Last year, Google made a big change to the Play Store, forcing all app developers to add data safety labels to their Play Store listings. This is supposed to help users understand which private data is accessed by the app and which of it, if any, is shared with third parties. Like with Apple’s Privacy Nutrition Labels, the goal is to make the most important bits of an app’s privacy policy easily understandable at a glance. A new study from Mozilla reveals that many top apps in the Play Store had at least some discrepancies between their privacy policies and the Play Store labels.

For its study, Mozilla took a look at the top 20 paid apps and the top 20 free apps on the Play Store. Out of these, 80% had at least some discrepancies between their privacy policies and the Play Store disclosures. About 40% even had major discrepancies, and only six out of the 40 apps received a positive rating from Mozilla.

SCR-20230223-cte
Source: Mozilla

Among the poorly rated free apps are big and renowned services including multiple Facebook apps, Twitter, Snapchat, and the Samsung Push Services. TikTok’s privacy labels earned the worst overall rating, with the company apparently outright lying. Its Google Play Data Safety Form says it doesn’t share any date with third parties, but its privacy policy lists multiple service providers including Google and Facebook, and it also reveals that the company may share data with advertisers and creators.

SCR-20230223-ctp
Source: Mozilla

Even Google’s own apps need improvement, according to Mozilla. YouTube, Chrome, Google Maps, and Gmail reportedly show some discrepancies between their privacy labels and their policies. Only Google Play Games received a top rating in the study, along with the game Subway Surfers and Candy Crush Saga.

Mozilla also found a few issues with the way Google surveys app developers for the safety data provided in Play Store listings. For one, the company seems to put developers on the spot — they alone are responsible for providing correct data, implying that there are no further checks from Google. A lot of the discrepancies found by Mozilla can also be explained by the way Google defines terms and requirements for disclosures. Mozilla says that data sharing with “service providers” doesn’t have to be reported, and Google reportedly has narrow definitions for the “collection” and “sharing” of data, which makes it possible for developers to conceal details and mislead users.

Jen Caltrider, Project Lead at Mozilla, summarizes,

Consumers care about privacy and want to make smart decisions when they download apps. Google's Data Safety labels are supposed to help them do that. Unfortunately, they don't. Instead, I'm worried they do more harm than good. When I see Data Safety labels stating that apps like Twitter or TikTok don't share data with third parties it makes me angry because it is completely untrue. Of course Twitter and TikTok share data with third parties. Consumers deserve better. Google must do better.

The challenge for both Google and Apple’s privacy labels is that they are trying to simplify and standardize complicated privacy policies. As long as companies publishing apps on the Play Store or App Store don’t have to actually revise their privacy policies to be easier to understand, these discrepancies will likely continue to exist, no matter how good the system gets. Both Apple and Google definitely have the right idea with the privacy labels, though — it’s just clear that the execution needs to be better.

You can read the full report on Mozilla's website.

We've reached out to Google for comment on the report, and a spokesperson told us,

This report conflates company-wide privacy policies that are meant to cover a variety of products and services with individual Data safety labels, which inform users about the data that a specific app collects. The arbitrary grades Mozilla Foundation assigned to apps are not a helpful measure of the safety or accuracy of labels given the flawed methodology and lack of substantiating information.

UPDATE: 2023/02/23 11:53 EST BY MANUEL VONAU

Updated with Google comment

We've updated the article with a statement from a Google spokesperson.