Table 1.
The 26 heuristics (H) present in our evaluation technique.
| Category description and number^a | Heuristic |
|---|---|
| Notice or Awareness: These heuristics concern what people are told about how their data are used before their personal information is collected, such as the terms of service or privacy policies. | |
| H1 | Before data are shared with a remote actor, the entity collecting the data is explicitly identified. |
| H2 | Before data are shared with a remote actor, the uses of the data are explicitly identified. |
| H3 | Before data are shared with a remote actor, the potential recipients are explicitly identified. |
| H4 | The nature and means of the data collected are explicitly identified. |
| H5 | Steps taken to ensure confidentiality, integrity, and quality of data are explained. |
| H6 | For those of the above that are satisfied, the notice is sufficiently explicit. |
| H7 | Users can control when data are used for nonoperational secondary use, such as marketing or research. |
| Choice or Consent: These include the controls people have over use of their data, such as whether to permit secondary uses of their data, including marketing. | |
| H8 | Consent is acquired before data are shared with a remote actor. |
| H9 | Consent is explicitly opt-in: no preticked checkboxes, etc. |
| H10 | Users can choose which data types are automatically collected from sensors or other sources, for example, connect a finance app to a single bank account or track steps but not heart rate. |
| H11 | Data collection consent is dynamic: if new types of data are being collected, consent is renewed in situ. |
| H12 | Data processing consent is dynamic: if the purpose of processing changes, consent is renewed. |
| H13 | Data distribution consent is dynamic: if the set of actors the data are distributed to changes, consent is renewed. |
| H14 | Consent to store and process data can be revoked at any time: with the service and any other actors. |
| H15 | Users can control where data are stored. |
| Access or Participation: These address issues such as whether people are able to view the data they have provided and whether they can verify its accuracy in a timely manner. | |
| H16 | All raw collected data can be extracted from the service (in-app or via the vendor’s website). |
| H17 | All data are available in standard text formats (CSV^b, XML, JSON^c, GPX^d, etc). |
| H18 | Data extraction is available from within the service, for example, without raising a request with support. |
| H19 | Programmatic access to data is possible, for example, app programming interfaces are exposed. |
| Social Disclosure Usability: These relate to the usability of interface elements that allow users to share data with third-party services, for example, social networking sites. | |
| H20 | Privacy controls are per-disclosure, for example, individual workouts can be published to a social networking site, not relying solely on global defaults. |
| H21 | Privacy controls allow granular sharing of data types, for example, when sharing a workout, the distance can be shared but not the pace. |
| H22 | Error prevention: is explicit confirmation acquired before a disclosure? |
| H23 | Minimize user memory load: effects of a disclosure are visible throughout the disclosure flow (ie, memory of earlier decisions is not required). |
| H24 | Minimalist: during the disclosure flow no extraneous information (such as adverts or irrelevant user interface elements) is displayed. |
| H25 | Consistency: information shown during the disclosure flow is consistent with the effect of the disclosure. |
| H26 | Help and documentation: contextual help with making privacy decisions is available. |

^a See Multimedia Appendix 1 for the scoring criteria.
^b CSV: comma-separated values.
^c JSON: JavaScript Object Notation.
^d GPX: GPS eXchange Format.