EN

|

DE
This is some text inside of a div block.

The biggest data octopuses in the App Store

heyData analyzed over 100 popular applications from the German Apple App Store

Since the launch of the iPhone in 2007, we have witnessed the rapid spread of smartphones first hand. Since 2009, the number of smartphone owners has increased tenfold from 6,3 million to 62,6 million in 2021 (Statista). For almost every one of us, mobile applications - apps - have become an essential part of everyday life. On average, we spend almost four hours a day with and on the devices (FAZ). From banking to transportation to grocery shopping and mental health care, there are now apps for just about everything. More than two million apps are available for download in Apple's App Store alone. More than 90 percent are free. This raises the question, how do the developers of these apps make their money?

A recent study of the Google Play Store has already revealed that some of the most popular free apps for their use Request access to sometimes more than 70 private data points. Thanks to the GDPR, prior user consent is required, but once access is granted, the apps can use our personal data to their advantage. For example, by selling it to other advertisers.

In our latest analysis, we took a look inside Apple's App Store and examined more than 120 of the most popular iPhone apps in Germany. We wanted to find out which applications are particularly interested in our data in order to:

  • Sell ​​to third party advertisers and advertisers
  • use for your own marketing
  • use it to track us on other apps and websites

These apps diligently sell user data to third parties

The meta apps Messenger, Facebook and Instagram monetize a lot of our “donated” data. Of a total of 32 access requests that each of the three apps makes before use, a majority of 75 percent are used for third-party advertising purposes. Close behind is another US platform giant, LinkedIn, followed by the news app of the Frankfurter Allgemeine Zeitung. 79 percent of the access requests for the FAZ app are used to sell the data to third parties for advertising purposes.

These apps always know where we are

A request to access our site is not automatically negative. For transport and delivery apps, such as Uber or Lieferando, the request to fulfill the service is essential. For other applications, knowledge of the exact location seems irrelevant to the function. That raises questions. Some apps even use tracking to monitor our activity across apps on other apps and websites. Duolingo tops the list: the language learning app makes 19 access requests, 68 percent of which are used for tracking, some of which go beyond the app.

These apps use data for their own advertising purposes

Businesses also generate revenue from free-to-use apps by using them as a venue for their own marketing activities. The meta apps Messenger, Facebook and Instagram also lead the list in this area. 75 percent of their access requests relate to tracking for internal advertising purposes. The mobility platform Circ uses almost 92 percent of its access requests for its own marketing. Among the dating apps, LOVOO is the app that uses our personal data most often for its own advertising.

The most data-hungry dating apps

Overall, LOVOO is the most data-hungry dating app with 25 private data points used for either tracking, third-party advertising, or internal marketing purposes. At the other end of the spectrum are eDarling, LoveScout24 and also Tinder, which are less data hungry. This makes them well-suited for those who are looking for love without selling their privacy.

Monetization of health: The data octopuses among mental health apps

According to the WHO, depression was diagnosed about 25 percent more frequently in the first year of the pandemic. This has led to a slew of new apps that aim to help people improve their mental health. An uncomfortable fact is that some mental health apps, like MindDoc, indicate on the App Store that they may sell our personal information to third party advertisers. On the plus side, no other mental health app on our list does the same. Health data is some of the most sensitive data that people can share.

The biggest data octopuses among messenger services

Messenger services and chats are among the most used smartphone apps worldwide. Since their inception, the importance of privacy in these apps has been a hot topic. Some services have even made it their mission to offer the highest level of privacy protection and have become known for it. This includes, for example, the app Signal, which does not ask for any personal data. In contrast, other services, such as Meta's messenger and Snapchat, still use private data for tracking and advertising purposes.

Social Media: Share photos and private data

Social networks like Facebook and Instagram are extremely successful at monetizing our personal information. Because they collect so much information about us (a total of 54 personal data points each), these platforms have become giant marketing machines. The rich user details that operators of these social networks capture and cleverly market generate billions in revenue. In contrast, Discord, Reddit, and Quora consider themselves social networks. The apps from these providers are far less intrusive when it comes to tracking or selling personal information.

