Health, fitness apps sending user data to third parties

The top 20 most popular health, wellness and fitness apps, including WebMD Health, are actively sharing user data with as many as 70 third-party companies, according to a blog post from web analytics and privacy group Evidon.

"These companies are typically advertising and analytics companies, who attempt to better match advertisements to users who will buy; and who work to help app developers increase functionality and usability, respectively," the author of the post contends. "It's a common practice for these companies to make these data available to whoever finds it valuable, however, so any number of companies may acquire this data eventually."

Evidon's findings were featured in a recent Financial Times article which revealed that the third parties often use the information gathered from consumers who are tracking diseases, diets and bicycle trip distances to build profiles or display personalized ads.

"You are talking about some of the most sensitive details of your life being widely available to others," Jeff Chester, executive director of the Center for Digital Democracy, a consumer privacy group, says in the article. "That information is being sucked up and collected surreptitiously by a host of online companies that are sharing, selling and trading that information."

WebMD, however, denied in the article that the information shared with third parties is personally identifiable or that it is being sold, adding that it does not allow third-party companies to combine the consumer data collected about its users with other profile information or use it beyond its site. 

Nevertheless, Evidon's blog stated that while its research cannot speak to exactly what data is shared, the "breadth of the data collection is certainly a surprise to most app users, particularly since there is a lack of clear disclosure about the frequency and type of data collected." 

In July, the Privacy Rights Clearinghouse, a California nonprofit group, released a report on mobile health and fitness apps based on a technical risk assessment they performed to determine what data the apps collected, stored, and transmitted. After studying 43 popular apps (both free and paid) from a consumer and technical perspective, the group found "considerable privacy risks for users" and that the privacy policies for those apps that have policies do not describe those risks.

The apps which presented the lowest privacy risk to users were paid apps due to the fact that they don't rely solely on advertising to make money, which means the data is less likely to be available to other parties. Of the free mobile apps the consumer group reviewed, less than half (43 percent) provided a link to a website privacy policy and of the sites that did in fact post a privacy policy only about half were accurate in describing the app's technical processes. 

To learn more:
- read the FT article
- read the Evidon blog