Privacy Policy Flaws Found on Popular Finance Apps

A recent study found that 90% of mobile apps offering personal financial services on Chinese consumers’ smartphones have flaws in their privacy policies that may put users’ personal information at risk.

The report, released by the Centre for Fintech and Internet Security of Renmin University of China, reviewed 200 popular personal finance apps, including Alibaba’s payment service Alipay, JD.com’s wealth management platform JD Finance and online peer-to-peer lender Renrendai.

Over half of apps reviewed showed low transparency in their privacy policies, which describe how companies collect, use and share with third parties users’ personal information and usually pop up when users first time sign up the apps, the report said.

The report found 20 apps didn’t even have a privacy policy, which means these apps collect information on users’ identifications, bank accounts and credit history without any contractual promise to protect the information.

All but four apps have no provisions in their privacy policies on how they would deal with users’ personal information once they no longer provide the products or services to users, such as promise to stop collecting and delete user’s personal information.

China’s Ministry of Industry and Information Technology has issued rules requiring telecom operators and internet service providers to stop collecting and using users’ personal information once the users no longer use their services.

Only six apps state in their privacy policies that users have the right to unsubscribe or refuse to receive promotions or other related business messages or emails from the companies. All other apps neither mention anything about unsubscription nor provide any steps for users to unsubscribe.

The report found a majority of apps state in their privacy policies that they can share users’ information with third parties and use the information on promotions.

The report said most privacy polices use vague and standard language on information sharing and disclosure to shirk companies’ responsibilities.

They promise to protect users’ personal information according to industry standards, but don’t guarantee information leaks due to “technical limitations.” the report said.

The review also tested how these apps collect users’ information using microphones, contact lists, text messages and locations on users’ phones.

The report found many apps make users agree to allow the app to get access to their microphones, text messages, contact lists and location information, which violates the principle that companies should only collect the minimum amount of personally identifiable information necessary to conduct the functions of the apps.

Lawyers said consumers are vulnerable when facing powerful service providers with privacy policies unfavorable to users.

“With most apps or websites, if users don’t agree to their privacy policies, they can’t use the service,’ said Liu Xinyan, a senior partner at Beijing law firm Tisize & Partners. He warned that consumers would have few options when Internet services are increasingly controlled by several big players.