The full list of results for all 126 apps analyzed from the Apple App Store can be found here here.

This is how the analysis was done

First, 126 popular and free apps for the iOS operating system were researched (as of June 2022). As part of a major data protection offensive by Apple, every app developer or provider is obliged to provide information about the following data protection information: 

  • Number of permission requests made to access our personal information (for example, to access our purchase or search history) 
  • Information about what data is used for tracking purposes
  • Information about which data is used for advertising purposes by third parties 
  • Information about what data is used for advertising or marketing by the app developer itself

All of the above points were analyzed for all selected apps. Finally, the apps were ranked (highest to lowest) based on the extent to which our personal data was used for tracking, third-party advertising, and developer marketing or advertising.

Get data protection fit with us!

Request a quote now

No customer hotline. customer inquiries only
per
support@heydata.eu

Europe In The Data Protection Ranking

With the adoption of the General Data Protection Regulation (GDPR) in May 2018, the European Union set a milestone in the history of data protection that has received great international recognition. With the aim of achieving a common high level of data protection, rules for the protection of personal information have been standardized for the entire European Union for the first time. In a growing digitized world, in which theoretically every activity can be tracked and personal data generates high financial profits, the possibilities of individuals to control their personal information are limited. At this point, the regulation has created a dense network of rights and obligations that give consumers power and control over their data back.

heyData knows data protection from its daily work with companies. Therefore, three years after the introduction of the GDPR, we wanted to use this study to find out how close the European countries have come when it comes to the level of data protection and to discover which points still need improvement. To do this, we examined the majority of the EU member states, Norway, which also implemented the EU GDPR, and the United Kingdom, in which the regulation was in effect until Brexit.

The study focuses on five overarching categories, which we have evaluated in 24 sub-points using data and statistics from well-known sources, such as the European Commission or the Organization for Economic Cooperation and Development. A comparison of the EU countries was made possible by a simple mathematical point system. The result is the following data protection ranking, which shows the nations with the actually highest data protection level - Ireland, Germany and the Netherlands - at the top.

Europe In Comparison

Enforcement of Laws

Data Protection Violations

% Increase in Data Protection Violations During Pandemic

Fines (€)

About

Data Protection Strategy

Privacy Team

Compulsory Voluntary Training

Further Training

Data Loss

Data Leak

Insurance Cover

Individual Data Protection

Smartphone Malware

Computer Malware

Payment Fraud

Phishing

Data Protection Competence

Advertising

Browser

Cookies

Tracking

Social Media

Apps

Cloud

Social Mood About Data Protection

Fear of Data Abuse

Authority Over Data

Overall Winners in the Data Protection Ranking

Position
Country
Final
Evaluation
Enforcement
Of Laws
About
Individual Data Protection
Privacy-
Expertise
Social
Mood
1
Ireland
100,0
80,6
85,1
100,0
43,9
100,0
2
Germany
80,3
74,6
60,9
81,9
70,9
66,7
3
Netherlands
73,6
88,8
50,9
50,0
95,6
51,3
4
United Kingdom
64,8
52,1
100,0
9,2
58,4
92,3
5
Denmark
59,5
73,1
98,3
0,0
82,3
43,6
6
Finland
58,9
38,9
51,0
64,8
100,0
41,0
7
Belgium
44,3
5,3
51,7
72,1
46,6
79,5
8
Sweden
41,2
100,0
65,3
9,2
72,1
0,0
9
Italy
38,5
79,0
73,2
33,4
0,0
53,8
10
Austria
37,3
2,2
38,7
85,0
68,8
41,0
11
France
31,0
54,5
38,5
12,9
40,7
71,8
12
Latvia
27,8
2,1
63,1
64,2
13,5
66,7
13
Luxembourg
27,4
27,4
35,9
9,8
58,4
76,9
14
Poland
23,0
7,9
35,1
69,9
21,9
61,5
15
Spain
18,6
18,7
55,2
4,6
54,2
51,3
16
Estonia
17,3
0,9
47,3
88,1
41,8
2,6
17
Greece
16,1
1,2
21,8
93,1
7,3
53,8
18
Slovenia
15,7
32,1
30,9
50,6
26,4
35,9
19
Norway
12,9
26,2
45,5
4,2
64,2
28,2
20
Lithuania
0,8
0,0
29,9
76,2
13,3
15,4
21
Hungary
0,0
6,1
0,0
9,0
45,7
71,8

