JMIR Publications

ABSTRACT

Background:

Driven by technological advancements, the proliferation of mobile sports and health applications (apps) has revolutionized health management by improving efficiency, cost-effectiveness, and accessibility. While the widespread adoption of these platforms has transformed public health practices and social well-being in China, emerging evidence suggests that inadequacies in their privacy policies may compromise personal information (PI) protection.

Objective:

This study conducts a systematic evaluation of privacy policy compliance among 100 leading mobile sports and health apps in mainland China, benchmarking them against the Personal Information Protection Law (PIPL) and associated regulatory guidelines.

Methods:

This study develops a privacy policy compliance indicator scale based on the information life cycle and the legal framework for PI protection in the Mainland of China. This scale consists of 5 level 1 indicators and 37 level 2 indicators that assess the privacy policy compliance.

Results:

The mean compliance score of the 100 sports and health apps is 58.375. 42% of the 100 apps score below the average, with 57.14% (n=24) scoring less than 40 points and 20% (n=20) scoring more than 80 points. The 5 level 1 indicators have the following scores: 75.22% for the collection of PI, 52% for the storage of PI, 52.21% for the use of PI, 61% for the entrusted processing, the sharing, the transfer, and the disclosure of PI, and 60.6% for the consultation and feedback on PI. The compliance level among Apple system apps surpasses that of Android system apps. Despite identical qualified rates for Apple and Android apps, both at 17 out of 50, the proportion of Apple apps rated as excellent (12%) and good (12%) markedly surpasses that of Android apps, which stand at 6% for excellent and 10% for good. The compliance evaluations for these 37 level 2 indicators, 18 show a mean compliance rate below 60%. Three indicators exhibit compliance rates below 20%: de-identified display and use of PI at 16%, storage of sensitive PI at 13%, and processing rules of deceased users at 11%. While the majority of 100 apps indicate that the collected PI will be retained in the Mainland of China for a reasonably necessary duration (mean 71%[SD 45.60%]), and that separate authorization will be required otherwise (mean 80%[SD 40.20%]), in accordance with the principle of necessity outlined in Article 19 and the principle of domestic storage in Article 39 of the PIPL, fewer than half (mean 44%[SD 49.89%]) of the evaluated apps will de-identify the data promptly through security measures after PI collection.

Conclusions:

Although some apps establish commendable policies, there are some shortcomings that compromise the efficacy of PI protection. In light of this, this paper puts forward suggestions from the perspective of privacy policy formulation, regulatory reform, and legislative improvement.