Published on 30.07.18 in Vol 6, No 7 (2018): July
Preprints (earlier versions) of this paper are available at http://preprints.jmir.org/preprint/9871, first published Jan 17, 2018.
The Complexity of Mental Health App Privacy Policies: A Potential Barrier to Privacy
Background: In 2017, the Supreme Court of India ruled that privacy is a fundamental right of every citizen. Although mobile phone apps have the potential to help people with noncommunicable diseases, such as diabetes and mental illness, they often contain complex privacy policies, which consumers may not understand. This complexity may impede the ability of consumers to make decisions regarding privacy, a critical issue due to the stigma of mental illness.
Objective: Our objective is to determine whether mental health apps have more complex privacy policies than diabetes apps.
JMIR Mhealth Uhealth 2018;6(7):e158
The Supreme Court of India’s August 2017 ruling that privacy is a fundamental right of every citizen underscores the need for greater attention to privacy rights in all contexts of Indian society . Indians’ rights to privacy are only truly protected if Indians are able to make conscious decisions about their privacy-related decisions in all contexts, including while surrendering rights in the process of agreeing to privacy policies. The issue of privacy is especially important for mHealth apps, which are showing strong potential for addressing noncommunicable disease in developing nations such as India [ ]. Although more than 40% of Americans believe that mental illness is similar to physical illness, less than 20% of Indians agree with this sentiment [ ]. Due to this attitudinal difference, it is possible that there is a greater distinction between the privacy policies of apps for mental health versus physical health in India than in the United States.
Although privacy is an important issue for all users of mHealth apps, regardless of condition or location, in 2013, India lost more than 30 million disability-adjusted life years (DALYs) to mental, neurological, and substance abuse disorders—a 61% increase over the quantity in 1990. By comparison, all developed countries combined lost 50 million DALYs . Noncommunicable physical illnesses are also afflicting a substantial number of Indians. India has been named the diabetes capital of the world [ ]. It had a population of more than 72 million citizens with diabetes in 2017 and is projected to have 151 million citizens with diabetes in 2045 [ ]. Given the substantial and growing number of people experiencing mental illness and diabetes within India and the greater degree of stigma associated with mental illness in India than in the United States [ ], the potential for users of both physical and mental health apps to make informed privacy decisions is important to assess. The recent declaration of a fundamental right to privacy in India has amplified the importance of assessing the potential difficulty that users of Indian mHealth apps may have while attempting to preserve their privacy.
Study Design and Data Sources
This study examined the complexity of privacy policies found within Indian apps for issues related to diabetes and mental health. The study used a novel dataset composed of privacy policies extracted from apps found on the Google Play app store for the Android operating system between May and June 2017 by a researcher based in India. Institutional Review Board approval was unnecessary because the subject of the research was software rather than people.
Outcomes and Analyses
Apps were categorized according to whether they were interactive, noninteractive, or related to e-commerce, and then again categorized according to whether they were clinical, nonclinical, or related to e-commerce. (The same apps were placed in the e-commerce category under both categorizations.) Interactive apps were defined as apps that facilitate two-way discussions with a health expert (eg, doctors, therapists, nutritionists), apps which facilitate group chats, and apps with discussion forums. Apps involving interactions with supporting staff (eg, receptionists/customer care executives for online appointment booking) were categorized as noninteractive apps. A subset of the interactive apps was categorized as clinical if they involved interaction with a health expert; apps outside of the subset were categorized as nonclinical if they were not related to e-commerce.
Multiple metrics were used to evaluate the complexity of the app privacy policies: word count, sentences per paragraph, words per sentence, characters per word, average number of sentences per 100 words, average words with six or more characters, average number of sentences per 100 words, Flesch Reading Ease, Flesch-Kincaid Grade Level, Gunning Fog Score, SMOG Index, Coleman Liau Index, Automated Readability Index, Fry Grade Level, and Raygor Estimate Graph Grade Level. The mean, standard deviation, median, and interquartile range were calculated for each metric, separately for the diabetes and mental health apps. Metrics for diabetes apps and mental health apps were compared using t tests and Wilcoxon rank sum tests to assess for significant differences in mean and median, with P<.05 used as an indicator of significance. Chi-square tests were used to assess whether diabetes and mental health apps were similarly distributed between the interactive, noninteractive, and e-commerce categories, as well as between the clinical, nonclinical, and e-commerce categories, with P<.05 again used as an indicator of a significant association. All statistical analyses were conducted using STATA software version 13.
