third parties.
Huckvale and colleagues evaluated privacy policy content, including terms and conditions, which were identified from app store descriptions, app content and related websites. They performed technical assessment of encrypted and unencrypted data transmission, examining the link between policies and transmission behavior by intercepting sent data. For each transmission, they identified the owner of the destination — developer or third party — and occurrences of personal and other user-generated data contained within each message.
Overall, 25 of 36 apps (69%) for depression and smoking cessation had a privacy policy, with 22 of these 25 apps (88%) providing information about the primary uses of collected data and 16 (64%) describing secondary use, according to the results.
Although 23 of 25 apps with a privacy policy disclosed that data would be transmitted to a third-party entity, Huckvale and colleagues detected data transmission to one or more third parties in 33 of 36 apps (92%). Nine apps did not have a privacy policy, five did not disclose this transmission in policy text and three specified that transmission would not occur.
Overall, 81% of apps transmitted data, for advertising and marketing purposes or analytics, to Google and Facebook; however, only 43% of these apps sending out data to Google and 50% sending data to Facebook disclosed this.
“Privacy policy review must be supplemented by sustained technical efforts if new and evolving privacy risks are to be identified in a timely way and flagged effectively to consumers and health care professionals,” researchers wrote. “As smartphones continue to gain capabilities to collect new forms of personal, biometric, and health information, it is imperative for the health care community to respond with new methods and processes to review apps and ensure they remain safe and protect personal health information.” – by Savannah Demko
Disclosure: One researcher reported grants from National Health and Medical Research Council; no other authors report relevant financial disclosures.