Diet Apps and the Data They Collect
The researchers looked at three popular companies: BetterMe, VShred, and Noom. These companies offer online questionnaires that claim to find the best diet for each user, and they invest heavily in PPC (pay-per-click) marketing, usually bidding high on popular keywords like “weight loss.” The researchers first filled out the questionnaires and noted the type of information each of the three companies collected. This revealed that each company collects a significant amount of sensitive health and lifestyle data. They then filled out the questionnaires multiple times, entering slightly different information each time to check for variations in the results. However, the results did not change regardless of the data provided. For example, BetterMe offered the same “suggested plan” even after they entered a variety of starting and goal weights. As the report points out, an online test that asks for your data and makes no use of it is a bad sign.
User Data Safety
Next, the researchers studied what actually happens to the collected data. To do so, they used an HTTP toolkit to intercept HTTP(S) requests, which let them examine the traffic between each website and third parties. This experiment revealed the following results.

BetterMe: Users’ gender information goes to Facebook and Google Analytics. Privacy International noted that they observed the same in a similar study on online mental health apps. BetterMe’s privacy policy clearly states its data-sharing practices with third parties. However, the report flagged two major concerns. First, the policy allows BetterMe to share data with unnamed service providers. Second, BetterMe operates out of Ukraine, but the “lawful basis” it gives for its data collection does not comply with GDPR, the set of data protection rules that give EU citizens greater control over their data.

Noom: It collects a lot of user data before subscription, and as a consequence is able to create an extremely thorough and intimate user profile. The researchers found that Noom shares the information it collects with a platform called FullStory, and it does so without asking the user for consent. Noom’s privacy policy does not mention FullStory either.

VShred: It undermines user privacy in a very simple way. As the researchers were completing the questionnaire, the information they provided appeared in the URL. Trackers and third-party services embedded in websites “usually get access to the URL of the site you are visiting.” In its privacy policy, VShred states that European privacy laws do not apply to its data collection practices. This is not true, since its ads target EU users, as one of Privacy International’s researchers noted.
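As an added illustration of the VShred finding and of the traffic analysis described above (example code written for this page, not from the report or from any of the companies): a small Python audit over constructed intercepted requests that flags questionnaire fields appearing in a first-party URL, and third-party requests whose Referer header carries that URL. The domain names, field names and captured requests are assumptions made up for the example.

```python
from urllib.parse import urlparse, parse_qs

# Query-string keys that, on a diet questionnaire, carry health or lifestyle data.
# Constructed for this example; a real audit would use the field names actually
# seen in the intercepted traffic.
SENSITIVE_KEYS = {"gender", "age", "weight", "goal_weight", "height", "diet"}

# Constructed sample of intercepted requests (method, url, headers), the kind an
# HTTP interception toolkit shows while a questionnaire is being filled out.
CAPTURED = [
    ("GET", "https://diet.example/quiz?gender=female&weight=82&goal_weight=65", {}),
    ("GET", "https://tracker.example/pixel.gif?id=123",
     {"Referer": "https://diet.example/quiz?gender=female&weight=82&goal_weight=65"}),
    ("POST", "https://diet.example/api/answers", {}),
    ("GET", "https://analytics.example/collect?v=1",
     {"Referer": "https://diet.example/results"}),
]


def sensitive_params(url):
    """Return the sensitive query-string keys present in a URL, sorted."""
    return sorted(k for k in parse_qs(urlparse(url).query) if k in SENSITIVE_KEYS)


def is_third_party(url, first_party):
    """True when the request host is not the site being audited or a subdomain of it."""
    host = urlparse(url).hostname or ""
    return not (host == first_party or host.endswith("." + first_party))


def audit(captured, first_party):
    """Flag first-party requests that put sensitive fields in the URL, and
    third-party requests whose Referer carries such a URL (so the third party
    receives the answers). The remedy is to send answers in a POST body and to
    set a restrictive Referrer-Policy so embedded scripts never see the query."""
    findings = []
    for method, url, headers in captured:
        keys = sensitive_params(url)
        if keys and not is_third_party(url, first_party):
            findings.append(("first-party-url-leak", url, keys))
        ref_keys = sensitive_params(headers.get("Referer", ""))
        if ref_keys and is_third_party(url, first_party):
            findings.append(("third-party-referer-leak", urlparse(url).hostname, ref_keys))
    return findings


if __name__ == "__main__":
    for finding in audit(CAPTURED, "diet.example"):
        print(finding)
```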
Privacy Protection
Based on their report, Privacy International has filed Data Subject Access Requests with each of the companies. These are requests sent to companies to disclose information they hold about their users. Health tech is a booming sector with an enormous range of products and services. However, companies offering these services must comply with data protection laws and treat sensitive health data with caution. If you want more information, we have a dedicated section for mobile apps and how they use your data.