Fact-checked by the SnapMessages editorial team
A 2024 joint review by the Federal Trade Commission, ICPEN, and the Global Privacy Enforcement Network examined 642 subscription websites and mobile apps and found that nearly 76% employed at least one dark pattern, a manipulative design tactic engineered to push users into choices they would not otherwise make. For health and wellness apps specifically, this is not a minor technical nuisance. Cycle logs, mood journals, sleep scores, and therapy intake answers represent some of the most intimate data a person can generate, yet almost none of it falls under HIPAA’s protections. That is the exact environment where app dark patterns data collection thrives: legal, largely invisible, and strikingly common.
The same FTC/ICPEN sweep found that nearly 67% of examined apps used multiple dark patterns simultaneously, meaning most users encounter stacked manipulation, not a single trick. Apps with third-party advertising SDKs have been documented transmitting device identifiers to multiple ad networks within 200 milliseconds of launch, before a user has touched any consent screen. Wellness platforms were found selling menstrual cycle data, mental health session details, and chronic condition information to advertising networks and data brokers, often without explicit consent, because health data commands premium prices precisely due to its medical specificity. The FTC’s 2024 investigation confirmed this is not fringe behavior; it is standard industry practice for a sector handling some of the most vulnerable personal disclosures imaginable.
This guide breaks down five specific dark pattern techniques that apps use to extract more data than you intend to share. After reading, you will be able to recognize each tactic on sight, audit the apps already on your phone, and take concrete steps to limit the data flowing out without your meaningful consent.
Key Takeaways
- Nearly 76% of 642 subscription apps and websites reviewed by the FTC and ICPEN in 2024 used at least one dark pattern, and 67% used multiple patterns simultaneously.
- More than 89% of privacy policies reviewed in the 2024 GPEN Sweep were excessively long (over 3,000 words) or used deliberately confusing language, a recognized dark pattern in itself.
- Ireland’s Data Protection Commission fined TikTok €345 million in September 2023, partly for using dark patterns to steer child users toward more privacy-invasive settings in violation of GDPR.
- HIPAA does not apply to most consumer health and wellness apps because they are not “covered entities”, meaning mental health, fertility, and nutrition app data sits in a legal gap where medical-grade privacy protections do not reach.
- Device identifiers from apps embedded with ad SDKs have been documented as being transmitted to multiple ad networks within 200 milliseconds of launch, before any consent interface appears.
- The FTC’s amended Health Breach Notification Rule, effective July 2024, extended coverage to fitness, fertility, and mental health apps not covered by HIPAA, but enforcement still lags well behind the pace of new design tactics.
In This Guide
- Why Your Wellness App Knows More About You Than Your Doctor Does
- Dark Pattern #1: The Pre-Ticked Consent Trap
- Dark Pattern #2: The Privacy Policy Wall of Text
- Dark Pattern #3: Permission Creep, One Ask at a Time
- Dark Pattern #4: Quizzes, Assessments, and the Health Score Hook
- Dark Pattern #5: The Roach Motel, Easy In, Impossible Out
- The Legal Gap That Makes All of This Possible
- How AI Is Making Dark Patterns Harder to Spot
- How to Audit Your Wellness Apps Right Now
Why Your Wellness App Knows More About You Than Your Doctor Does
Health and fitness apps collected over 3.6 billion downloads globally in 2024. That number includes period trackers, sleep monitors, therapy platforms, calorie counters, and mood journals, apps that handle data most people would never discuss openly with a stranger, yet willingly type into a phone screen because the interface feels private and helpful. The problem is structural: most consumer wellness apps are not “covered entities” under HIPAA’s Privacy Rule. The U.S. Department of Health and Human Services has confirmed in updated guidance that the HIPAA Privacy Rule does not govern apps that fall outside the covered entity definition, which means your therapy app’s record of your panic attacks receives less legal protection than your doctor’s notes about a sprained ankle.
