When millions of iPhones update to iOS 14.5 in the coming weeks, it will become much more obvious that many of the most common apps—including weather trackers, dating apps, and games—are advertising-data tools as much as they are anything else. When you open apps for the first time after Apple’s latest system update, you’ll get a pop-up asking to “track your activity,” and your approval will give permission for developers to link information about you to an advertising profile that can track you across apps (and across the web). On the App Store, Apple’s recently introduced “privacy nutrition label” helps detail what information each app seeks to collect, store, and share, but the implications aren’t always clear.
We decided to see what we could learn about data tracking on iPhones and iPads by reading 250 App Store labels, including those for some of the most popular apps.1 We found that most of them do indeed collect and share a lot about you, and that some of the longtime worst offenders haven’t changed their behavior just because there’s a system pop-up or store label these days.
Understanding Apple’s three privacy categories
Head into the Apple App Store, and below the reviews you’ll find an App Privacy section consisting of three categories:
- Data Used to Track You (or your device) and shared across different apps, ad networks, and companies
- Data Linked to You (and your real identity) that is collected by the app and company but not shared
- Data Not Linked to You that the company generally aggregates into larger statistics
Each category lists any of the 14 different types of data that the app collects and uses, as self-reported by the app’s developer. This labeling gets complicated quickly, and the same type of data can appear in multiple categories. To really understand how your privacy is affected by these new tracking-request pop-ups and how to deal with each one thoughtfully, you’ll need to understand the labels. (Though if you’d prefer to skip straight to the how-to portion for disabling all of these prompts, see our instructions.)
Data Used to Track You
Nearly two-thirds of the apps we looked at indicated the collection of some types of data under Data Used to Track You. Apple’s definition of tracking refers to any data collected in an app about a person or a device (your iPhone or iPad) that is linked to data collected by another party, such as a data broker or advertising network. Advertising companies often defend the practice by noting that the information collected is typically tied to a unique number, not a person, but it’s often trivial to link a device to a person. And if you see “Contact Info” listed as data an app can collect, that can include your name, address, phone number, email address, and “Any other information that can be used to contact the user outside the app.”
Even without your contact info, the data your app activity generates is tracked by a device ID, a unique identifier (that is, an “identifier for advertisers,” or IDFA for short) that makes it easy for third parties to track you through other apps, services, and websites. The Wall Street Journal has a useful graphic (subscription required) that explains how these ads tend to work. Or for a more detailed look at how ridiculously complicated this can get, check out this chart.
This data tracking across apps explains how you can search for, say, a pair of running shoes in one app, and then ads for running shoes start showing up in other apps like Instagram.
Not all apps that declare their data gathering in the Data Used to Track You portion have ads, but they may sell or share data. As Pete Snyder, senior privacy researcher and director of privacy at Brave, a browser and software company that emphasizes its privacy-protection features, explains: “So even if an app isn’t ‘monetizing’ by showing you ads, apps will collect everything they can, on the vague chance that with enough machine learning and combining with other data sets, they’ll find some unique data point about you that someone in the surveillance economy will pay them for.”
Starting with iOS 14.5, apps must send you a notification and receive your permission before they can track and share your activity. If you tap Ask App Not to Track, your IDFA is withheld. Apple also expects developers to stop using other identifiers, such as an email address or usage data, to track you as well, though there’s no technical means to block that tracking. If you allow tracking, the app will continue to share the types of data as listed on the privacy label with other apps and data brokers. You can always review or change your choice by heading into the Settings app and selecting Privacy then Tracking. If an app has ads, you’ll still see them after disabling tracking, but they won’t be based on tracking data from different apps or services.
Opting out doesn’t stop developers from tracking you across multiple apps owned by the same company, such as Google Maps and Google Chrome, or Facebook and Instagram. Developers can continue to include their own ads for subscription services, products, or other apps made by the same company. And companies don’t have to list what kinds of data they’ve collected and tracked if it doesn’t involve advertising or sharing the data with data brokers; this includes data for the performing of services such as fraud prevention, security, and some analytics.
