App Store’s privacy labels: Fact or fiction?

Privacy claims mean little if no one’s verifying them. Stay vigilant and don’t take Apple’s privacy labels at face value.
Profile image with a line through it and a warning sign above it.

Apple introduced app privacy labels in the App Store in December 2020 with the aim of showing users downloading any app what sort of data it collects. The labels are meant to act as a summary of the app’s privacy policy that we have all definitely read

Knowing what information apps collect is useful, as it can inform users about whether an app you’re thinking of downloading will harvest your data for advertisers and other third parties to use.

Apple's privacy labels on an iPhone.

But a recent report from Top10VPN has found that these labels are frequently inaccurate. In Top10VPN’s analysis of Apple privacy labels for VPNs, it found that ExpressVPN was the only major VPN app whose privacy labels were completely accurate.

“Our investigation not only revealed the disturbing proportion of apps with inaccurate or missing privacy labels but also highlighted further flaws in Apple’s system even beyond the fundamental problem posed by self-certification,” the report stated.

App Store privacy labels are self-reported by app makers

Apple’s privacy labels allow apps to certify the sort of information they collect, from contact information and physical location, to your financial history and health and fitness data. The labels also indicate whether the information it collects is used to track you or linked to you.

As of now, information listed on app privacy labels is self-reported by apps, without an additional verification system to check that their claims are true. Apple itself says in the page details, “This information has not been verified by Apple.”

[Stay up-to-date on privacy news. Sign up to the ExpressVPN Blog newsletter.]

As one measure of accuracy, Top10VPN checked the privacy labels against the VPN companies’ privacy policies. It also went a step further by performing traffic tests with mitmproxy, an open-source HTTPS proxy. But unless you know exactly what you’re testing and are willing to test every app you consider on the App Store, it is difficult for laypeople to verify the claims each app makes about its data collection.

How Apple privacy labels are still helpful

While it’s important not to take these privacy labels at face value, there is still useful information that can be gleaned from them. When you’re scrolling through the App Store and trying to figure out which apps you can trust, here are three questions to help guide your decision to download the app.

1. Does it have an Apple privacy label?

For starters, avoid apps if they don’t provide any information about the data they collect. While privacy labels are considered mandatory in the App Store, existing apps don’t need to add them until their next update—a loophole for an app maker not wanting to list its practices. Apps that don’t have these labels will say “Data not provided” instead.

2. How long is the label?

Apple’s labels are still somewhat useful to tell if the app is being very transparent about its data collection. The Facebook app, for example, has an extensive list of all the things it collects when you use its app—an oddly transparent display of how much data it links to you.

Normally, the longer the list, the more likely it is that the app is doing business with your information, potentially selling your information to advertisers or be used by other third parties.

There are exceptions. Some apps may claim they’re using lots of data because they’re trying to prevent something bad like fraud from happening, like your personal banking app. Still, it’s good to check.

3. What sort of information does the app collect?

Think about the app’s privacy labels in the context of the app itself. Does a map app need to know your location data? Probably. Does a flashlight app really need to know your location data? Probably not.

With iOS devices, you can toggle the location tracking in your privacy settings, so if you do feel that you need an app for its location tracking function, you can turn it on for that app.

Another one to look out for is your Device ID, especially if it comes with a trove of other data points (see Question 2). Your Device ID is a unique code used to identify your device, which can make it easy for apps to connect the data points back to you across different apps, even if you’re not on the app itself.

To make it more difficult for apps to track you with your Device ID, iOS users can go to their privacy settings, and go to Tracking to toggle “Allow apps to request to track” off. That doesn’t mean they’ve stopped tracking you completely, but it does make it harder for them to connect the dots on the same device.

As a general rule of thumb, the fewer items that are on the list of data the app harvests from you, the better.

You’ll just need to be extra sure that it’s an app you can trust.

Ceinwen focused on digital privacy, censorship, and surveillance, and has interviewed leading figures in tech.