Data Retention Disclosures in the Google Play Store: Opacity Remains the Norm

Published in 2024 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW), 2024

Abstract

This paper evaluates the extent to which Android apps on Google Play comply with GDPR Article 13(2)(b), which requires clear disclosure of personal data retention periods. The authors introduce an automated methodology using GPT-4 to classify privacy policy statements regarding data retention and apply it to a large-scale dataset.

Out of 2,235 analyzed policies, over 50% were deemed potentially non-compliant, often failing to specify how long personal data would be stored or using vague criteria. The study also reveals that 20.85% of apps allow indefinite retention and that 34.18% of compliant policies describe multiple data retention cases—highlighting both opacity and complexity in how policies are written.
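The paper's classifier is built on GPT-4 and uses a six-category taxonomy that this abstract does not reproduce, so the following is an added illustration of the underlying audit task, not the authors' code or categories. It is a deliberately simple regex-based stand-in that sorts sentences of a privacy policy into four constructed labels (explicit retention period, indefinite retention, vague criteria, no disclosure), counts how many distinct retention cases a policy describes, and flags a policy as potentially non-compliant when no explicit period appears. The policy texts, the labels and the compliance rule are all assumptions made for this example; GDPR Article 13(2)(b) also accepts criteria used to determine the period, so a real audit needs a richer rule than "an explicit duration is present".

```python
import re

# Constructed privacy-policy excerpts for the example (not from the paper's dataset).
POLICY_EXPLICIT = (
    "We retain your account data for 24 months after your last login. "
    "Payment records are kept for 7 years as required by tax law. "
    "Other data is deleted when it is no longer necessary."
)
POLICY_INDEFINITE = (
    "We may store your personal data indefinitely. "
    "We do not sell your data to third parties."
)

# Labels used by this heuristic stand-in; they are NOT the paper's six-category taxonomy.
CATEGORIES = ("explicit_period", "indefinite", "vague_criteria", "no_disclosure")

# A sentence counts as talking about retention only if it uses one of these verbs/nouns.
RETENTION_TOPIC_RE = re.compile(
    r"\b(retain|retained|retention|keep|kept|store|stored|delete|deleted|deletion)\b", re.I)
# Concrete durations such as "24 months", "7 years", "thirty days".
DURATION_RE = re.compile(
    r"\b(\d+|one|two|three|four|five|six|seven|eight|nine|ten|twelve|thirty|ninety)"
    r"\s+(day|week|month|year)s?\b", re.I)
# Wording that amounts to keeping data forever.
INDEFINITE_RE = re.compile(
    r"\b(indefinitely|permanently|no (?:fixed|maximum|specific) (?:period|limit|duration))\b", re.I)
# Open-ended criteria that give the user no concrete period.
VAGUE_RE = re.compile(
    r"\b(as long as (?:is )?(?:necessary|needed|required)|no longer (?:necessary|needed)|"
    r"as required by law|until you delete your account)\b", re.I)


def classify_retention(sentence: str) -> str:
    """Assign one constructed label to a single policy sentence."""
    if not RETENTION_TOPIC_RE.search(sentence):
        return "no_disclosure"
    # An explicit duration wins even if vague language also appears in the sentence.
    if DURATION_RE.search(sentence):
        return "explicit_period"
    if INDEFINITE_RE.search(sentence):
        return "indefinite"
    if VAGUE_RE.search(sentence):
        return "vague_criteria"
    # Retention is mentioned but neither a period nor a criterion is given.
    return "vague_criteria"


def split_sentences(text: str) -> list:
    """Naive sentence splitter; adequate for the short constructed excerpts above."""
    return [s.strip() for s in re.split(r"(?<=[.;])\s+", text) if s.strip()]


def audit_policy(text: str) -> dict:
    """Classify every sentence and derive policy-level audit flags.

    Simplifying assumption for this example: a policy is 'potentially non-compliant'
    when it states no explicit retention period anywhere.
    """
    labelled = [(classify_retention(s), s) for s in split_sentences(text)]
    counts = {c: 0 for c in CATEGORIES}
    for label, _ in labelled:
        counts[label] += 1
    return {
        "sentences": labelled,
        "counts": counts,
        # Mirrors the "multiple data retention cases" observation: >1 explicit period.
        "multiple_retention_cases": counts["explicit_period"] > 1,
        "potentially_non_compliant": counts["explicit_period"] == 0,
    }


if __name__ == "__main__":
    for name, policy in (("explicit", POLICY_EXPLICIT), ("indefinite", POLICY_INDEFINITE)):
        result = audit_policy(policy)
        print(name, result["counts"], "non-compliant:", result["potentially_non_compliant"])
```

Swapping `classify_retention` for an LLM call (or a trained classifier) leaves the audit loop unchanged; the point of keeping the labelling step separate is that the policy-level statistics the paper reports (share of indefinite retention, share of policies with several retention cases) fall out of per-sentence labels regardless of how those labels are produced.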

Key Contributions

  • 🧠 Developed a GPT-4 based classifier to evaluate GDPR compliance on data retention.
  • 📱 Analyzed 2,235 Android app privacy policies; over 50% failed to meet transparency standards.
  • 🕵️‍♂️ Created a new taxonomy of 6 disclosure categories, validated by legal experts.
  • 🧪 Public dataset and method released for future research on privacy policy auditing.
  • 📉 Found statistically significant correlation between app popularity and likelihood of compliance.


Recommended citation: D. Rodríguez, C. Fernández-Aller, J.M. Del Alamo, N. Sadeh. "Data Retention Disclosures in the Google Play Store: Opacity Remains the Norm." IEEE EuroS&P Workshops 2024. https://doi.org/10.1109/EuroSPW61312.2024.00009