Is It a Trap? A Large-scale Empirical Study And Comprehensive Assessment of Online Automated Privacy Policy Generators for Mobile Apps

TL;DR

This study evaluates the quality, compliance, and market penetration of online automated privacy policy generators for mobile apps through large-scale empirical analysis.

Contribution

It provides the first comprehensive large-scale assessment of APPGs, analyzing their characteristics, market reach, and compliance with privacy regulations.

Findings

Nearly 20.1% of app privacy policies could be generated by existing APPGs.

Generated policies often do not fully comply with GDPR, CCPA, or LGPD.

The study highlights the importance of careful selection of APPGs by developers.

Abstract

Privacy regulations protect and promote the privacy of individuals by requiring mobile apps to provide a privacy policy that explains what personal information is collected and how these apps process this information. However, developers often do not have sufficient legal knowledge to create such privacy policies. Online Automated Privacy Policy Generators (APPGs) can create privacy policies, but their quality and other characteristics can vary. In this paper, we conduct the first large-scale empirical study and comprehensive assessment of APPGs for mobile apps. Specifically, we scrutinize 10 APPGs on multiple dimensions. We further perform the market penetration analysis by collecting 46,472 Android app privacy policies from Google Play, discovering that nearly 20.1% of privacy policies could be generated by existing APPGs. Lastly, we point out that generated policies in our study do not fully comply with GDPR, CCPA, or LGPD. In summary, app developers must carefully select and use the appropriate APPGs with careful consideration to avoid potential pitfalls.