Revealed: The UK health and fitness apps selling your personal data

The UK’s most popular health and fitness apps collect 14 personal data points about their users on average, with the exercise tracker Fitbit collecting the most information
Data harvesters who sell on your personal information can legally gather your location, photos, videos and health and fitness details from these apps
Running coach app Runna shares 13 data points with third parties, including users’ location, photos, and health and fitness information
Six out of 10 apps analysed collect users’ photos and five collect their precise current location
Data protection service Incogni warns consumers to be wary of what they share with apps which then pass on personal information to data brokers

The UK’s most popular health and fitness apps collect an average of 14 personal data points about their users, which can then be sold on to data harvesters who profit off people’s personal details, new analysis by the data protection service Incogni has found.

Millions of people use fitness apps and trackers to record their runs, workouts and diets — but there can be a privacy trade-off. Those who use fitness trackers, such as the 50,000 competitors who ran in April’s London Marathon, regularly upload personal details including their precise location and heart rate alongside their lap times.

Yet unbeknown to many users, data brokers could be buying this personal information from the fitness app companies, and then selling it on. Insurance companies, advertisers, and public bodies all have their uses for such information.

Incogni’s analysis of the biggest fitness apps in the UK by revenue found that the exercise tracker Fitbit, which can connect to smartwatches, is the most data-hungry app, collecting a total of 21 data points from its users.

Six out of 10 apps studied collect users’ photos, while five collect their exact current location (Fitbit, Strava, AllTrails, Runna, MyFitnessPal), meaning app developers know where their users train and possibly other places they visit regularly.

Not all of the apps that collect data sell it on, but the running coach app Runna, which collects 13 data points, shares all of them with third parties like data brokers. This includes users’ precise location, name and email addresses, photos, and health and fitness information.

In total three fitness apps — Runna, MyFitnessPal and AllTrails — share users’ location data with third parties.

Chart: User data points collected and shared by fitness apps

Five of the 10 apps (Fitbit, Strava, AllTrails, Calm and Calorie Counter) collect a vaguely defined, catch-all category of personal data called ‘other info’. The similarly ill-defined ‘other user-generated content’ is collected by nine out of 10 apps, with Headspace being the exception.

Incogni has published its findings in a report entitled ‘Exercising caution: how top fitness apps in the UK can compromise your privacy’.

Darius Belejevas, head of data protection service Incogni, comments:

“Apps that record and track exercise data can be a great motivational tool that millions of Brits use to get more out of their workouts, eat better, keep running or just keep active.

“But without realising it, many of us are giving away personal data that doesn’t just show how many calories we’ve eaten or steps we’ve walked, but also reveals the precise location where and when we took those steps.

“Sensitive, personal health and fitness information is highly valuable to data brokers because there are hundreds of interested parties — both legal and illegal — willing to pay for such information, including insurance companies and marketers.

“It is especially worrying that some apps collect ‘other info’ and ‘other user-generated content’ without specifying what these vague terms involve.

“Most people are shocked at just how much information data brokers hold about all of us — and the only effective way to avoid them profiting from your privacy is to use a data protection service to remove your information from each and every data broker’s lists.”

May 1, 2024Chris Price

Cookie	Duration	Description
cookielawinfo-checkbox-advertisement	1 year	Set by the GDPR Cookie Consent plugin, this cookie records the user consent for the cookies in the "Advertisement" category.
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
CookieLawInfoConsent	1 year	CookieYes sets this cookie to record the default button state of the corresponding category and the status of CCPA. It works only in coordination with the primary cookie.
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Cookie	Duration	Description
__atuvc	1 year 1 month 1 day	AddThis sets this cookie to ensure that the updated count is seen when one shares a page and returns to it before the share count cache is updated.
__atuvs	30 minutes	AddThis sets this cookie to ensure that the updated count is seen when one shares a page and returns to it before the share count cache is updated.

Cookie	Duration	Description
browser_id	5 years	This cookie is used for identifying the visitor browser on re-visit to the website.
CONSENT	2 years	YouTube sets this cookie via embedded YouTube videos and registers anonymous statistical data.
disqus_unique	1 year	Set to record internal statistics for anonymous visitors.
is_unique	1 year 1 month 4 days	StatCounter sets this cookie to determine whether a user is a first-time or a returning visitor and to estimate the accumulated unique visits per site.
sc_is_visitor_unique	1 year 1 month 4 days	StatCounter sets this cookie to determine whether a user is a first-time or a returning visitor.
uvc	1 year 1 month 1 day	addthis.com sets this cookie to determine the usage of addthis.com service.
_ga	1 year 1 month 4 days	Google Analytics sets this cookie to calculate visitor, session and campaign data and track site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognise unique visitors.
_gat_gtag_UA_*	1 minute	Google Analytics sets this cookie to store a unique user ID.
_ga_*	1 year 1 month 4 days	Google Analytics sets this cookie to store and count page views.
_gid	1 day	Google Analytics sets this cookie to store information on how visitors use a website while also creating an analytics report of the website's performance. Some of the collected data includes the number of visitors, their source, and the pages they visit anonymously.
__gads	1 year 24 days	Google sets this cookie under the DoubleClick domain, tracks the number of times users see an advert, measures the campaign's success, and calculates its revenue. This cookie can only be read from the domain they are currently on and will not track any data while they are browsing other sites.

Cookie	Duration	Description
IDE	1 year 24 days	Google DoubleClick IDE cookies store information about how the user uses the website to present them with relevant ads according to the user profile.
loc	1 year 1 month 1 day	AddThis sets this geolocation cookie to help understand the location of users who share the information.
scribd_ubtc	10 years	Scribd sets this cookie to gather data on user behaviour across several websites and maximise the relevancy of the advertisements on the website.
test_cookie	15 minutes	doubleclick.net sets this cookie to determine if the user's browser supports cookies.
VISITOR_INFO1_LIVE	5 months 27 days	YouTube sets this cookie to measure bandwidth, determining whether the user gets the new or old player interface.
YSC	session	Youtube sets this cookie to track the views of embedded videos on Youtube pages.
_ir	session	This is a Pinterest cookie that collects information on visitor behaviour on multiple websites. This information is used on the website, in order to optimize the relevance of advertisement.
__gpi	1 year 24 days	Google Ads Service uses this cookie to collect information about from multiple websites for retargeting ads.

Cookie	Duration	Description
wp_api	past	Description is currently not available.
wp_api_sec	past	Description is currently not available.
xtc	1 year 1 month 1 day	Description is currently not available.

Revealed: The UK health and fitness apps selling your personal data

The UK’s most popular health and fitness apps collect 14 personal data points about their users on average, with the exercise tracker Fitbit collecting the most information

Data harvesters who sell on your personal information can legally gather your location, photos, videos and health and fitness details from these apps

Running coach app Runna shares 13 data points with third parties, including users’ location, photos, and health and fitness information

Six out of 10 apps analysed collect users’ photos and five collect their precise current location

Data protection service Incogni warns consumers to be wary of what they share with apps which then pass on personal information to data brokers

Like this:

Related