Enforcement of Laws

Position
Country
Category Evaluation
Data Protection Violations
Points
% Increase in Data Protection Violations During Pandemic
%
Points
Fines (€)
Points
1
Sweden
100
119
30,4
1,6 % water content
71,7
111,352 €
95,8
2
Netherlands
89
382
100,0
2,4 % OFF
75,6
14,591
12,6
3
Ireland
81
345
90,2
1,5 % OFF
74,7
14,402
12,4
4
Italy
79
6
0,6
23,4 % water content
50,8
116,242
100,0
5
Germany
75
93
23,8
76,2 % water content
0,0
83,068
71,5
6
Denmark
73
325
85,0
36,2 % water content
38,5
9,811
8,4
7
France
55
8
1,2
10,6 % OFF
83,4
80,862
69,6
8
United Kingdom
52
46
11,1
27,9 % OFF
100,0
65,976
56,8
9
Finland
39
187
48,6
1,6 % water content
71,7
3,755
3,2
10
Slovenia
32
168
43,5
52,3 % water content
23,0
0
0,0
11
Luxembourg
27
147
37,9
8,7 % water content
64,9
0
0,0
12
Norway
26
91
23,1
3,5 % water content
69,9
15,432
13,3
13
Spain
19
7
0,9
54,7 % water content
20,7
30,613
26,3
14
Poland
8
42
10,3
63,6 % water content
12,1
4,494
3,9
15
Hungary
6
16
3,3
72,4 % water content
3,6
10,031
8,6
16
Belgium
5
22
4,8
26,0 % water content
48,3
7,251
6,2
17
Austria
2
28
6,5
18,3 % OFF
90,8
797
0,7
18
Latvia
2
14
2,9
13,7 % OFF
86,4
4,869
4,2
19
Greece
1
3
0,0
14,2 % OFF
86,9
6,951
6,0
20
Estonia
1
25
5,6
14,0 % water content
59,7
31
0,0
21
Lithuania
0
11
2,0
62,7 % water content
13,0
2,89
2,5

