UK app developers issued warning amid concerns over user privacy

Female software developer working at a computer in an office environment
(Image credit: Getty Images)

Application developers have been warned that user privacy must be a key priority in development processes amid concerns about poor data protection standards. 

The warning from the Information Commissioner’s Office (ICO) comes after a review of fertility apps showed users could be placed at risk due to poor standards.

Last year, the ICO took a detailed look at period and fertility apps to check how they were processing personal data and decide whether their privacy practices were having any negative impact on users. It contacted several app providers, along with interviewing app users to ask about their experiences.

While the data watchdog said it uncovered no serious compliance issues or evidence of harms during the review, it decided nonetheless to remind all app developers about the importance of protecting users’ personal data, especially where sensitive information is involved.

Emily Keaney, the ICO's deputy commissioner for regulatory policy, said the review bore positive results, but that “improvements” were needed to ensure users aren’t placed in harm's way.

"When we announced we were looking into period and fertility apps, we received a helpful response from users who were able to share their experiences with us. We want to reassure users that we haven’t found any evidence these apps are using their data in a way that could cause them harm," she said.

"However, our review has highlighted there are improvements app developers could make to ensure they are meeting all their obligations to be transparent with their users and keep their data safe."

Period trackers tend to hold data of a particularly personal nature - especially in the US, where abortion rights are coming under fire.

When the ICO launched its review last year, it said that more than half of those women using period trackers reckoned they'd seen an increase in baby or fertility-related adverts since signing up.

In a 2022 review of the privacy policies of 25 period tracker apps, the Organisation for the Review of Care and Health Apps (ORCHA) found that 84% of the apps allowed the sharing of personal and sensitive health data with third parties. At 68%, the majority did so for marketing, 40% for research and 40% for improving developer services of the app itself.

App developers across the board need to prioritize privacy

The ICO said its warning wasn’t just limited to developers of fertility products, however. The watchdog said all types of applications must ensure that they’re properly adhering to data protection standards and keeping users informed of potential risks. 

Developers need to ensure their apps are being transparent with how they use people’s personal information, the ICO said, telling users the purposes for processing their personal data, how long data will be retained, and who it will be shared with.

They must also make sure they have the right consent to use people’s personal information - explicit, unambiguous, and involving a clear action to opt in.

Pre-ticked boxes, or any other default method for consent are not allowed, and developers must also make it easy for people to withdraw their consent at any time.

In order to process personal data at all, there must be a lawful basis, such as consent, contract, or legitimate interests. When deciding on the lawful basis, app developers need to consider the purposes and context of their processing to decide which is most appropriate.

Similarly, anyone developing apps must be accountable for the personal information they hold.

Determining the purpose of processing data means being the official data controller, responsible for complying with data protection law, and means appropriate measures must be taken to ensure any data processing is lawful.

"Signing up to an app often involves handing over large amounts of personal information, especially with apps that support our health and wellbeing," Keaney said. "Users deserve peace of mind that their data is secure, and they are only expected to share information that is necessary."

Emma Woollacott

Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.