This matters because the data wellness apps collect is unusually sensitive and unusually permanent. A fertility app knows your cycle length, ovulation window, and whether you’re trying to conceive. A mental health app knows when you’re struggling and what you disclosed during intake. A nutrition app logs what you eat, when you eat it, and if location access is granted, where. Taken individually, each piece seems benign enough. Combined with data from other apps and matched against shopping behavior and social media activity, these fragments assemble into a health profile that advertisers and data brokers will pay premium prices to access.
The FTC’s 2024 investigation found wellness platforms routinely selling this kind of data without explicit consent. For a health-and-wellness reader, that means the apps you use specifically to improve your wellbeing may be sharing your most vulnerable moments with parties whose interests are the opposite of your own. The dark pattern techniques described in this article are the mechanisms that make that transfer possible, and that keep users from noticing it’s happening.
The U.S. Department of Health and Human Services’ HIPAA Privacy Rule explicitly excludes most consumer health and wellness apps. Mental health session notes, fertility tracking data, and chronic condition logs collected through consumer apps have no federal medical privacy protection equivalent to what applies in a clinical setting.

Dark Pattern #1: The Pre-Ticked Consent Trap
Harry Brignull, the UX researcher who coined the term in 2010, defined dark patterns as “tricks used in websites and apps that make you buy or sign up for things that you didn’t mean to.” The pre-ticked consent trap is perhaps the most direct expression of that definition. An app opens its onboarding flow with a checkbox already checked, “Share anonymized data with analytics partners to improve your experience”, displayed in small text beneath a large, brightly colored “Continue” button. The “Reject” option, if it exists at all, is rendered in grey text several screens deeper into the flow.
The Default Effect in Action
Behavioral economists call this exploitation of the default effect: people disproportionately accept whatever option is already selected, especially when they’re moving quickly through a setup process. App designers know this. Pre-checked consent boxes are not an oversight; they are a deliberate design decision calibrated to maximize the share of users who hand over data without actively choosing to do so. The European Data Protection Board’s Guidelines 3/2022 specifically name pre-ticked consent boxes as a GDPR-violating dark pattern, defining them as interfaces that cause users to make “unintended, unwilling and potentially harmful decisions regarding the processing of their personal data.”
In Europe, these boxes are illegal for personal data under GDPR. In the United States, outside of specific state laws like California’s CCPA, they remain common practice. Ireland’s Data Protection Commission fined TikTok €345 million in September 2023, partly for using exactly this approach to nudge child users toward more privacy-invasive settings.
How It Shows Up in Health Apps Specifically
Mental health and nutrition apps have a particular version of this problem. Their onboarding flows typically begin with an intake questionnaire, depression screening questions, dietary restrictions, medication history, before the user has seen a single feature of the product. By the time someone reaches that questionnaire, they have already passed the pre-checked consent screen authorizing data sharing with analytics partners. They’ve handed over sensitive health history before they have any reason to be cautious. The sequence is not accidental; it places the data-sharing agreement before the moment a user might stop to think about what they’re disclosing.
During any app onboarding, scroll to the bottom of every consent screen before tapping “Continue.” Pre-checked boxes for data sharing are sometimes positioned below the visible fold, where users tap through without ever seeing them. This is especially common in mental health and fitness apps that begin with personal intake questions.
Dark Pattern #2: The Privacy Policy Wall of Text
The 2024 GPEN Sweep found that more than 89% of privacy policies reviewed were excessively long (over 3,000 words) or used technical and confusing language, a recognized dark pattern in itself. Reading every privacy policy for every app a person installs would take, by some academic estimates, over 200 hours per year. App developers are aware of this. A policy that runs 4,000 words of legal language is not just a formality; it functions as a barrier, one designed to ensure that the disclosures technically exist while remaining practically inaccessible to the people they’re supposed to inform.