About

Position
Country
Category Evaluation
Data Protection Strategy
%
Points
Data Protection Team
%
Points
Continuing Education Voluntary
%
Points
Compulsory Training
%
Points
Data Loss
%
Points
Data Leak
%
Points
Insurance Cover
%
Points
1
United Kingdom
100
40
%
93,8
45,0
%
0,0
60,0
%
100,0
37
%
84,4
2
%
100,0
1
%
100,0
46
%
80,8
2
Denmark
98
42
%
100,0
69,0
%
75,0
52,0
%
77,8
35
%
78,1
4
%
71,4
2
%
50,0
56
%
100,0
3
Ireland
85
42
%
100,0
61,0
%
50,0
59,0
%
97,2
35
%
78,1
5
%
57,1
2
%
50,0
39
%
67,3
4
Italy
73
28
%
56,3
66,0
%
65,6
47,0
%
63,9
35
%
78,1
4
%
71,4
1
%
100,0
13
%
17,3
5
Sweden
65
39
%
90,6
59,0
%
43,8
44,0
%
55,6
26
%
50,0
8
%
14,3
1
%
100,0
39
%
67,3
6
Latvia
63
25
%
46,9
74,0
%
90,6
60,0
%
100,0
20
%
31,3
7
%
28,6
1
%
100,0
12
%
15,4
7
Germany
61
27
%
53,1
68,0
%
71,9
49,0
%
69,4
17
%
21,9
5
%
57,1
1
%
100,0
20
%
30,8
8
Spain
55
25
%
46,9
67,0
%
68,8
41,0
%
47,2
21
%
34,4
7
%
28,6
1
%
100,0
33
%
55,8
9
Belgium
52
27
%
53,1
77,0
%
100,0
42,0
%
50,0
20
%
31,3
6
%
42,9
2
%
50,0
25
%
40,4
10
Finland
51
35
%
78,1
62,0
%
53,1
54,0
%
83,3
25
%
46,9
5
%
57,1
3
%
0,0
28
%
46,2
11
Netherlands
51
32
%
68,8
74,0
%
90,6
35,0
%
30,6
18
%
25,0
5
%
57,1
2
%
50,0
26
%
42,3
12
Estonia
47
18
%
25,0
54,0
%
28,1
44,0
%
55,6
42
%
100,0
3
%
85,7
2
%
50,0
7
%
5,8
13
Norway
46
22
%
37,5
52,0
%
21,9
41,0
%
47,2
29
%
59,4
4
%
71,4
2
%
50,0
33
%
55,8
14
Austria
39
28
%
56,3
60,0
%
46,9
39,0
%
41,7
22
%
37,5
5
%
57,1
2
%
50,0
18
%
26,9
15
France
39
18
%
25,0
67,0
%
68,8
36,0
%
33,3
19
%
28,1
6
%
42,9
2
%
50,0
39
%
67,3
16
Luxembourg
36
22
%
37,5
63,0
%
56,3
39,0
%
41,7
21
%
34,4
6
%
42,9
2
%
50,0
26
%
42,3
17
Poland
35
18
%
25,0
69,0
%
75,0
26,0
%
5,6
32
%
68,8
8
%
14,3
1
%
100,0
11
%
13,5
18
Slovenia
31
26
%
50,0
61,0
%
50,0
44,0
%
55,6
15
%
15,6
8
%
143
1
%
100,0
4
%
0,0
19
Lithuania
30
22
%
37,5
64,0
%
59,4
42,0
%
50,0
21
%
34,4
9
%
0,0
1
%
100,0
4
%
0,0
20
Greece
22
10
%
0,0
57,0
%
37,5
24,0
%
0,0
10
%
0,0
4
%
71,4
1
%
100,0
25
%
40,4
21
Hungary
0
13
%
9,4
45,0
%
0,0
33,0
%
25,0
10
%
0,0
7
%
28,6
1
%
100,0
4
%
0,0

Individual Data Protection

Position
Country
Category Evaluation
Smartphone Malware
%
Points
Computer Malware
%
Points
Payment Fraud
%
Points
Phishing
Points
1
Ireland
100
2
%
85,7
1,6
%
88,8
0,1
%
100,0
0,93
%
68,9
2
Greece
93
4
%
57,1
2,4
%
79,8
0,6
%
93,0
0,5
%
84,7
3
Estonia
88
1
%
100,0
2,7
%
76,0
1,3
%
82,5
0,7
%
76,7
4
Austria
85
3
%
71,4
0,6
%
100,0
2,1
%
72,6
0,4
%
91,9
5
Germany
82
3
%
71,4
1,1
%
94,4
1,0
%
87,6
0,63
%
81,4
6
Lithuania
76
3
%
71,4
0,6
%
99,9
0,3
%
96,5
0,2
%
98,5
7
Belgium
72
4
%
57,1
1,2
%
93,0
1,9
%
74,2
1,0
%
68,0
8
Poland
70
4
%
57,1
0,7
%
99,1
0,4
%
95,6
0,2
%
100,0
9
Finland
65
3
%
71,4
2 ,, 4
%
79,8
1,7
%
77,6
0,9
%
68,8
10
Latvia
64
4
%
57,1
0,7
%
98,7
1,0
%
87,4
0,3
%
95,8
11
Slovenia
51
4
%
57,1
1,3
%
92,1
1,9
%
74,9
0,6
%
84,3
12
Netherlands
50
3
%
71,4
1,5
%
90,2
2,2
%
71,0
0,80
%
74,4
13
Italy
33
5
%
42,9
1,8
%
86,8
1,9
%
75,0
1,0
%
64,7
14
France
13
5
%
42,
2,8
%
74,8
5,4
%
26,4
1,5
%
45,9
15
Luxembourg
10
5
%
42,9
5,4
%
45,4
3,1
%
58,4
0,9
%
69,4
16
United Kingdom
9
1
%
100,0
2,0
%
84,2
7,3
%
0,0
1,9
%
30,6
17
Sweden
9
3
%
71,4
2,3
%
81,0
3,3
%
55,8
2,5
%
6,5
18
Hungary
9
7
%
14,3
9,3
%
0,0
4,9
%
33,7
0,4
%
89,4
19
Spain
5
8
%
0,0
2,4
%
79,2
3,1
%
58,0
1,0
%
67,3
20
Norway
4
4
%
57,1
2,1
%
83,5
4,4
%
40,8
2,1
%
21,9
21
Denmark
0
4
%
57,1
1,8
%
86,5
5,6
%
23,2
2,6
%
0,0

