Half of Android Apps Have No Privacy Policy, Despite Law

It's rarely enforced, but the practice is illegal in at least two states

Photo Illustration: Vocativ
Nov 18, 2016 at 11:04 AM ET

More than half of Android apps evaluated by a new study don’t have a privacy policy — something that seems to contradict the law in at least two states.

The study, a joint effort by several academics that used an analysis method created by Carnegie Mellon University, scraped data from 17,991 different free apps available at the Google Play store. Of those, 9,050 — 50.3% — didn’t have a privacy policy at all.

According to the Google Play store’s own rules, any app that accepts any personally identifiable information, payment information, contact data, or accesses a user’s microphone or camera, must “post a privacy policy in both the designated field in the Play Developer Console and from within the Play distributed app itself.”

Of those apps that had no privacy policy, the study found, the majority, 71%, did use at least some of the above forms of information and should have one.

That’s a likely problem, considering at least two state’s laws specifically prohibit an app taking users’ personal information without establishing a clear privacy policy, Pam Greenberg, a senior fellow at the National Conference of State Legislatures, pointed out to Vocativ. Both California and Delaware require a privacy policy from any app that collects, for instance, a name, physical location, or email address.

It’s unclear what kind of penalty, if any, creators of apps that collect personal data but lack a privacy policy would actually face. Google didn’t respond to request for comment. The California Attorney General’s office, at least, can fine a company up to $2,500 each time a non-compliant app is downloaded.