Exercising caution: how top fitness apps in the UK can compromise your privacy
Spring is in the air and, with the marathon season coming up, so are the starting pistols ushering in the start of running season. Competitors in these races have already been preparing for months, but now’s the time regular folk take to the streets, footpaths, and trails to start or restart their fitness journeys.
In a time when there’s an app for everything, it’s not surprising that people are reaching for fitness apps to help achieve their health and fitness goals. But what’s the trade-off that comes with using these apps? Whether free, paid, or subscription-based, apps like these help themselves to users’ personal data.
Many of the same reasons health and fitness data is so sensitive are also what makes it so valuable to data brokers. Insurance companies, advertisers, and governmental bodies [1] all have their uses for such information, and data brokers are only too happy to oblige. An app that tracks users’ eating and exercise habits, location, and more is a treasure trove of personal data.
Incogni’s researchers gathered information on the leading fitness and sports apps in the UK by revenue [2] and examined what data they collect and share by consulting their developers’ data collection disclosure statements. The results reveal some concerning data collection practices while also suggesting a path forward for those looking for a leg-up on their way to a healthier lifestyle.
Key insights
- The top fitness apps in the UK collect an average of 13.8 personal data points each about their users, with exercise tracker Fitbit collecting the most at 21 data points.
- Five out of ten apps (Fitbit, Strava, AllTrails, Runna, and MyFitnessPal) collect precise location data, seven apps collect photos, while Strava also collects videos.
- Runna collects and shares with third parties all 13 data points, including photos, videos, and health and fitness information.
- MyFitnessPal shares precise locations, Runna shares names and email addresses, Calm also shares email addresses, and AllTrails and Calm share purchase history and app interactions.
- The vast majority (73%) of collected data points are non-optional, meaning that using these apps is synonymous with agreeing to the collection (and possibly sharing) of these data points.
- Shared data ends up in the hands of third-party companies, which can include data brokers, and can subsequently be sold to hedge funds, insurance companies, advertisers, and government agencies.
Data collection and sharing in fitness apps
There are two things a fitness app can be set up to do with users’ personal data: collect it from the user’s account information, device, and interactions with the app, and share it with third parties, including by selling or siphoning it through to data brokers and other companies. An app may collect data without sharing it.
The 10 apps under investigation were found to collect an average of 13.8 data points each. The Fitbit app stands out as the most data-hungry, with 21 data points collected (41% more than average), while the ShutEye app collects the least at 1 data point (with two points shared but not collected).
Notably, 6 apps collect precise location data (Fitbit, Strava, AllTrails, Flo, Runna, and MyFitnessPal), while some also collect approximate location (Fitbit, Strava, AllTrails, Calm, Flo, Headspace).
Our researchers found that 9 out of the 10 apps collect email addresses (only ShutEye doesn’t) and 8 of those 9 also collect people’s names (all but the ShutEye and MyFitnessPal apps).
A total of 7 apps collect photos (Calm, Headspace, and ShutEye being the exceptions here), with Strava also collecting videos (it’s the only app to do so). Fitbit is the only app to collect users’ phone numbers. Both Fitbit and Strava gather information about the other apps installed on users’ devices, while the Fitbit, Strava, and AllTrails apps all help themselves to users’ contacts lists.
This is already cause for concern, but then there are the vaguely defined (possibly catch-all) categories of personal data, like “other info,” which is collected by 5 out of the 10 apps: Fitbit, Strava, AllTrails, Calm, and Calorie Counter. The similarly ill-defined “other user-generated content” is collected by all but the Headspace app (9 out of 10 apps).
All of the above concerns the data points that these apps collect, but what do the developers of these apps do with such data once they have it? One major thing they do is share that data with third parties. “Sharing” here can mean, among other things, selling the data to any individual or organization that’s willing to pay.
On average, the studied fitness apps share 4.1 data points each. This average, though, includes 3 apps that claim not to share any data with third parties (Fitbit, Flo, and Calorie Counter) and one app (Runna) that shares all 13 (100%) of the data points it collects.
The AllTrails app shares 8 out of the 18 data points it collects (44%), Headspace shares 7 out of 9 (78%), Calm shares 6 out of 16 data points, Strava and MyFitnessPal each share 3, and ShutEye shares 2.
App developers are obliged to state reasons for collecting and sharing personal data through their apps [3]. Although open to manipulation, this Google Play Store requirement gives users at least some insight into the purposes behind some of the data collection and sharing to which they’re exposing themselves.
“Advertising” is one such purpose, and many of the developers of the apps we examined declare it as a purpose for sharing a range of personal information. MyFitnessPal shares precise locations for advertising purposes, Runna shares names, Calm and Runna share email addresses, AllTrails and Calm share purchase history, and AllTrails and Calm share app interactions.
The story is similar when it comes to data collection. Strava collects 8 data points for advertising purposes, including users’ fitness info, their approximate locations, and email addresses. Flo collects 7 data points for advertising purposes, including approximate locations, names, and email addresses, and the Calm app collects 5, which also include email addresses.
The stated purposes behind all this data collection and sharing
Given that the Google Play Store requires app developers to state the purposes behind the collection and sharing of data through their apps, our researchers were able to dig deeper into this aspect of their operations.
One line of thought that motivated our researchers was the idea that the more purposes are given for collecting or sharing a data point, the more is likely being done with it. That, in turn, means more people and companies seeing and handling the data, which makes the number of stated purposes per data point a useful metric for assessing privacy risk.
Strava takes second place in terms of how much data it collects (19 data points), and its developers provide the second-highest number of purposes per data point collected, at 3.5. It only has one purpose ascribed to each of the 3 data points it shares, though.
AllTrails provides an average of 4.5 purposes for each data point shared and 3.6 for each one collected. Calm provides an average of 3.8 purposes for each data point shared and 3.3 for each one collected. Headspace provides an average of 3.3 purposes for each data point shared and 3.2 for each one collected.
For collected data, app functionality and analytics each account for around a quarter of all the purposes provided, while analytics notably dominates the purposes given for sharing data.
Data that’s shared is slightly more likely to be used for marketing purposes (15.2%) than when it’s collected (11.7%). Similarly, data is shared for the purpose of analytics 28.7% of the time, while it’s collected for the same purpose only 24.3% of the time. Likewise for the purpose of account management: it accounts for 14.8% of all purposes given for data sharing and 10.9% of those given for collection.
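The metrics this section relies on (data points collected and shared, purposes per data point, the share of non-optional points, and the distribution of stated purposes) can be computed from a Data safety disclosure once it is modelled as structured records. The following Python is an added example, not Incogni’s own tooling or dataset; the app disclosure it scores is constructed for illustration, and the `DataPoint` model and the list of "sensitive" categories are assumptions.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass
class DataPoint:
    """One declared data point from a Google Play Data safety section (assumed model)."""
    name: str
    collected: bool
    shared: bool
    optional: bool                   # can the user skip providing it?
    collect_purposes: tuple = ()     # purposes stated for collection
    share_purposes: tuple = ()       # purposes stated for sharing


def summarize(points):
    """Per-app metrics in the form the article reports (counts, ratios, purposes per point)."""
    collected = [p for p in points if p.collected]
    shared = [p for p in points if p.shared]

    def per_point(items, attr):
        return round(sum(len(getattr(p, attr)) for p in items) / len(items), 1) if items else 0.0

    required = sum(1 for p in collected if not p.optional)
    return {
        "collected": len(collected),
        "shared": len(shared),
        "share_pct": round(100 * len(shared) / len(collected)) if collected else 0,
        "purposes_per_collected": per_point(collected, "collect_purposes"),
        "purposes_per_shared": per_point(shared, "share_purposes"),
        "required_pct": round(100 * required / len(collected)) if collected else 0,
    }


def purpose_distribution(points, attr):
    """Percentage of all stated purposes (collection or sharing) falling under each label."""
    counts = Counter(purpose for p in points for purpose in getattr(p, attr))
    total = sum(counts.values())
    return {k: round(100 * v / total, 1) for k, v in counts.items()} if total else {}


def required_sensitive(points, sensitive=("Precise location", "Health info", "Fitness info")):
    """Sensitive categories the user cannot opt out of: the main risk signal for a reviewer."""
    return sorted(p.name for p in points if p.collected and not p.optional and p.name in sensitive)


# Constructed disclosure for a hypothetical app (not any app from the study).
SAMPLE_APP = [
    DataPoint("Precise location", True, True, True, ("App functionality", "Analytics"), ("Advertising or marketing",)),
    DataPoint("Email address", True, True, False, ("Account management", "App functionality", "Advertising or marketing"), ("Advertising or marketing", "Account management")),
    DataPoint("Fitness info", True, False, False, ("App functionality",)),
    DataPoint("App interactions", True, True, False, ("Analytics",), ("Analytics",)),
    DataPoint("Crash logs", True, False, False, ("Analytics",)),
]
```

Running `summarize(SAMPLE_APP)` on the constructed disclosure gives 5 points collected, 3 shared (60%), 1.6 purposes per collected point, 1.3 per shared point, and 80% of points required; `required_sensitive` flags only fitness info, since the location point is optional.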
Optional data
Most users are unlikely to realize that not all of the data points these app developers collect and share are required to use their apps. Users can simply skip over some input fields when signing up for and setting up these apps, limiting how much of their personal data can be exploited.
For example, precise location data is optional in all 5 of the cases in which it could be collected. Photos—collected by 7 out of the 10 apps—are optional in every case, as are contacts (collected by Fitbit, Strava, and AllTrails). The phone numbers Fitbit collects are optional, and so are the videos Strava collects.
Some noteworthy data points are required by some apps, but optional in others:
- Health info is optional when collected by Fitbit and Flo, but not optional for users of Calorie Counter or Runna.
- Fitness info isn’t optional when collected by Fitbit, MyFitnessPal, Flo, Calm, and Runna, but is optional for Strava users.
- Users of Strava, Calorie Counter, and AllTrails have no say in their purchase history data being collected, whereas it’s optional when collected by Fitbit, Flo, and Calm.
- Email addresses, collected by 9 out of 10 apps (all except for ShutEye), are optional for only 2 out of these 9 apps (AllTrails and Flo).
- Other user-generated content was optional in all cases in which it was collected (by all apps except for Headspace and ShutEye) except for Strava, where it’s required.
Some of the data points collected by the apps we examined are required in every instance:
- Data concerning installed apps (collected by Strava, Calorie Counter, and Fitbit) is never optional.
- App interactions (collected by all apps except for ShutEye) are not optional in any of the apps that collect it.
- In-app search history (collected by all apps except ShutEye and Runna) is not optional in any of the apps that collect it.
Conclusions
There’s no doubt that fitness apps—whether used for planning and logging training sessions or formulating and sticking to a diet—can be a huge help in achieving health and fitness goals. It’s not all benefits and gains with these apps, though. Whether the user pays money for a given app or not, they certainly pay with their privacy.
But privacy can mean many things to many people. Users of apps like these exchange personal information such as their contact details, demographic data, and precise location for access. Many of these apps will also track and report on the user’s interactions with the app.
The problem is that most users are likely unaware that this is the deal they’re making with the app developers. Even fewer users are likely to realize what consequences can come from having their personal data harvested and sold to data brokers.
Health and fitness information is both particularly sensitive and particularly valuable to data brokers. There’s a range of interested parties willing to pay for such information, including insurance companies, marketers, and all manner of spammers and scammers.
Allowing personal data to reach these third parties can lead to more robocalls, spam emails, and junk mail. More than that, it can result in users receiving more and better-targeted scam attempts, having loans mysteriously rejected, and seeing insurance premiums go up for no apparent reason.
Thankfully, Britons looking for a new fitness app have tools like the Google Play data collection disclosures at their disposal. Armed with these and the knowledge that at least some collected data points are optional, users are able to make informed decisions about which apps to allow onto their devices and into their lives, and how to limit the data collection potential of those they do end up choosing.
Methodology
Having identified the top 10 health and fitness apps in the UK by revenue, Incogni’s researchers collected information about each of them from the Google Play Store. In cases where several apps were published by the same company, apps aimed primarily at health monitoring were prioritized.
Incogni’s researchers then noted what user information the selected apps’ developers declared collecting and sharing and what purposes they gave for doing so. This data was collected from the apps’ data collection disclosures on the Google Play Store on March 27, 2024.
The data used in this study is available here: public dataset.
Note on data:
The list of most popular fitness apps by revenue included two apps made by Fitbit. Only one of those was available on the Google Play Store, so only it made it into the analysis above.
Disclaimer
After the release of our research, the developers of the Runna app reviewed and updated their privacy policy, which is disclosed on Google Play. According to information provided on May 2, 2024, the Runna app does not share data with third parties. Data that the app collects (along with collection purposes) include:
- Device or other IDs (analytics, advertising or marketing)
- Photos (optional for app functionality)
- App interactions (analytics)
- Other user-generated content (optional for app functionality)
- Fitness info (app functionality)
- Name (app functionality, advertising or marketing, account management)
- Email address (app functionality, advertising or marketing, account management)
- Crash logs (analytics)
- Diagnostics (analytics)
- Other app performance data (analytics)
- Precise location (optional for app functionality)
The developer also provides a way for users to request deletion of their data.
Sources
1. Electronic Frontier Foundation (EFF). “Location Data Brokers.” Accessed April 8, 2024. https://www.eff.org/issues/location-data-brokers.
2. Similarweb. “Top Grossing Health & Fitness Apps Ranking in United Kingdom on 19 April.” Top Apps Ranking. Accessed April 22, 2024. https://www.similarweb.com/top-apps/google/united-kingdom/health-fitness/top-grossing.
3. Google. “Understand app privacy & security practices with Google Play’s Data safety section.” Google Play Help. Accessed April 8, 2024. https://support.google.com/googleplay/answer/11416267.