Data Protection Competence

Position
Country
Category Evaluation
Advertising
%
Points
Browser
%
Points
Cookies
%
Points
Tracking
%
Points
Social Media
%
Points
Apps
%
Points
Smartphone
Points
Cloud
%
Points
1
Finland
100
69,7
%
94,2
41,5
%
91,2
50,1
%
100,0
22,2
%
37,1
56,7
%
87,3
67
%
97,5
22
100,0
50
%
55,3
2
Netherlands
96
72,6
%
100,0
41,4
%
90,9
46,8
%
89,7
29,7
%
54,2
62,7
%
100,0
64
%
90,0
14
52,9
51
%
57,9
3
Denmark
82
63,5
%
81,9
44,2
%
100,0
32,6
%
45,3
25,7
%
45,1
48,8
%
70,6
61
%
82,5
11
35,3
65
%
94,7
4
Sweden
72
43,6
%
42,6
41,5
%
91,1
29,3
%
35,1
26,0
%
45,7
40,
4%
52,6
68
%
100,0
10
29,4
66
%
97,4
5
Germany
71
62,8
%
80,5
30,7
%
55,5
49,1
%
97,1
18,2
%
28,0
40,1
%
52,0
65
%
92,5
17
70,6
33
%
10,5
6
Austria
69
60,3
%
75,6
42,2
%
93,4
36,9
%
59,0
12,1
%
14,0
53,8
%
81,1
53
%
62,5
16
64,7
38
%
23,7
7
Norway
64
47,0
%
49,3
38,8
%
82,2
27,3
%
28,8
24,5
%
42,3
36,8
%
45,1
67
%
97.5
10
29,4
56
%
71,1
8
United Kingdom
58
55,2
%
65,4
28,9
%
49,4
33,7
%
48,8
27,4
%
48,8
45,3
%
63,1
44
%
40,0
10
29,4
54
%
65,8
9
Luxembourg
58
38,4
%
32,2
36,0
%
73,1
40,4
%
69,7
20,3
%
32,7
29,6
%
29,8
63
%
87,5
12
41,2
46
%
44,7
10
Spain
54
62,2
%
79,5
18,3
%
14,4
28,9
%
33,9
13,9
18,2
53,8
%
81,1
57
%
72,5
12
41., 2
46
%
44,7
11
Belgium
47
40,9
%
37,1
15,1
%
3,8
31,4
%
41,5
49,9
%
100,0
27,8
%
25,9
50
%
55,0
9
23,5
49
%
52,6
12
Hungary
46
40,2
%
35,8
25,6
%
38,4
27,2
%
28,4
17,5
%
26,3
35,6
%
42,5
46
%
45,0
8
17,6
67
%
100,0
13
Ireland
44
50,4
%
56,0
15,3
%
4,5
29,6
%
35,9
9,9
%
9,1
42,7
%
57,7
51
%
57,5
13
47,1
50
%
55,3
14
Estonia
42
35,8
%
27,1
25,4
%
38,0
34,5
%
51,3
20,5
%
33,1
27,4
%
25,1
50
%
55,0
12
41,2
44
%
39,5
15
France
41
43,8
%
43,0
25,7
%
38,9
32,8
%
46,1
19,3
%
30,5
34,6
%
40,3
53
%
62,5
10
29,4
34
%
13,2
16
Slovenia
26
34,8
%
25,2
22,7
%
29,0
23,3
%
16,4
18,1
%
27,6
24,9
%
19,8
49
%
52,5
8
17,6
40
%
28,9
17
Poland
22
36,2
%
27,9
15,4
%
4,9
26,3
%
25,8
19,5
%
30,9
30,5
%
31,7
46
%
45,0
9
23,5
29
%
0,0
18
Latvia
14
32,0
%
19,5
15,1
%
3,6
23,6
%
17,3
10,6
%
10,6
31,2
%
33,1
40
%
30,0
7
11,8
34
%
13,2
19
Lithuania
13
32,8
%
21,2
21,0
%
23,3
19,9
%
5,8
13,8
%
18,0
27,7
%
25,8
33
%
12,5
5
0,0
41
%
31,6
20
Greece
7
28,6
%
12,8
14,0
%
0,0
23,3
%
16,4
14,3
%
19,0
24,4
%
18,8
33
%
12,5
7
11,8
33
%
10., 5
21
Italy
0
22,1
%
0,0
27,3
%
%
44,3
18,1
%
0,0
5,9
%
0,0
15,6
%
0,0
28
%
0,0
5
0,0
34
%
13,2