Buried Disclosures and the BetterHelp Case
The BetterHelp case illustrates the stakes clearly. The FTC found that BetterHelp had shared therapy intake data, including disclosures about suicidal ideation, panic attacks, sexual orientation, and medication history, with advertising companies including Facebook and Snapchat. This data sharing was disclosed somewhere in the platform’s terms, but it was buried in language that functionally no user reads before filling out the intake questionnaire. BetterHelp reached a $7.8 million settlement with the FTC. The Cerebral mental health platform faced a similar action in 2024, also for sharing sensitive user data with advertisers. Two high-profile enforcement actions in the same app category within a short period is evidence of a pattern, not an anomaly.
For anyone who tracks how spyware behaves on mobile devices, the parallel is instructive: both spyware and a privacy-hostile app policy extract sensitive data from a user’s device without their meaningful awareness. The mechanism differs, but the outcome, your most private disclosures transmitted to parties you did not consciously authorize, is the same.
More than 89% of privacy policies reviewed in the 2024 GPEN Sweep were either excessively long (over 3,000 words) or written in deliberately confusing language. This constitutes a recognized dark pattern, technically disclosure, functionally opacity.
What to Actually Look For
Rather than reading every word of a privacy policy, focus on a few specific phrases: “third-party partners,” “analytics providers,” and “service improvement.” These are the standard euphemisms used when apps share or sell data. If a health app’s policy mentions sharing with any of these categories without specifying which companies or what data, treat it as a red flag. Searching “[app name] + data broker” or “[app name] + FTC” before installing takes less than two minutes and surfaces enforcement actions and investigative journalism that a privacy policy would never volunteer.
Dark Pattern #3: Permission Creep, One Ask at a Time
Permission creep works differently from the first two patterns. Rather than tricking you at the point of installation, it operates gradually, one innocuous-seeming request at a time, timed to moments when you’re engaged, comfortable, and least likely to say no. An app installs with minimal permissions. Three weeks later, just as a meditation session is about to start, a prompt appears: “Allow microphone access to improve your breathing guidance.” It seems reasonable in context. Most users tap “Allow” and continue their session.
Why the Timing Is Deliberate
App designers know that permission prompts get accepted at significantly higher rates when they appear mid-task rather than during setup. The same microphone permission that a user might scrutinize during onboarding gets granted reflexively when they’re relaxed and focused on a wellness goal. Contacts, precise location, and camera access follow the same pattern. Each request arrives wrapped in a feature benefit, and each grant expands the app’s data footprint in ways that compound over time.
Background location access is the most consequential of these permissions. Once granted, it allows an app to poll location data continuously, even when the app is closed. That data can reconstruct a user’s home address, workplace, daily commute, and medical appointments. For a mental health app, correlating location data with session timestamps creates a profile that could, in the wrong hands, reveal when someone visited a psychiatric clinic or a domestic violence shelter. This is not a hypothetical risk; it is the logical output of combining app categories that users treat as siloed but that data brokers aggregate across platforms.
The SDK Problem Nobody Talks About
Even apps with clean permission practices can leak data through third-party advertising SDKs embedded in their code. These SDKs often have their own data collection logic, independent of what the host app requests. Device identifiers have been documented as being transmitted to multiple ad networks within 200 milliseconds of app launch, before a user has interacted with any consent interface at all. A wellness app can technically pass a privacy audit while still transmitting your device’s advertising ID, combined with the app category (mental health, fertility, weight loss), to a dozen ad networks before you’ve tapped the first screen.
It’s worth being direct about a limitation here: even users who carefully manage permissions have no practical way to inspect which SDKs are embedded in an app or what data those SDKs transmit independently. Short of using network monitoring tools that require technical expertise, this layer of data collection is invisible to the average person. Regulatory pressure on SDK transparency is growing, but as of mid-2025, no US federal rule requires apps to disclose their embedded SDK partners by name to end users.
You can review and revoke app permissions at any time without uninstalling the app. On iPhone, go to Settings, scroll to the app name, and toggle off any permission that does not match the app’s core function. On Android, go to Settings, then Apps, then Permissions Manager for a cross-app view. Most users have never opened either screen.

