How much data are we parting with for the ease of using an app?

Author: Aaron Green LLB CIPD, Operations Manager.

Imagine walking into your local shop to pick up a chocolate bar and the shopkeeper not serving you until they have your full name, date of birth, email address, telephone number, address, a list of all the chocolate bars you have bought in the past, locations where you purchase chocolate bars, how you pay for chocolate bars and whether you talk about chocolate bars with your friends.

Or walking into the pub and having to let them know your name, address, email address, telephone number, how many pubs you go into and which ones, how many drinks you buy and what your favourite drink is.  

You wouldn’t freely give that information, would you?  

But we are giving that information out every time we use an online ordering app. 

The use of apps to purchase shopping, order drinks in pubs and have clothing delivered to us has increased, with 218 billion apps being downloaded worldwide in 2020.

These apps are a goldmine for data collection, and over the last 18 months we have had little choice but to use them. But with data being so valuable, why are we giving it away so freely, and what are the companies doing with it?

The first point to note is that the apps are not free to the companies – they have to pay 2-3% per transaction to the app developer in some instances, so they have a vested interest in monetising your data in order to recoup the cost and make a profit.  

The delivery companies rely on you wanting speed and convenience and opting in to their data collection without reviewing their data privacy notices and without knowing what will happen to your data.  

On checking the mobile app privacy policy of a grocery delivery company that has popped up in the pandemic, we can see that the company will collect the following details: 

  • First name and surname
  • Phone number 
  • Email address  
  • Payment details and payment methods 
  • Shopping history, order information, invoice information 
  • Details of enquiries or complaints including call recordings 
  • Location information 
  • Ranking and rating details of products and experience  
  • Allergy information or health-related information  
  • IP address, device type, unique device identification numbers, browser type, device location, advertisement ID, transaction records, application usage information, commercial electronic communication consent logs
  • Personal information from social media (name, age, gender, profile picture, profile information)  


Other companies also collect: 

  • Location information, including other phones that use the same app in the same location [thus recording who you were socialising with]

The company will use some of this information for contractual purposes, such as needing your address to know where to deliver your groceries. However, they will also use the data to determine your preferences, likes, interests, usage habits and location.


But how can they do this when GDPR and DPA are in place to ensure the security of personal data? The key is consent and legitimate interest (reasonable use when processing information).

When you download the app, you are asked to consent to the processing within the privacy notice. How many of us read that privacy notice before we consent? More often than not, in our culture of immediacy, we just click through and accept.

Where consent hasn’t been freely given, the company will rely on their legitimate interest outweighing any privacy concerns for you – for example, we know you purchase a certain chocolate bar from us once a week, so we will tell you about an offer we have on chocolate bars, or show you linked products on social media that you might be interested in.

All of this seems harmless and indeed can benefit the individual by giving them information about goods and services that may be of interest to them. But where can the delivery company send your data?

As noted above, it costs the delivery company money to get your information, and they can sell it on to other companies with your consent. That is key to the disclosure of your personal information to third parties – except in certain legal situations, it can only be done with consent. So when we are clicking through and agreeing to the terms and conditions, we are consenting to our data being passed to third parties.

This could be other brands within the same company or it could be a different company altogether. 52% of apps share your data with third parties, and in the top 10 are the likes of Uber Eats, Just Eat and Grubhub alongside the social media companies (whose data sharing practices have been widely discussed).

Some well-known food delivery companies also share their data with Epsilon Abacus – an alliance of UK retailers who share data on customer spending habits – which is where problems can arise. Whilst sharing your drinking habits with a pub seems natural, if the pub chain then sells that information to a life insurance company, you could see your premiums rise.

There is a way of checking what companies are doing with your data and who they have sent it to: completing a subject access request.

We tried this with an app that allows you to order food and drink in a bar, which was necessary during Covid. We completed the subject access request on 18 August 2021 by sending their Data Protection Officer an email (details found in their privacy policy) stating that we were making a subject access request and wanted details of all the personal data being processed using the app.

Unfortunately, the company admitted that they were having difficulty in complying with our request as they were subject to a data breach, highlighting the lack of control we have once we part with our data.

So, how can we protect our data? The key is to make informed decisions. It might be worthwhile giving up some data to benefit from the services we want to obtain, but when this falls too much in favour of the company and you are giving up too much data, you can request that they stop processing your data.