Data privacy trends in popular apps: shopping and food delivery apps lead in user tracking
December 2023 by Surfshark
In a revealing study of 100 popular apps, Surfshark’s Research Hub uncovers a concerning trend in data privacy. The research highlights shopping and food delivery apps, particularly Amazon Shopping and Wish, as leading categories in user data collection, posing significant privacy concerns. More than a third of shopping & food delivery category apps’ data is tracked (such as shared with a third-party advertising network or data brokers). Research is aided by a free App privacy checker tool where users can select the specific apps they have on their phone and receive a report on the extent of data collection.
“Analyzing 100 popular apps on the App Store, we’ve found a concerning trend: nearly 20% of collected data is used for tracking. Such tracked data can be shared with third-party advertisers or data brokers, who use it to deliver personalized ads targeting the users, or aid companies in market research,” says Agneska Sablovskaja, Lead Researcher at Surfshark. “Understanding an app’s privacy policy is crucial for safeguarding digital autonomy.”
Shopping and food delivery apps collect more data points than average
On average, shopping and delivery apps collect 21 out of 32 possible data points. Moreover, these apps link the most data to the user — 95% of collected data points are linked to the user’s identity. Also, such apps tend to use collected data to track the user the most — a third of collected data points are used for these purposes.
Wish could be named the most data-hungry app within shopping & food delivery apps category, collecting 24 out of 32 data points, linking almost all data points to the user’s identity, and using over a third of data to track its users. That’s considerably more than the average of 15 collected data points across all 100 examined apps. Around 40% of data points collected by Wish and DoorDash are used to track the user, like email address, precise location, and purchase history.
Out of the analyzed shopping & food delivery apps, only one — Amazon — does not use data to track its users. But it collects most of the unique data about the user (25 of 32 possible data points), and also, also all the collected data is linked to the user’s identity.
If we look at food delivery apps specifically, Uber Eats stands out as tracking (sharing with third parties) the most data points out of the collected (12 out of 21), such as phone number, physical address, search history and more. GrubHub tracks 11, Instacart - 10. 10 analyzed Shopping & food delivery apps were: Amazon Shopping, eBay Marketplace, AliExpress, Etsy, Wish. DoorDash, Uber Eats, Grubhub, Deliveroo, Instacart.
Around half of the 100 analyzed apps collect search history and precise location
1523 data points are collected across 100 of the most popular apps. Statistically speaking, that’s an average of 15 unique data points per app out of the 32 unique data points defined by Apple. Around 90% of the apps collect usage, diagnostic, and identifier data such as product interaction, user ID, device ID, crash and performance data. Most are essential for their app functionality.
Two-thirds of the apps collect your name and coarse location, and nearly half collect your precise location. Coarse location is a more general estimation of where you are, while precise location is more detailed and accurate. Over a third of the apps collect your contacts, and a fifth collect your emails or text messages and browsing history.
Facebook and Instagram are the two most privacy-invasive apps. Both apps collect all 32 data points defined by Apple and are the only two to do so. Signal is also the only social media and messaging app to make the top 10 most privacy-sensitive list. It is the second least data-hungry app, collecting just 1 data point (phone number) that is not linked to you or used to track you.
Before downloading apps, it is recommended to check the developer’s reputation and data retention policies and pay attention to constant permission requests to access contact list, camera, storage, location, and microphone and limit the app’s access to information only when the app is in use.
METHODOLOGY
We analyzed a total of 100 apps across 10 app categories. The apps for each category were selected from articles that appeared at the top of search engine result pages for "the most popular appCategoryX apps" keyword. The App Store lists 32 unique data points that can be collected across 12 unique data point categories. We analyzed the data set according to the three layers of collected data points: unique data points collected, number of data that’s linked to the user, and data that’s used to track the user.