In May 2014, 27 privacy regulators across the world, members of the Global Privacy Enforcement Network, conducted an audit of over 1,200 mobile applications in order to examine the quality of privacy notices provided to users.

As reported by the French data protection authority, the CNIL, this audit focused on:

  • the type of data collected by the mobile applications;
  • the detail of information provided to users;
  • the quality of the information provided about the purpose of data collection.

The main finding is that a high number of applications are accessing large amounts of personal data without adequately explaining how that data is being used.

Three-quarters of the mobile applications audited are collecting personal data. Most of the data collected relates to location, account logins, and mobile device identifiers. The audit indicates that collection of such data is not always justified by the application’s purported purpose.

Only a quarter of the applications audited were deemed to provide clear and easily understandable information, whereas more than half left users struggling to find basic privacy information.

In France, among the 121 applications reviewed by the CNIL, 15% do not provide any information on the processing of collected data. When such information is provided, the majority of applications fail to give easy access, requiring an excessive number of searches on the publisher’s website or in different application tabs. In most cases, the information is not clear enough and only available in English. The CNIL recommends that French mobile users be cautious and avoid applications that are accessing a large amount of data.

The CNIL strongly advises application developers to strengthen the quality and transparency of the information provided.