Inconsistent Privacy Labels Don't Tell Users What They Are Getting

DATA PRIVACY MOBILE SECURITY Cybersecurity In-Depth: Feature articles on security strategy, latest trends, and people to know. Inconsistent Privacy Labels Don't Tell Users What They Are Getting Data privacy labels are a great idea for mobile apps, but the current versions just aren't good enough. Bree Fowler,Contributing Writer April 3, 2026 4 Min Read SOURCE: APHITHANA CHITMONGKOLTHONG VIA ALAMY STOCK PHOTO At first glance, the data privacy labels on app stores look helpful, but it will take more than that to protect users' privacy.  In the same way that nutrition labels give consumers a better idea of the nutrients a food might contain, app labels are intended to give people insights into what kinds of personal data a particular mobile app collects, how it's used, and who it might be shared with. That way, just as with the food they buy and eat, consumers can make an informed choice about whether to download the app onto their mobile device. That may sound great, but just as food nutrition labels haven't solved America's obesity crisis, data-privacy labels aren't enough by themselves, according to Lorrie Cranor, director and Bosch distinguished professor at Carnegie Mellon University's CyLab Security & Privacy Institute. "We're not kidding ourselves, having these labels is not going to actually protect privacy," Cranor said during her talk at the recent RSAC Conference in San Francisco. "But it's going to be a way for us all to get more information and hopefully lead to better privacy practices and help people protect privacy." Related:AI Rising: Do We Know Enough About the Data Populating It? Kelly Peterson, chief privacy and compliance officer at artificial intelligence startup Yobi, is skeptical, as well. When it comes to data privacy, companies have long been more concerned about compliance than actually informing consumers about what's being done with their data, she says. When companies post a data privacy label, they're often just putting it out there for information purposes and implying that what's in it is true, without necessarily doing the due diligence to prove it, says Peterson. They're not doing anything to address the data privacy problems the labels might point to. LOADING... "I like the concept," Peterson tells Dark Reading. "I like trying to make this really hard, technical stuff attainable for someone who's like: 'I don't know if I want to use this app or not,' but I don't think that they're solving a problem."  Problematic, and Innacurate Cranor, one of the country's top researchers in data privacy, began working with her Carnegie Mellon students in 2010 to create labels for websites. While she says those labels did well in testing, they were ultimately never adopted. They also explored creating labels for Internet of Things (IoT) devices before shifting their focus to mobile apps in 2013.  It wasn't until 2020 that Apple announced it would start including privacy labels in its app store. A similar announcement from Google came shortly thereafter. Related:While ECH Adoption Is Low, Risks Remain for Enterprises, End Users "When these came out, we were at first very excited that they were finally doing something," Cranor said. But very quickly, she said, people discovered that the labels were problematic, noting that several reports found companies weren't being honest in their labeling. A subsequent study done by Cranor and her researchers found numerous inaccuracies in data privacy labels. But it also found that those inaccuracies were more the result of honest mistakes and developer misunderstandings than of attempts to mislead consumers. Further complicating things, Apple and Google use different methodologies in their labels, she said. For example, Google defines data collection as any data transmitted from a user's device. But Apple only considers data collected if it's transmitted from a user's device and stored. Making Labels Useful Peterson, who previously served as chief privacy officer at Grindr and held privacy leadership roles at Amazon, said consumers are often better off heading to a company's online trust center for guidance or reading its privacy policies. Admittedly, that can be a mammoth task, which is why she says companies should be able to give consumers access to simplified versions of their privacy policies, while leaving the long, jargon-filled statements for the lawyers. Cranor said that while app privacy labels have the potential to help consumers, some things need to change. As it stands now, she says the current versions of the labels are "not at all useful." What's worse is they make it look like companies are doing something good for consumer privacy when they actually aren't.    Standardizing the app privacy labels would make things much easier for both developers and consumers, Cranor says. She recommends that labels be more prominently featured in app store listings and that tools be created to help developers create accurate labels and allow app stores to verify their accuracy. In an age of AI, consumers could have access to tools that let them search for apps that align with their privacy preferences, Cranor says. She echoes Peterson's sentiments that even if the privacy labels are perfectly accurate, nobody wants to spend all day reading them. Read more about: CISO Corner About the Author Bree Fowler Contributing Writer Bree Fowler writes about cybersecurity and digital privacy. Previously, she was a senior writer for CNET. Prior to joining CNET, she reported for The Associated Press and Consumer Reports. A Michigan native, she's a long-suffering Detroit sports fan, world traveler, three-star world marathoner, and champion baker of over-the-top birthday cakes and all things sourdough. Want more Dark Reading stories in your Google search results? ADD US NOW More Insights Industry Reports AI SOC for MDR: The Structural Evolution of Managed Detection and Response Frost Radar™: Non-human Identity Solutions 2026 CISO AI Risk Report Gartner IGA Voice of the Customer 2026 The ROI of AI in Security Access More Research Webinars Identity Maturity Under Pressure: 2026 Findings and How to Catch Up Building a Robust SOC in a Post-AI World Retail Security: Protecting Customer Data and Payment Systems Rethinking SSE: When Unified SASE Delivers the Flexibility Enterprises Need Securing Remote and Hybrid Work Forecast: Beyond the VPN More Webinars You May Also Like DATA PRIVACY Paragon Commercial Spyware Infects Prominent Journalists by Alexander Culafi, Senior News Writer, Dark Reading JUN 19, 2025 DATA PRIVACY The Dark Side of Digital: Breaking the Silence on Youth Mental Health by Arielle Waldman MAY 05, 2025 CYBERATTACKS & DATA BREACHES DeepSeek Breach Opens Floodgates to Dark Web by Emma Zaballos APR 22, 2025 DATA PRIVACY NIST Updates Privacy Framework With AI and Governance Revisions by Arielle Waldman APR 16, 2025 Edge Picks APPLICATION SECURITY AI Agents in Browsers Light on Cybersecurity, Bypass Controls CYBER RISK Browser Extensions Pose Heightened, but Manageable, Security Risks CYBERSECURITY OPERATIONS Video Convos: Agentic AI, Apple, EV Chargers; Cybersecurity Peril Abounds ENDPOINT SECURITY Extension Poisoning Campaign Highlights Gaps in Browser Security Latest Articles in The Edge CYBERSECURITY OPERATIONS Geopolitics, AI, and Cybersecurity: Insights From RSAC 2026 APR 2, 2026 CYBERSECURITY OPERATIONS RSAC 2026: AI Dominates, But Community Remains Key to Security APR 2, 2026 CYBERSECURITY OPERATIONS Ransomware Will Hit Hospitals. Rehearsals Are Key to Defense APR 1, 2026 CYBERSECURITY ANALYTICS Are We Training AI Too Late? APR 1, 2026 Read More The Edge Want more Dark Reading stories in your Google search results? BLACK HAT ASIA | MARINA BAY SANDS, SINGAPORE Experience cutting-edge cybersecurity insights in this four-day event featuring expert Briefings on the latest research, Arsenal tool demos, a vibrant Business Hall, networking opportunities, and more. Use code DARKREADING for a Free Business Pass or $200 off a Briefings Pass. GET YOUR PASS