Table 4.
Coverage of privacy and security-related topics in privacy policies
| Apps with a privacy policy | ||||||
|---|---|---|---|---|---|---|
| Apps collecting data | Apps transmitting data | |||||
| Domain | Topic | All apps, n = 53 (%) | Any data, n = 50 (%) | Personal or sensitive dataa, n = 43 (%) | Any data, n = 49 (%) | Personal or sensitive dataa, n = 31 (%) |
| Uses of data | Primary uses of collected data | 46 (87 %) | 43 (86 %) | 36 (84 %) | 43 (88 %) | 28 (90 %) |
| Secondary uses of collected data | 31 (58 %) | 29 (58 %) | 25 (58 %) | 30 (61 %) | 20 (65 %) | |
| Sending data to developer-provided online services | 21 (40 %) | 21 (42 %) | 18 (42 %) | 21 (43 %) | 17 (55 %) | |
| Sending data to advertisers/marketers | 6 (11 %) | 6 (12 %) | 6 (14 %) | 6 (12 %) | 6 (19 %) | |
| Sending data for analytics/research | 19 (36 %) | 18 (36 %) | 14 (33 %) | 19 (39 %) | 16 (52 %) | |
| Sending data while loading content | 5 (9 %) | 5 (10 %) | 4 (9 %) | 5 (10 %) | 3 (10 %) | |
| Anonymous uses only | 8 (15 %) | 7 (14 %) | 7 (16 %) | 8 (16 %) | 4 (13 %) | |
| Technical concerns | Technical and procedural security arrangements | 28 (53 %) | 26 (52 %) | 22 (51 %) | 27 (55 %) | 15 (48 %) |
| How long data will be retained | 9 (17 %) | 9 (18 %) | 7 (16 %) | 9 (18 %) | 6 (19 %) | |
| Inherent risks or limitations of security on mobile device/internet | 19 (36 %) | 18 (36 %) | 14 (33 %) | 19 (39 %) | 11 (35 %) | |
| The use of cookies | 42 (79 %) | 39 (78 %) | 33 (77 %) | 38 (78 %) | 25 (81 %) | |
| User rights | Procedures for opting out of data sharingb,c | 30 (61 %) | 28 (56 %) | 25 (58 %) | 30 (61 %) | 19 (61 %) |
| Consequences of not providing or sharing dataa | 15 (31 %) | 15 (30 %) | 13 (30 %) | 15 (31 %) | 8 (26 %) | |
| Procedures for subject access requestsb,c | 14 (29 %) | 14 (28 %) | 10 (23 %) | 14 (29 %) | 9 (29 %) | |
| Procedures for editing data held by developers/third partiesb,c | 29 (59 %) | 27 (54 %) | 23 (53 %) | 29 (59 %) | 17 (55 %) | |
| Procedures for deleting data held by developers/third partiesb,c | 15 (31 %) | 14 (28 %) | 14 (33 %) | 15 (31 %) | 10 (32 %) | |
| Complaints proceduresc | 28 (53 %) | 27 (54 %) | 24 (56 %) | 28 (57 %) | 17 (55 %) | |
| Special procedures for handling data for vulnerable users | 9 (17 %) | 9 (18 %) | 8 (19 %) | 9 (18 %) | 6 (19 %) | |
| Administrative details | Identify data controller or responsible legal entity | 16 (30 %) | 16 (32 %) | 14 (33 %) | 16 (33 %) | 10 (32 %) |
| Legal jurisdiction governing policy | 27 (51 %) | 26 (52 %) | 23 (53 %) | 26 (53 %) | 17 (55 %) | |
| Jurisdictions under which data will be processeda | 13 (27 %) | 13 (26 %) | 11 (26 %) | 13 (27 %) | 8 (26 %) | |
| Date of policy | 8 (15 %) | 7 (14 %) | 5 (12 %) | 8 (16 %) | 3 (10 %) | |
| Date of next review | 0 (0 %) | 0 (0 %) | 0 (0 %) | 0 (0 %) | 0 (0 %) | |
| Procedures for changing the terms of the policy | 17 (32 %) | 17 (34 %) | 14 (33 %) | 17 (35 %) | 11 (35 %) | |
aIncorporates strong personal identifiers, health-related information and other sensitive information; bbecause these topics are only relevant for apps that transmit data, the denominator for calculated percentages is the number of apps with a privacy policy that also transmit data; cfor these domains, policies were additionally examined to distinguish between rights afforded to individuals and those denied. However, in no case did a policy text mention a user right only to deny it