Data Linked to You
The Data Linked to You category includes any types of data the developer collects that can be tied to your identity but is not shared with third parties. In some instances it can be hard to comprehend why a company wants this sort of data. Apps actually collect a lot of information about you but need much of that data for basic functionality. For example, if you pay for an app through a subscription service, the app’s developer needs access to “Purchases” data and perhaps even “Financial Info” in order to verify your account status. “User Content” data can include the photos you add to an app but also game data such as saves or multiplayer-matching info. An app is not supposed to use any of the types of data listed in the Data Linked to You section of the privacy label to track you across other apps, but in many cases that expectation doesn’t keep your data contained to the app. Take, for example, Google Chrome, which collects a variety of information about your web browsing and is tied to your Google account.
It’s easy to see a long privacy label, especially in the Data Linked to You portion of the label, as bad news. But Christy Harris, director of technology and privacy research at Future of Privacy Forum, disagrees with that notion: “Just because an entity lists a multitude of data elements that they might collect, does not necessarily indicate that they are doing nefarious things or that they are some massive data aggregator.”
In our experience, we had to use the apps for a while just to understand why their privacy labels listed certain types of data under Data Linked to You, which we think defeats the purpose of the label in those situations.
Data Not Linked to You
Almost everything in the Data Not Linked to You section is about analytics. About 50% of the apps we looked at said they collected “Diagnostics,” making that the most common type of data accumulated. This type of data refers to crash reports, energy use, and other technical issues.
Most of this data is innocuous, but the traffic analyzer we used, Disconnect’s Privacy Pro SmartVPN, flags several types of diagnostic tools, including Adjust, Amplitude, and Crashlytics, as trackers. Since many of these tools can also be used for tracking, either for advertising or for tasks that are allowed under Apple’s rules, such as fraud prevention or analytics, their existence blurred the conclusions we could make for this category in our testing. Some diagnostic tools, such as Adjust, fully support Apple’s new rules, offering developers a way to display ads without tracking the device ID. But even while testing an app, it’s impossible for most people to verify how the app employs such third-party tools unless the developer mentions the use of those tools in its privacy policies.
Despite the Data Not Linked to You name, we did run into some questionable data collection in this category during our examination of various apps. For example, the KXAN Weather app lists several types of data in this section of its privacy label, including “Precise Location” and “Email Address,” and both of those types of data can be easily tied to identity in most cases.
We chose to examine the privacy labels and practices of 250 apps (a fraction of the millions of apps in the App Store) across several categories. This selection included the top apps of 2020, as well as popular games, browsers, weather apps, streaming-video apps, photography apps, notes apps, dating apps, shopping apps, news apps, and health and fitness apps. (We collected the information between March 17 and 26, 2021.) Among those apps, we found the following:
- 60% of the apps had a Data Used to Track You label.
- Of the apps with a Data Used to Track You label, 96% used identifiers (either the device ID or a user ID), 70% measured advertising data (usually information about which ads you’ve seen and whether you clicked them), 38% of the apps used location, and 19% used contact info (typically an address). When you tell an app not to track you, Apple withholds the identifier from the app but technically can’t monitor any of the other possible methods.
- 57% explicitly mentioned advertising as their purpose for tracking you.
- 44% of all the apps we looked at indicated using data in the Data Linked to You category for third-party ads, while 55% said they used it for “developer’s ads.”
We also used Disconnect’s Privacy Pro SmartVPN app to analyze traffic on 150 of the 250 apps, and we found that they shared data across 44 different third-party services that Disconnect defines as trackers, averaging between two and three third-party services per app (some estimates suggest that apps can be connected to as many as six trackers each).
Of the 150 apps we checked, 17 apps shared data with third parties without disclosing that sharing on their privacy label. When we reached out to the developers behind those 17 apps, only four replied with an explanation; in those four cases, the developers said their apps communicated with an analytics service for tracking how people used the app. (Disconnect flags this type of tool as a tracker because it can be configured to document a single person’s usage, but it doesn’t fall under Apple’s definition since there’s no advertising component.) At this writing, at least four other apps’ developers have not responded to our request for comment but have quietly updated their App Store pages to add a new list of data types under the Data Used to Track You portion of their label, and two apps appear to have removed some of their trackers.