As is shown in, a total of 267 potential Indian diabetes apps were found by searching the Google Play store. Of these apps, only 41 (15.4%) were included after the various exclusions were applied (nearly half the apps were unrelated to health despite containing health-related keywords). A similar process, shown in , was applied to obtain the mental health app privacy policies. A total of 623 apps were returned by the initial searches of the Google Play store, but only 29 (4.7%) were included in the study after the exclusion criteria were applied. Of the total 70 apps included for analysis, eight apps (11%) were common for both diabetes and mental health.
There were some differences in the nature of diabetes apps versus mental health apps, as shown in in. The vast majority of mental health apps (85%, 23/27) were interactive, whereas only a slight majority (23/39, 59%) of diabetes apps were interactive, a significant difference (P=.04). Mental health apps were likewise more likely to be clinical (82%) than diabetes apps (61%), although the distribution of apps between the clinical, nonclinical, and e-commerce categories was not significantly associated with app type (P=.06).
|Readability metric||Diabetes apps (n=41)||Mental health apps (n=29)||P valuea|
|Mean (SD)||1874.5 (1447.9)||2420.5 (2101.7)||.20|
|Median (IQRb)||1520 (733-2278)||1783 (1117-3049)||.35|
|Sentences per paragraph|
|Mean (SD)||2.9 (1.9)||2.5 (1.0)||.29|
|Median (IQR)||2.6 (2.0-3.2)||2.2 (2.0-2.7)||.28|
|Words per sentence|
|Mean (SD)||23.4 (4.9)||22.8 (5.2)||.60|
|Median (IQR)||24.1 (21.4-26.9)||23.7 (20.6-25.2)||.40|
|Characters per word|
|Mean (SD)||5.1 (0.2)||5.0 (0.2)||.47|
|Median (IQR)||5.1 (5.0-5.2)||5.1 (5.0-5.1)||.54|
|Average number of sentences per 100 wordsc|
|Mean (SD)||5.9 (5.1)||4.8 (0.9)||.27|
|Median (IQR)||5 (4.2-5.8)||4.7 (4.2-5.3)||.34|
|Average words with ≥6 charactersd|
|Mean (SD)||19.8 (2.5)||19.4 (2.5)||.52|
|Median (IQR)||20 (18.0-22.0)||20 (17.5-21)||.62|
|Average number of sentences per 100 wordsd|
|Mean (SD)||5.1 (1.3)||4.8 (0.9)||.33|
|Median (IQR)||5.0 (4.2-5.8)||4.7 (4.2-5.3)||.52|
|Flesch Reading Ease|
|Mean (SD)||35.1 (8.8)||37.1 (8.6)||.36|
|Median (IQR)||36.5 (28.3-38.2)||37.3 (31.3-42.5)||.41|
|Flesch-Kincaid Grade Level|
|Mean (SD)||13.9 (2.3)||13.6 (2.4)||.50|
|Median (IQR)||14 (12.7-15.1)||14 (12.4-15.0)||.51|
|Gunning Fog Score|
|Mean (SD)||15.2 (2.2)||15.4 (1.8)||.72|
|Median (IQR)||15.0 (13.9-16.8)||15.3 (14.7-16.1)||.55|
|Mean (SD)||12.1 (1.7)||12.1 (1.3)||.90|
|Median (IQR)||11.9 (10.7-13.1)||12.2 (11.7-12.5)||.66|
|Coleman Liau Index|
|Mean (SD)||14.2 (0.8)||13.9 (0.9)||.18|
|Median (IQR)||14.5 (13.6-14.7)||14.2 (13.1-14.6)||.17|
|Automated Readability Index|
|Mean (SD)||13.4 (2.8)||13.5 (2.2)||.86|
|Median (IQR)||13.3 (11.5-14.9)||13.3 (12.8-14.6)||.85|
|Fry Grade Level|
|Mean (SD)||11.6 (3.1)||12.4 (1.5)||.20|
|Median (IQR)||12,0 (11.0-14.0)||13.0 (12.0-14.0)||.36|
|Raygor Estimate Graph Grade Level|
|Mean (SD)||6.9 (1.1)||7.4 (2.2)||.25|
|Median (IQR)||7.0 (6.0-8.0)||7.0 (7.0-8.0)||.70|
aP values are from using t tests of significance for the means and Wilcoxon rank sum tests for the medians.
bIQR: interquartile range.
cFry word statistics.
dRaygor estimate word statistics.
|Strata||Diabetes apps, n (%)||Mental health apps, n (%)||P valuea|
|Interactive||23 (59.0)||23 (85.2)|
|Noninteractive||6 (15.4)||3 (11.1)|
|E-commerce||10 (25.6)||1 (3.7)|
|Clinical||25 (61.0)||23 (82.1)|
|Nonclinical||6 (14.6)||4 (14.3)|
|E-commerce||10 (24.4)||1 (3.6)|
aP values are from chi-square tests of significance.
