*Privacy Not Included researchers find discrepancies between Google Play Store’s Data Safety labels and privacy policies of nearly 80 percent of the reviewed apps
(SAN FRANCISCO, CA | FEBRUARY 23, 2023) — Google Play Store's Data Safety labels would have you believe that neither TikTok nor Twitter share your personal data with third parties. The apps' privacy policies, however, both explicitly state that they share user information with advertisers, Internet service providers, platforms, and numerous other types of companies.
These are two of the most egregious examples uncovered by Mozilla’s *Privacy Not Included researchers as part of a study looking at whether Google Play Store’s new Data Safety labels provide consumers with accurate information about apps collect, use, and share personal data. In nearly 80 percent of the apps reviewed, Mozilla found that the labels were false or misleading based on discrepancies between the apps’ privacy policies and the information apps self-reported on Google’s Data Safety Form. Researchers concluded that the system fails to help consumers make more informed choices about their privacy before purchasing or downloading one of the store’s 2.7 million apps.
The study – “See No Evil: How Loopholes in the Google Play Store’s Data Safety Labels Leave Companies in the Clear and Consumers in the Dark,” – uncovers serious loopholes in the Data Safety Form, which make it easy for apps to provide false or misleading information. For example, Google exempts apps sharing data with “service providers” from its disclosure requirements, which is problematic due to both the narrow definition it uses for service providers and the large amount of consumer data involved. Google absolves itself of the responsibility to verify whether the information is true stating that apps “are responsible for making complete and accurate declarations” in their Data Safety labels.
Google Play Store's misleading Data Safety labels give users a false sense of security. Honest nutrition labels help us eat better. It's time we have honest data safety labels to help us better protect our privacy.
Jen Caltrider, Project Lead, Mozilla
For the study, Mozilla compared privacy policies and labels of the 20 most popular paid apps and the 20 most popular free apps on Google Play Store. Each app was then assigned a rating of “Poor,” “Needs Improvement,” or “OK”. Apps that received a “Poor” score had major discrepancies on their Data Safety Forms in terms of types of data shared or collected, or the purposes for which the data was shared or collected. Apps that earned an “OK” score had privacy policies that were closely aligned with their disclosures on the Data Safety Form, and apps that were graded with “Needs Improvement” fell somewhere in the middle. The study found:
- In nearly 80% of the apps we reviewed, Mozilla found some discrepancies between the apps’ privacy policies and the information they reported on Google’s Data Safety Form.
- 16 out of 40 apps, or 40%, received a “Poor” grade, including Minecraft, Twitter, and Facebook.
- 15 apps, or 37.5%, received a middle grade, “Needs Improvement,” including YouTube, Google Maps, Gmail, WhatsApp Messenger, and Instagram.
- Just 6 of the 40 apps, or 15%, received an “OK” grade. These apps were: Candy Crush Saga, Google Play Games, Subway Surfers, Stickman Legends Offline Games, Power Amp Full Version Unlocker, and League of Stickman: 2020 Ninja.
- 3 apps, UC Browser - Safe, Fast, Private; League of Stickman Acti; and Terraria did not fill out the form at all
“Consumers care about privacy and want to make smart decisions when they download apps. Google's Data Safety labels are supposed to help them do that. Unfortunately, they don't. Instead, I'm worried they do more harm than good,” said Jen Caltrider, Project Lead, Mozilla. "When I see Data Safety labels stating that apps like Twitter or TikTok don't share data with third parties it makes me angry because it is completely untrue. Of course, Twitter and TikTok share data with third parties. Consumers deserve better. Google must do better."
Caltrider added: "Google Play Store's misleading Data Safety labels give users a false sense of security. Honest nutrition labels help us eat better. It's time we have honest data safety labels to help us better protect our privacy."
Noting a 2021 Washington Post investigation that found similar problems with the Apple App Store’s labels, Caltrider said the study also brings into question whether Google and Apple can objectively police the safety of apps in their stores. Google Play and the App Store generated gross revenues of approximately $48 billion U.S. dollars and $60 billion, respectively, through mobile apps in 2021. On the heels of the Biden administration accusing both app stores of playing “a significant gatekeeping role by controlling (and restricting) how apps are distributed,” Caltrider said it’s critical the tech industry take steps to create standardized data privacy labels much like the nutrition labels now found on packaged goods and fast food menus.
“The history of nutrition labeling shows that it’s possible to create a standardized system that becomes part of the cultural fabric and makes a positive difference in people’s daily lives,” said Caltrider.
To address the problem, Mozilla recommends that Google and Apple adopt a universal, standardized data privacy system form on their platforms. Mozilla also recommends that the companies expand and explain their enforcement action against apps that don’t comply and take some responsibility for ensuring the accuracy of the information apps report.
The study builds on Mozilla’s ongoing *Privacy Not Included initiative, a two-fold effort to arm consumers with the information they need to protect their privacy while spurring the tech industry to do more to safeguard consumers. Since 2017 Mozilla’s project has reviewed the privacy and security of more than 100 apps and 300 internet-connected devices.