Among the apps whose developers didn’t respond to our request for comment, most communicate with third-party tools or services that can technically work for tracking but may fall under Apple’s exceptions for analytics, such as Adjust, Amplitude, AppsFlyer, and Crashlytics. Future of Privacy Forum’s Christy Harris speculates that these apps “might be using a third-party SDK that also has an advertising component.” Basically, some SDKs—software development kits, or tools that developers can hook into—have multiple uses. One example is a crash-reporting tool that may have an option to track a device ID in other contexts. It’s up to app developers to know how these tools work, to know how their apps are configured to use them, and to share that connection on their privacy labels correctly. The Washington Post ran a deeper test analyzing a handful of apps (subscription required to read article) and also found several apps sharing more data than they claimed they did.
Some of this discrepancy may be attributable to a developer misunderstanding Apple’s rules or not knowing enough about the SDKs it uses. More cynically, you might assume the developer is being purposely untruthful. But among the apps we looked at, around 90% were transparent about their tracking.
Weather apps (still) share tons of data about you
Weather apps have long been scrutinized for selling your location information, and that’s still the case today. Of the 20 weather apps we looked at, 17 of them indicated (in the Data Used to Track You section of their privacy label) that they gathered data to track devices for the purpose of advertising, and 14 of those used location information to track devices. Location information is particularly valuable to data brokers, with the sales of location-targeted advertising reaching an estimated $21 billion in 2019. One app, Weather Radar Live, does not list anything on its Data Used to Track You label but appears to communicate with two potential trackers, Adjust and Crashlytics, both of which can be configured to fit Apple’s definition of not tracking. Weather Radar Live’s developer didn’t respond to our request for comment or an explanation of how it uses those tools. Overall, we found that 18 weather apps shared data with an average of four third-party companies listed as trackers by Disconnect. Some weather apps offer to remove visible ads through in-app purchases, but after we signed up in our testing, none of them changed their behavior in regard to sending data to third parties.
Carrot Weather stood out as the only all-purpose weather app in the top 20 at the time of our testing that didn’t have a Data Used to Track You label. (One other non-tracking app, Windy.com, is a niche weather app for wind modeling.) I asked Carrot Weather’s developer, Brian Mueller, why he charges for certain features in the app. “My weather data providers charge a small amount for each weather data request—and this quickly adds up when the widgets are requesting 40+ updates per day,” Mueller told me. “Without charging extra for the subscription, I wouldn’t be able to offer any of these features at all. A lot of weather apps sell your data to third parties to pay for these costs, but I think that’s wrong.”
It’s (sometimes) worth paying for apps
Anecdotal evidence suggests that apps that cost money collect and share less data than their free counterparts do. They seem to do so to the extent that when I’m looking for a new app to use, I’ll consider a paid option. The logic is obvious: Most paid apps don’t have ads and so don’t benefit directly from collecting data about you. Free apps aren’t always bad, and paid apps don’t always respect your privacy, so you still need to scrutinize apps before installing them.
Many free games make money through embedded ads. When we looked at the top 20 free games of 2020, 19 of them reported data gathering in the Data Used to Track You section of their privacy label; Among Us was the lone exception. Of the top 20 paid games of 2020, only four said they used data for tracking, but seven of them hadn’t even received their privacy label at the time of our research. (If an app hasn’t been updated to include a privacy label, it cannot access Apple’s built-in tracking tool and thus won’t get access to tracking data.)
Among the games included in the Apple Arcade $5-a-month subscription plan, we didn’t find any using data for tracking purposes, likely because games in the plan don’t have ads.
As for other paid apps, the majority of paid note-taking apps we looked at didn’t list any types of data gathering in a Data Used to Track You label, but two apps with paid subscription plans—Evernote and Notion—did. However, these apps don’t scrape the content of your notes for advertising; on their respective labels, Evernote lists “Email Address” and “Device ID” and Notion lists “Advertising Data” as the types of data collected.