Although readability measures could be applied to any English-language privacy policies, there are a number of factors that make India a robust country to study. Because India is home to the world’s second-largest population of English speakers (after the United States) , the world’s second-largest base of mobile phone users (after China) [ ], and legally enforces privacy rights [ ], it has a well-developed market for English-based mHealth apps containing privacy policies. Given that the 2011 Census found that only 6% of the Indian population has a college education [ ], whereas 30% of United States adults have a college education [ ], the impact of privacy policies written at a college level is even more acute in India than in the United States. Furthermore, there is a great need for mHealth apps in India due to limited access to care in some parts of the country [ ].
Many other materials presented to the Indian public online are not this complex. Prior researchers have measured the Flesch-Kincaid Grade Level of a number of different websites administered by the Indian government and found their grade levels to be more moderate. For instance, the website of the Indian Air Force was written at an 8.4 grade level, whereas the website of the High Court of Bombay was written at a 6.6 grade level . Although government-oriented websites may be inherently less complex than privacy policies, they do demonstrate that it is possible to convey information to the masses in a simple format.
Privacy policies do not need to be incomprehensible. Complex concepts can be explained graphically to make them more accessible to people with limited reading comprehension. For instance, Creative Commons has created a standardized set of logos that indicate the rights that the authors of media have reserved . These logos can be understood at a glance by people informed of their meaning. A similar approach could be applied to privacy policies if a standardized set of policies, with associated logos, were created.
Furthermore, standardized licenses like the GNU General Public License enable users to avoid the hassle of re-reading a long document each time they agree to use software by providing consistency across licenses . Although users with lower levels of reading comprehension may not be able to understand standardized licenses, they too can benefit because more educated users have thoroughly vetted the policies to ensure that they are fair. When nonstandard policies are used, the likelihood of them being read by anyone (regardless of ability) is lower than when standardized policies are used. Furthermore, abstract concepts, such as deidentification and anonymization, can be explained with graphical representations so that they may be more widely understood. Finally, outreach efforts to help educate and explain the risk and benefits of digital technologies such as apps may be necessary to ensure individuals are equipped to make informed decisions regarding use. Already, online resources for digital technology ethics and privacy are emerging, such as the free-to-access and use Connected and Open Research Ethics Initiative [ ].
The results of this study reflect two categories of health apps, from one country, from one app store, examined at one period in time. It is possible that the findings from this study are not generalizable to other types of apps, to other app stores (eg, the iTunes App Store), or to apps that are not of Indian origin. It is also possible that the privacy policies of apps may evolve over time. Furthermore, although apps addressing a broad selection of mental illnesses were analyzed, only apps addressing a single physical illness (diabetes) was analyzed. It was necessary to analyze apps addressing multiple mental illnesses rather than a single mental illness due to the relative paucity of apps addressing each illness. Even after this accommodation, the sample of apps related to mental health was substantially smaller than the sample of diabetes apps. The findings of this study may have been impacted by the set of keywords used during the app sample selection process. The 2017 actions of the Indian Supreme Court , which occurred after the data collection for this study was complete, may cause India-based app developers to evaluate whether their privacy policies remain consistent with the needs of Indian users and with Indian law.
The authors acknowledge financial and administrative support provided by the Max Institute of Healthcare Management at the Indian School of Business. JT is supported by the Myrtlewood Foundation and a T15 Training Grant (4T15LM007092-25) from the National Library of Medicine. No organization or individual other than the authors determined the subject or content of the research, or had oversight over whether results were published.
Conflicts of Interest
AP reports employment at Payer+Provider Syndicate, scientific/medical advisory board member with the Mary Christie Foundation and PsyberGuide, and stock ownership of Payer+Provider Syndicate, Select Medical Holdings, Team Health Holdings, AmSurg Corp, Centene Corp, CVS Health Corp, Community Health Systems, HCA Holdings, Inc, Quorum Health Corporation, and Tenet Healthcare Corp. PS and JT have nothing to disclose. None of the authors have a direct conflict of interest with the study.
