


Contradictions on Apps’ privacy policies and the risks of using templates


A large number of Google Play Store mobile applications (“Apps”) contain privacy policies that do not honestly and adequately reflect what happens to the personal information they collect from users. In many cases, the use of standard policies or templates is the practice to blame for the contradictions between what the company claims to do with users’ data and what actually happens with their data.

In an academic study (1) published in August last year, researchers from several universities created a tool called “PolicyLint” with the purpose of analysing the language used in the privacy policies of 11,430 Google Play Store applications. The result was that 14.2% of the applications (1,618 Apps) have a privacy policy that contains logical contradictions regarding the collection of personal data from users.

Examples of these contradictions include privacy policies that state in one section that they do not collect personal data and then contradict themselves in later sections where they state that they collect the email address and even the user's name - these being clearly personal data.

Another study (2), also published in 2019, examines an even more controversial case: privacy policies of 8,030 mobile applications specifically targeted at children and families – applications listed on the Google Play Store's "Designated for Families" list – meaning that their target audience includes children under 13. 

Surprisingly, 9.1% of these applications (728 Apps) claim not to target children and 30.6% (2,457 Apps) claim no knowledge of data collection from children under 13, which raises serious questions about how they are using children’s data.

Likewise, in both studies, a large percentage of the privacy policies make no reference to the communication of data to third-party companies, even though in practice such communications could be verified. Furthermore, the second aforementioned study found that 9,424 applications do not use encryption protocols in data communications, while 28.4% of these same applications claim to implement adequate security measures in data transfers.

In many cases, templates are to blame

The research team that created “PolicyLint” found 59 applications that had made use of Internet services to self-generate the privacy policy, and a further examination of those policies revealed that the conflicting statements were part of the template itself and not an addition of the App provider.

As the Spanish Data Protection Authority (AEPD) has already stressed about this sort of service of adaptation to the data protection regulations “at zero cost” (3), compliance with the GDPR and the Spanish Data Protection Act (LOPDGDD) “does not consist of merely formal compliance, but rather implies reviewing, designing and applying the data protection principles to the specific circumstances of each company”; therefore the implementation of templates, except where there are exceptional coincidences, does not allow real compliance with the data protection regulations.

CONTACT


Isabel Garcìa Garcìa

+34 91 5359977