We also happened across some paid apps that employ more nefarious tactics than many free apps use. Several weather apps, for instance, use manipulative design to trick you into signing up for their subscriptions while still shoveling your data off to third parties. Likewise, paying for some content subscription services, such as news subscriptions, meditation-app subscriptions, or video streaming services, doesn’t grant you any additional privacy.
Shopping, exercising, moving, news, and dating apps are big into tracking
Labels and app behaviors are always changing, but here are some conclusions that we found surprising, insightful, and representative of how apps tend to share data, according to what we found in the Data Used to Track You labels and our own tests across the top downloads. (Information collected between March 17 and 26, 2021.)
17 out of the top 20 shopping apps we looked at said they collected and shared data for tracking
In our tests, these apps sent data to an average of three third-party trackers. (The Amazon app, for one, shares only identifiers, while Wish collects and shares your location, contact info, identifiers, purchases, search history, usage data, and browsing history.) Since online shopping is heavily interwoven with online advertising, it isn’t surprising that a large number of shopping apps engage in this behavior, but we were still stunned to see just how much these apps collect and presumably share about people’s habits.
13 out of 20 health and fitness apps we looked at indicated data gathering under their Data Used to Track You label
In our tests, we found that the 13 apps shared with an average of three third-party trackers. Because of the personal nature of health and fitness data, we were a bit unnerved to learn that the majority of such apps were freely sharing data. It’s difficult to track exactly how data brokers or advertisers use information, but we do know about some tools, such as Deloitte’s PredictRisk, which uses information from data brokers (who may or may not collect data from apps) to generate a health-risk prediction score that is then provided to life insurance companies to assess whether people may be interested in their product.
12 out of 13 of the house- or apartment-hunting apps we looked at used data for tracking
Bad news for privacy fans who are dream-scrolling Zillow for houses: Of all the categories we looked at, these apps shared the most data, everything from browsing history outside the app to contact info to “User Content.” This makes sense given that new-homeowner and new-apartment-renter profiles are likely to lead to easy ad-driven sales as they come packed with predictable shopping needs. In our tests, we found that these apps sent many types of data to an average of five third parties.
All 13 of the news apps we looked at used data for tracking
In most cases, these apps indicated on their privacy labels the collection of obvious types of data, such as identifiers, usage data, and contact info, but occasionally they’d list more: The CBS News and BBC News apps, for example, both use browsing history, and a handful of others also use location information. Considering that news apps have ads, this result isn’t shocking, but most of these apps also charge subscription fees. In our tests, we found that these 13 apps, including the New York Times app, sent data to an average of five trackers each.
12 out of 13 dating apps we looked at listed data gathering on their Data Used to Track You label
Dating apps also share a lot of data, sending that data to two trackers on average in our tests. Though none of these apps listed Apple’s official “Sensitive Info” type on their labels as being used for tracking purposes, they do track and share data that can be sensitive—at least three share your location history, and just having some of them installed might reveal your orientation. It’s unfortunate there aren’t more privacy-focused options in this app category.
How to minimize your exposure to data tracking
Personalized ads tracking you all over the place are creepy, but creepiness shouldn’t be your only concern in regard to how much of your data gets shared. In the past year, federal agencies have used location information from a data broker for immigration enforcement (subscription required to read article). The US military has purchased location data from apps, too, and last year a data broker claimed it could trace and break down the demographics and location of protestors.