- AP News. 2017 Aug 25. India’s Supreme Court rules privacy is a fundamental right URL: https://apnews.com/12c1222843d24573a74388c3f68d1f69 [accessed 2018-05-04] [WebCite Cache]
- Peiris D, Praveen D, Johnson C, Mogulluru K. Use of mHealth systems and tools for non-communicable diseases in low- and middle-income countries: a systematic review. J Cardiovasc Transl Res 2014 Nov;7(8):677-691. [CrossRef] [Medline]
- Seeman N, Tang S, Brown A, Ing A. World survey of mental illness stigma. J Affect Disord 2016 Jan 15;190:115-121. [CrossRef] [Medline]
- Charlson FJ, Baxter AJ, Cheng HG, Shidhaye R, Whiteford HA. The burden of mental, neurological, and substance use disorders in China and India: a systematic analysis of community representative epidemiological studies. Lancet 2016 Jul 23;388(10042):376-389. [CrossRef] [Medline]
- Malik R. Times of India. 2016 Jan 28. India is the diabetes capital of the world! URL: https://timesofindia.indiatimes.com/life-style/health-fitness/health-news/India-is-the-diabetes-capital-of-the-world/articleshow/50753461.cms [accessed 2018-05-04] [WebCite Cache]
- International Diabetes Foundation. 2018. IDF SEA Region URL: https://www.idf.org/our-network/regions-members/south-east-asia/members/94-india.html [accessed 2018-05-04] [WebCite Cache]
- Blenner SR, Köllmer M, Rouse AJ, Daneshvar N, Williams C, Andrews LB. Privacy policies of android diabetes apps and sharing of health information. JAMA 2016 Mar 08;315(10):1051-1052. [CrossRef] [Medline]
- Rosenfeld L, Torous J, Vahia I. Data security and privacy in apps for dementia: an analysis of existing privacy policies. Am J Geriatr Psychiatry 2017 Aug;25(8):873-877. [CrossRef] [Medline]
- Glenn T, Monteith S. Privacy in the digital world: medical and health data outside of HIPAA protections. Curr Psychiatry Rep 2014 Nov;16(11):494. [CrossRef] [Medline]
- DeSalvo KB, Samuels J. Health IT Buzz. 2017 Jul 19. Examining oversight of the privacy & security of health data collected by entities not regulated by HIPAA URL: https://www.healthit.gov/buzz-blog/privacy-and-security-of-ehrs/examining-oversight-privacy-security-health-data-collected-entities-not-regulated-hipaa/ [accessed 2018-05-04] [WebCite Cache]
- Granville K. The New York Times. 2018 Mar 19. Facebook and Cambridge Analytica: what you need to know as fallout widens URL: https://www.nytimes.com/2018/03/19/technology/facebook-cambridge-analytica-explained.html [accessed 2018-05-03] [WebCite Cache]
- Marvel CL, Paradiso S. Cognitive and neurological impairment in mood disorders. Psychiatr Clin North Am 2004 Mar;27(1):19-36, vii [FREE Full text] [CrossRef] [Medline]
- Trivedi J. Cognitive deficits in psychiatric disorders: current status. Indian J Psychiatry 2006 Jan;48(1):10-20 [FREE Full text] [CrossRef] [Medline]
- Seeman N, Tang S, Brown AD, Ing A. World survey of mental illness stigma. J Affect Disord 2016 Jan 15;190:115-121. [CrossRef] [Medline]
- Sunyaev A, Dehling T, Taylor PL, Mandl KD. Availability and quality of mobile health app privacy policies. J Am Med Inform Assoc 2015 Apr;22(e1):e28-e33. [CrossRef] [Medline]
- Reidenberg J, Breaux T, Cranor L, French B. Disagreeable privacy policies: mismatches between meaning and users’ understanding. Berkeley Tech LJ 2015;30(1):39. [CrossRef]
- Mcdonald AM, Reeder RW, Kelley PG, Cranor LF. A comparative study of online privacy policies and formats. 2019 Aug 05 Presented at: International Symposium on Privacy Enhancing Technologies Symposium; Aug 5, 2009; Berlin p. 37-55. [CrossRef]
- Graber MA, D'Alessandro DM, Johnson-West J. Reading level of privacy policies on Internet health Web sites. J Fam Pract 2002 Jul;51(7):642-645. [Medline]
- Ermakova T, Fabian B, Babina E. Readability of privacy policies of healthcare websites. 2015 Presented at: 12th International Conference on Wirtschaftsinformatik; Mar 4-5, 2015; Osnabrück, Germany p. 1085-1099.