Social Mood About Data Protection

Position
Country
Category Evaluation
Fear of Data Abuse
%
Points
Authority Over Data
%
Points
1
Ireland
100
83
%
100,0
26,0
%
65,5
2
United Kingdom
92
80
%
92,3
26,0
%
65,5
3
Belgium
80
75
%
79,5
33,0
%
41,4
4
Luxembourg
77
74
%
76,9
26,0
%
65,5
5
France
72
72
%
71,8
34,0
%
37,9
6
Hungary
72
72
%
71,8
26,0
%
65,5
7
Germany
67
70
%
66,7
45,0
%
0,0
8
Latvia
67
70
%
66,7
31,0
%
48,3
9
Poland
62
68
%
61,5
21,0
%
82,8
10
Italy
54
65
%
53,8
23,0
%
75,9
11
Greece
54
65
%
53,8
22,0
%
79,3
12
Netherlands
51
64
%
51,3
30,0
%
51,7
13
Spain
51
64
%
51,3
36,0
%
31,0
14
Denmark
44
61
%
43,6
26,0
%
65,5
15
Finland
41
60
%
41,0
16,0
%
100,0
16
Austria
41
60
%
41,0
31,0
%
48,3
17
Slovenia
36
58
%
35,9
25,0
%
69,0
18
Norway
28
55
%
28,2
24,0
%
72,4
19
Lithuania
15
50
%
15,4
17,0
%
96,6
20
Estonia
3
45
%
2,6
21,0
%
82,8
21
Sweden
0
44
%
0,0
31,0
%
48,3

Methodology In A Nutshell

The aim of the study is to evaluate the efficiency of data protection measures as well as the data protection competence of consumers in Europe and to compare them at national level. The objects of investigation are all member states of the European Union (with exceptions) as well as the United Kingdom and Norway.

Bulgaria, Croatia, Malta, Portugal, Cyprus, Romania, the Czech Republic and Slovakia had to be excluded from the study due to insufficient data and to enable a fair comparison between all nations.

For the study, all of the named nations were evaluated in the five research fields “Legal Regulations”, “Companies”, “Private Individuals”, “Data Protection Competence” and “Social Mood”. A total of 24 influencing factors contributed to the final result of the study. All influencing factors were selected based on their informative value in relation to the performance of data protection measures or the data protection competence of consumers.

The result is a ranking of the pioneering nations in terms of data protection. The study ended on May 15, 2021.

A complete presentation of the methodology with all definitions, data and sources can be found here (German version, English version)