"Nothing in life is free, except death - and that costs you your life," runs a saying. Another example supporting this claim can be found in supermarket apps on smartphones. These loyalty programs from Lidl, Edeka, and the like are meant to save customers money, yet even these discounts come at a cost.
Discounts for data
Almost all major chains offer attractive promotions in their own apps, including loyalty point collection, exclusive coupons and sweepstakes, as well as tangible discounts. Although the apps are provided free of charge, customers still pay - but with their data.
By using the apps, customers disclose precise information about their individual behavior, such as their location or preferred brands and products. This personal data helps companies to better understand their customers’ shopping habits and to target advertising more effectively. Retail experts see this as a deliberate trade-off - data in exchange for discounts.
Consumer advocacy groups have discovered in an investigation that supermarket operators use the data collected during shopping to analyze customers’ behavior in detail and, from this, draw conclusions about their personal circumstances. Furthermore, as reported by the portal inside-digital.de among others, providers reserve the right not only to use customer data themselves but also to pass it on to third parties. These third parties do not even have to be based in Germany and are therefore not bound by the country’s data protection regulations.
Accordingly, consumer advocates caution users to be wary when using supermarket loyalty apps. Their recommendation: before launching the app for the first time and after every update, users should carefully review the settings and privacy policies.
Danger lurks even while shopping
However, the risk of unintentionally sharing personal data through apps is not limited to supermarket customer apps. The security firm Incogni examined 180 shopping apps to assess what information providers disclosed about the collection and sharing of user data.
The findings are alarming: numerous fashion and clothing apps collect significantly more data than is necessary for the app’s basic functions or order processing. The apps accessed photos (45 apps), location data (31), videos (12), and search history (9). Additionally, twelve apps tracked which applications were installed on the user’s smartphone. Six apps each collected registered SMS and MMS messages as well as users’ sexual orientation.
Among the most popular shopping apps, especially Nike and H&M collected the highest number of data points. According to Incogni, the apps Puma, Under Armour, and The North Face reportedly shared a "worrying amount" of sensitive data with third parties for marketing and advertising purposes.
What happens to the data?
Apps can collect a wide range of data, each carrying different levels of significance: consumption data (for example, from supermarket or fashion apps) reveal preferred styles, products, and brands. Location data can be used to create movement profiles that show when, where, and for how long a user has been in a particular place. From this, one can deduce the user’s home address, workplace, and even leisure habits - such as regular running routes.
All these data are valuable, which is why data is often referred to as "the new gold." App providers frequently pass this information on to data brokers, who process and resell it to third parties. The advertising industry, in particular, uses such data to target ads precisely and increase revenue opportunities. An analysis conducted by Heinrich-Heine-Universität Düsseldorf and Goethe-Universität Frankfurt, based on a sample of 850 apps, shows that 40 percent of apps share personal data - without disclosing this fact.
Access to data: where is the problem and how can you protect yourself?
At this point, some smartphone users might think that having their data collected is no big deal, especially if they have nothing to hide. Or they might even see the benefit in receiving ads that genuinely interest them.
However, an investigation by netzpolitik.org and Bayerischer Rundfunk reveals just how much the data gathered by apps can actually reveal about a person: Using data from a U.S. data broker combined with publicly available information, researchers were able to map movement patterns. From this, they were even able to uncover the identity of an intelligence agency employee.
How can you protect yourself against unnecessary access to personal data? Primarily through a healthy dose of skepticism. Special caution is especially warranted when apps request permissions that are not essential for their core functionality. For example, an alarm clock app doesn’t need access to location data, whereas that is indispensable for a navigation tool. Other frequently requested permissions concern the address book, microphone, or photos. According to a report by SWR, one cannot simply assume that app providers only request the permissions they truly need. Skepticism is key. In any case, it is crucial to use apps only from official app stores.
On your smartphone, you can also manage your apps and their permissions in the settings, limiting access where possible. For instance, you can allow location data to be collected - but only at times when you are actively using the app, if absolutely necessary.
Those who want to take more radical measures and are willing to accept some self-imposed restrictions can activate location services like GPS, Bluetooth, or Wi-Fi only when needed. Alternatively, enabling airplane mode cuts off both phone calls and internet access entirely.