- Sheehan K. In poor health: an assessment of privacy policies at direct-to-consumer web sites. J Public Policy Mark 2005 Sep 01;24(2):1. [CrossRef]
- Singh R, Sumeeth M, Miller J. Evaluating the readability of privacy policies in mobile environments. In: Lumsden J, editor. Developments in Technologies for Human-Centric Mobile Computing and Applications. Hershey, PA: IGI Global; 2012:56-78.
- Bellman S, Johnson E, Kobrin S, Lohse G. International differences in information privacy concerns: a global survey of consumers. The Information Society 2004 Nov;20(5):313-324. [CrossRef]
- Wikipedia. 2018. List of countries by English-speaking population URL: https://en.wikipedia.org/wiki/List_of_countries_by_English-speaking_population [accessed 2018-05-04] [WebCite Cache]
- Wikipedia. 2018. List of countries by smartphone penetration URL: https://en.wikipedia.org/wiki/List_of_countries_by_smartphone_penetration [accessed 2018-05-04] [WebCite Cache]
- Office of the Registrar General & Census Commissioner, India. 2017. Census of India URL: http://www.censusindia.gov.in/2011census/C-series/C08.html [accessed 2018-05-04] [WebCite Cache]
- United States Census Bureau. 2017. American FactFinder URL: https://factfinder.census.gov/faces/tableservices/jsf/pages/productview.xhtml?pid=ACS_15_5YR_S1501&src=pt [accessed 2017-09-24] [WebCite Cache]
- Deogaonkar M. Socio-economic inequality and its effect on healthcare delivery in India: inequality and healthcare. Electron J Sociol 2004;11:e1.
- Pew Research Center: Global Attitudes & Trends. 2017. Spring 2016 Survey Data URL: http://www.pewglobal.org/datasets/ [accessed 2018-05-04] [WebCite Cache]
- The Changing Mobile Broadband Landscape: Understanding the Diverse Behavior and Needs of Smartphone Mobile Internet Users in Urban India. Stockholm: Ericsson ConsumerLab; 2015 Apr. URL: https://www.ericsson.com/assets/local/news/2015/4/ericsson-consumerlab-the-changing-mobile-broadband-landscape-india.pdf [accessed 2017-10-23] [WebCite Cache]
- Ismail A, Kuppusamy K, Kumar A, Ojha P. Connect the dots: accessibility, readability and site ranking – An investigation with reference to top ranked websites of Government of India. J King Saud U Comp Inform Sci 2017 May 22:A [FREE Full text] [CrossRef]
- Jones R. Gizmodo. 2017 Jul 16. 22,000 People agree to clean toilets for WiFi because they didn't read the terms URL: https://gizmodo.com/22-000-people-agree-to-clean-toilets-for-wifi-because-t-1796959482 [accessed 2018-05-04] [WebCite Cache]
- Creative Commons. 2017. Licenses and examples URL: https://creativecommons.org/share-your-work/licensing-types-examples/licensing-examples/ [accessed 2018-05-04] [WebCite Cache]
- GNU Operating System. 2017. Frequently asked questions about the GNU licenses URL: http://www.gnu.org/licenses/gpl-faq.html [accessed 2018-05-04] [WebCite Cache]
- CORE. 2017. Connected and Open Research Ethics URL: https://thecore.ucsd.edu/ [accessed 2018-05-04] [WebCite Cache]
|DALY: disability-adjusted life years|
Edited by G Eysenbach; submitted 17.01.18; peer-reviewed by E Lewis, L Hassan; comments to author 20.03.18; revised version received 04.05.18; accepted 08.05.18; published 30.07.18
©Adam Powell, Preeti Singh, John Torous. Originally published in JMIR Mhealth and Uhealth (http://mhealth.jmir.org), 30.07.2018.
This is an open-access article distributed under the terms of the Creative Commons Attribution License (https://creativecommons.org/licenses/by/4.0/), which permits unrestricted use, distribution, and reproduction in any medium, provided the original work, first published in JMIR mhealth and uhealth, is properly cited. The complete bibliographic information, a link to the original publication on http://mhealth.jmir.org/, as well as this copyright and license information must be included.