The Privacy Rights Clearinghouse (“Clearinghouse”) recently released a study funded by the California Consumer Protection Foundation examining the potential privacy risks of mobile health and fitness apps.  The study analyzed 43 popular health and fitness apps (free and paid) to identify potential privacy issues based on the data collected, stored, and transmitted by those apps.

Overall, the study found that 26% of the free health and fitness apps and 40% of the paid apps had no privacy policy at all.  For the apps that had privacy policies, the study found that some of the policies were not always accurate in describing the apps’ technical processes.  Free apps were also more likely than paid apps to make user data available to third parties.  In addition, the study found that 13% of free apps and 10% of paid apps “encrypted all data connections and transmission” between the app and the developer’s website(s).

In addition to the study, the Clearinghouse issued a “how to” guide for mobile app developers that lays out a list of best practices for building privacy into mobile apps.  Among other suggestions, the guide recommends that developers avoid unencrypted (http) connections to transmit data from the app and instead utilize an encrypted (https) connection.  The Clearinghouse also recommends the use of privacy policies that clearly inform users of what data is being collected and what it will be used for, suggesting that the best way to do this is through contextual pop-up notices.

The release of the study is a reminder that app developers and other members of the mobile wireless ecosystem should review their existing data privacy and security practices for compliance with applicable Federal and state laws, especially as they deploy new consumer-oriented services.  For example, making sure that privacy notices are in place and updated to reflect current activities and data practices can help decrease the risk of consumer confusion, regulatory enforcement, and potential litigation.

Arielle Brown