Once your data goes from an app to third-party data brokers, it’s particularly difficult to track how these other parties use all the data they collect. Data brokers, as an industry, sell to everyone from ad companies to debt collectors to governments. And the data can reveal all sorts of surprising things, such as health-risk prediction scores or financial information. Although Apple’s new rules will put a stop to your IDFA ending up in their data sets, it’s much harder to regulate the use of any of the other personal information and history floating out there. If you’ve lost track of what apps do what, you can take a few steps to minimize the amount of tracking on your device overall:
- Disable tracking on your iPhone or iPad: You can disable tracking entirely by heading to Settings > Privacy > Tracking and then disabling Allow Apps to Request to Track. If you want to allow some apps to track your activity, you can customize which ones can and can’t track you on this screen. Note that Apple’s new tracking rules apply only to data coming from the app on your iOS device. If you want to block tracking elsewhere, such as on your computer’s browser, we have a list of browser extensions for just that purpose.
- Delete apps you don’t use: Review the apps you don’t use and delete them. You might have dozens of old apps you used only once just sitting there, still selling your data. If you download anything new, scrutinize the privacy label to ensure you’re comfortable with what the app will do with your data.
- Avoid the big tech companies: Read through any privacy label for an app made by Facebook or Google, and you’ll see how much data they collect about your behavior. Now is a good time to consider avoiding the apps from such tech behemoths on your phone or to consider using those services in your browser instead. While you’re at it, consider a new browser, too. Apple’s default Safari app isn’t bad in this regard, but some alternatives, such as Brave, DuckDuckGo, and Firefox, are even more focused on privacy, and all of them integrate more privacy protections inside the app than Safari does.
Apple’s improvements are only a small step
In general, we found the new privacy labels informative for apps in more narrow-interest categories and for apps from smaller companies, such as productivity apps. It’s helpful to see what types of data your to-do app might gather up or share, for example, and that knowledge may influence you to choose another option. And perhaps it’ll be eye-opening to see what that free photography app you use to make Instagram collages shares about you (it’s likely not the photo itself, but the data might include what other apps you use or which ads you’ve clicked). Even though the labels are not always useful for understanding the behavior of every category of app, we did find them helpful to discern between one niche app, such as a notes app, and another when it came to their privacy practices. When you get into the big-name social media, dating, or shopping apps, however, Apple’s privacy labels quickly become incomprehensible.
But we have seen some subtle shifts with the launch of iOS 14.5. Before iOS 14.5, apps could list relevant types of data collection in their labels’ Data Used to Track You section but weren’t required to ask you for that permission. On April 29, 2021, however, we noticed that a few high-profile apps—including those of Compass Real Estate, HBO Max, and Tinder—had removed the tracking section of their privacy labels since our initial look at them a month prior, suggesting that in the future we may see a shift in how apps approach sharing data when they’re required to ask you for permission.
Outside of the App Store, the broader tech world still has a ways to go to become transparent about its data-collection practices, and that measure of change will require updates to privacy laws. As independent researcher and consultant Ashkan Soltani notes, although Apple can currently block a specific type of tracking, “there’s going to be new technologies and new developments—and how proactively is Apple going to be in seeking those out?” We’ve already seen some proofs of concept (subscription required to read article) for different techniques that get around Apple’s rules. Soltani points to Global Privacy Control, which he created, as one part of a broader solution, which “provides the ability to set the setting in your browser and be opted out automatically.”
The importance of transparency, rules, and regulations isn’t going anywhere. “The surveillance economy is pervasive in ways that are unknown to nearly everyone, and it’s designed to stay unknown,” Brave’s Pete Snyder points out. “And the tech companies most responsible are doubling down by encouraging ecosystems that give users less control, less understanding of how what’s being recorded about them, and less power over their own lives.” With Apple’s privacy nutrition labels, now people at least have one more tool for better understanding how their data gets used, shared, and sold.
1. Full lists of the apps we reviewed are available as CSV files. We collected this data during the period of March 17–26, 2021, and apps may have changed their policies since then. You can see the lists for all 250 apps, apps with entries under Data Linked to You, apps with entries under Data Not Linked to You, and apps with entries under Data Used to Track You. Jump back.
1. Pete Snyder, senior privacy researcher and director of privacy at Brave, email interview, April 09, 2021
2. Ashkan Soltani, independent researcher, phone interview, April 09, 2021
3. Christy Harris, director of technology and privacy research at Future of Privacy Forum, Zoom interview, March 31, 2021