An investigation into data safety labels on the Google Play Store has allegedly uncovered “serious loopholes” that allow apps like Twitter, TikTok, and Facebook to easily provide false or misleading information regarding how user data is shared. The study, conducted by the Mozilla Foundation, identified 40 of the most globally downloaded Android apps on the Google Play Store and discovered almost 80 percent had discrepancies between their privacy policies and the information listed on Google Play’s data safety section.
Google launched its data privacy section for the Play Store last year, noting that developers had sole responsibility to provide “complete and accurate declarations” for the information collected by their apps by filling out a Google Data Safety Form. Mozilla argues that these self-reported privacy labels may not accurately reflect what user data is actually being collected due to shortcomings in the safety form’s honor-based system, such as having vague definitions for “collection” and “sharing” and failing to require apps to report data shared with “service providers.”
Mozilla studied the top 20 free apps and top 20 paid apps and then graded them with a score of “poor,” “needs improvement,” or “OK” based on its findings. Sixteen of the 40 total apps, including Twitter, Minecraft, and Facebook, received a “poor” grade, while 15 apps — including TikTok, YouTube, Google Maps, Gmail, WhatsApp, and Instagram — achieved “needs improvement.” Just six apps received an “OK” grade, most of which were mobile games such as Candy Crush Saga and Subway Surfers. Three apps — UC Browser-Safe, Fast, Private; League of Stickman – Best acti; and Terraria — hadn’t even filled out the Google Data Safety Form.
Mozilla’s grading for the top 20 paid Android apps on Google Play.
“Consumers care about privacy and want to make smart decisions when they download apps. Google’s Data Safety labels are supposed to help them do that,” says Jen Caltrider, project lead at Mozilla. “Unfortunately, they don’t. Instead, I’m worried they do more harm than good.”
Mozilla’s grading for the top 20 free Android apps on Google Play.
In one example within the report, Mozilla highlights that TikTok and Twitter both claim to not share any data with third parties in their Data Safety Forms, despite clearly stating that data is, in fact, shared with third parties in their respective privacy policies. “When I see Data Safety labels stating that apps like Twitter or TikTok don’t share data with third parties it makes me angry because it is completely untrue. Of course, Twitter and TikTok share data with third parties,” says Caltrider. “Consumers deserve better. Google must do better.”
Google has since issued a statement dismissing the study (seen via TechCrunch), claiming that Mozilla’s grading system is inefficient. “This report conflates company-wide privacy policies that are meant to cover a variety of products and services with individual Data safety labels, which inform users about the data that a specific app collects,” says a Google spokesperson. “The arbitrary grades Mozilla Foundation assigned to apps are not a helpful measure of the safety or accuracy of labels given the flawed methodology and lack of substantiating information.”
Apple has also been criticized for its own developer-submitted privacy labels, with a 2021 report from The Washington Post finding that many iOS apps similarly provided misleading information, with some of the apps falsely reporting that they didn’t collect, share, or track user data.
Mozilla suggests that both Apple and Google should adopt a universal standardized data privacy system across their platforms to address these concerns and recommends that large tech companies take greater responsibility and enforce action against apps that fail to provide accurate information regarding data sharing. “Google Play Store’s misleading Data Safety labels give users a false sense of security,” says Caltrider. “It’s time we have honest data safety labels to help us better protect our privacy.”