Smartphone and smartwatch health apps

Health Apps Commonly Share User Data Without Consent

The Scoop

Your favorite smartphone/mobile health app probably shares your private information with third parties, and most likely without your knowledge.


  • Some mobile health apps commonly sell sensitive user information to third parties
  • Study of Android diabetes apps found very few apps even have a privacy policy
  • Most permissions settings give apps powerful access to your device and unrelated app info
  • In many cases, HIPAA does not apply to data collected by health apps

The Details

Think your mobile health app keeps your private information private? Think again. Health apps connected to your phone or a wearable device commonly share or sell user data to third parties — a reality of which many people are unaware. 

A recent study published in the Journal of the American Medical Association looked at 211 Android diabetes apps and found that only 41 apps (19%) actually had privacy policies (a notice within the app informing the user how the app may gather, use, disclose, and manage the user’s information). The remaining 81% had none. And of the 41 apps that had privacy policies, only four of them indicated they would request user permission before sharing the user’s data with a third party. 

Many people think that if an app has a “privacy policy,” the app protects the privacy of their information. In reality, privacy policies often include notices and disclaimers that diminish users’ privacy rights — with users effectively giving up rights to the data.1 On top of that, apps are generally not subject to HIPAA even if they collect health-related information.

Why should you care? The issue isn’t limited to diabetes apps. In general, all apps you download to your mobile device — and any website you might access — collect information about you. Information collected with tracking cookies can include personal details like name, date of birth, gender, exercise habits, and sexual activity. And in the case of the diabetes apps covered in the study, sensitive health info like insulin or blood glucose levels can be sold and shared without your affirmative consent. This info is compiled and analyzed by data brokers who then provide it to advertisers, insurance companies, and government entities, to name a few.2

Aside from privacy policy issues, in many instances, the default permissions (which you must accept to download an app) give the app the ability to track your location, access your camera, and make changes to or delete information on your device. That said, most permissions can be changed manually in your device’s settings. But you should know that a change in device settings may affect the functionality of the app.

The moral of the story? The information you input into a mobile app, or that is tracked through your use of any mobile app, probably will be shared and used by third parties without your affirmative consent. If an app has a privacy policy, you should read it carefully and understand how your information may be gathered, used, and disclosed. You should also understand whether or not there are ways to protect your information within the app, such as adjusting your permission settings.

By taking these extra steps, you can make an informed decision not only about the information that you make available through the app, but also about whether you want to download and use the app in the first place.