Apple tightens privacy rules for health apps

Developers face restrictions on use of personal data

Apple is tightening up its privacy rules to ensure a new generation of health and fitness apps are not thwarted by growing concerns over how developers use personal data.

The rules will stop personal data collected through Apple’s new HealthKit platform being used to target adverts for products such as weight loss remedies.

HealthKit, which will track data including exercise levels and sleep, is one of the key features of a new mobile operating system that will next month launch alongside a new iPhone and a highly anticipated wearable device, dubbed the iWatch by pundits.

Shares in Apple touched a fresh high on Thursday after Apple sent out invites for a media launch on September 9, at which the group is expected to unveil new iPhones and possibly a wearable device.

Health apps, which can track intimate data such as heart rate, have seen a spike in popularity in the past year. But studies by regulators and privacy groups have found some developers pass user data on to advertising networks, often without telling the customer.

In the latest update to Apple’s iOS developer program licence agreement, Apple said developers must “not sell an end-user’s health information collected through the HealthKit API to advertising platforms, data brokers or information resellers”.

The privacy clampdown comes as Apple seeks to differentiate itself against rival Google, which relies on targeted ads for much of its income.

In June, Apple unveiled its Health app, a new dashboard to allow iPhone owners to track their heart rate, calorie intake, movement and other fitness metrics from a variety of different apps in a single place. Underlying the dashboard is the HealthKit system, which allows developers to contribute data from their own apps and draw on information from others if users grant permission.

Developers who want to tap into HealthKit's application programming interface (API) must commit to a new set of rules, including a requirement to link to a privacy policy.

HealthKit apps must not use the API or any information obtained through it “for any purpose other than providing health and/or fitness services”, Apple’s new rules state. All apps participating in the scheme must offer privacy policies

Apps that break these rules risk ejection from the App Store, while any breach of a privacy policy could involve federal regulatory enforcement.

The move from an App Store dominated by games and chat apps into health and fitness introduces much greater regulatory complexity for Apple and the people who create software for its iPhone and iPad.

Above and beyond its already-strict rules for developers, Apple is being extra careful in how it curates Health apps, after consulting with regulators. In January, Apple executives discussed “medical applications” with the US Food and Drug Administration, the agency’s records have shown.

In June, Flurry, a mobile analytics firm recently acquired by Yahoo, reported a 62 per cent increase in usage of health apps, outpacing the wider market’s growth.

Many of those apps, especially if they are free to download, rely on advertising for their income.

Last year, Privacy Rights Clearinghouse, a consumer advocacy group, found that 43 per cent of the health apps it studied shared user-generated personally identifiable information with advertisers. A study earlier this year by the US Federal Trade Commission found that a sample of 12 fitness apps transmitted users' information around dietary and workout habits to 76 third parties.

HealthKit is aggregating data from what will likely be multiple sources … Apple is being very careful as to how that is utilised or controlled. It’s Apple tightening control on developers

Geoff Blaber, analyst at CCS Insight

Some app makers are already working to combat these concerns.

Earlier this month, Fitbit, a leading maker of fitness tracking devices, put out a reworded privacy policy that made no changes to its terms but tried to explain them in clearer language. “We don’t sell any data that could identify you,” Fitbit's new policy says.

“HealthKit is aggregating data from what will likely be multiple sources within one location on the device,” says Geoff Blaber, an analyst at CCS Insight. “Apple is being very careful as to how that is utilised or controlled. It’s Apple tightening control on developers.”

The new protections around health data follow Apple’s previous attempts to offer more privacy controls around developers’ access to an iPhone’s location or uploading their address book, areas which have caused controversy in the past. Just last month, Apple faced criticism from the Chinese media over the iPhone's location-tracking capabilities; Apple denied any risk to national security.

In the wake of Edward Snowden’s revelations about spy agencies’ attempts to tap tech companies’ huge data troves for surveillance, the new iOS 8 update will include several other new privacy features. These include regular prompts to confirm that apps can continue to track location, new ways to block tracking cookies in its Safari web browser, and end-to-end encryption of iMessages.

“Apple faces this increasingly tricky balance of ensuring they are carefully regulating the data developers have access to, with developers’ desire to create ever more innovative apps and services,” Mr Blaber said. “Apple has always closely controlled what comes through the App Store, far more so than Google.”

“There are lots of privacy and ethical implications, for sure, but there is also great opportunity here to make a meaningful difference on the aggregate health of the world,” says Jason Jacobs, chief executive of exercise app Runkeeper, of Apple’s Healthkit initiative. “If they are successful, it could make things both easier for developers and more valuable for consumers and for healthcare in general.”

This article has been amended to correct the name of an organisation

Copyright The Financial Times Limited 2016. All rights reserved. You may share using our article tools. Please don't cut articles from and redistribute by email or post to the web.

More on this topic

Suggestions below based on Internet privacy

Apps: Growing pains

Once a thriving cottage industry, bigger players are now dominant and profits are squeezed