Dark Pattern #4: Quizzes, Assessments, and the Health Score Hook
Many wellness apps open with a gamified health assessment, a stress test, a sleep quality quiz, a BMI calculator, a “personalized wellness score.” These feel like the product. They are actually the onramp to data collection. Privacy International found that the average weight loss app asks users at least 50 questions covering mental and physical health history before delivering a “personalized plan,” and that the data from those questions is routinely shared with analytics firms. The quiz format is psychologically effective precisely because it feels reciprocal: you share information, you receive a score or recommendation. The exchange feels fair. It is not.
The FTC has documented this tactic in broader consumer contexts, giveaways and personality quizzes that harvest email addresses, demographic details, and location data under the guise of entertainment. In wellness apps, the hook is more powerful because the promised output requires disclosing genuinely sensitive information: chronic conditions, medications, menstrual history, mental health diagnoses. Users fill out 50 questions before they’ve evaluated whether the app deserves that level of disclosure.
Before completing any in-app health quiz or assessment, navigate to the app’s settings and check whether you can access the core feature without completing the questionnaire. Many apps allow partial use without full onboarding disclosure. If the quiz is mandatory before any access is granted, treat that as a signal that data collection, not personalization, is the primary purpose.
Dark Pattern #5: The Roach Motel, Easy In, Impossible Out
The roach motel pattern describes an asymmetry between how easy it is to opt in to data sharing and how difficult it is to opt out. Consent banners that disappear permanently after one “Accept All” tap reappear every session if a user selects “Manage Preferences”, training users to accept rather than navigate the friction. Opt-out flows bury the relevant toggle three menus deep, use double-negative language (“uncheck this box if you do not wish to opt out of data sharing”), or require contacting a support team by email with a response time measured in weeks.
Data Deletion Is Not What It Sounds Like
The data-retention problem in health apps is one of the least-covered angles in writing about dark patterns, and it may be the most consequential for long-term users. Deleting an account does not mean deleting your data. Most consumer wellness apps have no stated data-retention policy and no legal obligation under HIPAA (which does not apply to them) to purge records after account deletion. Your mental health intake answers, your cycle data, your chronic condition logs may remain on a server indefinitely, accessible to law enforcement via subpoena, or transferred wholesale to a new corporate owner if the app is acquired.
This is not a distant theoretical risk. Several popular health apps have been acquired by companies with different privacy practices than the original developer. Users who signed up under one privacy framework had no practical recourse when their data moved to a new owner with different data-sharing arrangements. The Office of the Privacy Commissioner of Canada’s 2024 joint resolution on privacy-related deceptive design patterns specifically calls out opaque data-retention practices as harmful and calls on organizations to audit and eliminate them.
Ireland’s Data Protection Commission fined TikTok €345 million in September 2023, partly for using dark patterns, including asymmetric consent interfaces, to push child users toward more privacy-invasive settings. That figure represents one enforcement action in one jurisdiction. Most dark pattern violations result in no penalty at all.
| Dark Pattern | How It Appears | Data Harvested | Legal Status (US) |
|---|---|---|---|
| Pre-Ticked Consent | Pre-checked boxes, bright “Accept” vs greyed “Reject” | Analytics sharing, ad targeting data | Legal in most states |
| Privacy Wall of Text | 3,000+ word policies, technical jargon, buried disclosures | All categories; disclosure technically present | Legal if disclosed |
| Permission Creep | Mid-session prompts for location, mic, contacts | Location, device ID, contact graph | Legal with user tap |
| Health Quiz Hook | Mandatory wellness assessment before app access | Health history, medications, mental health data | Legal; limited FTC scrutiny |
| Roach Motel | Multi-step opt-out, double-negative wording, reappearing banners | Continued data sharing after user attempts to stop | Legal; state laws vary |
The Legal Gap That Makes All of This Possible
Understanding why these patterns persist requires understanding one structural fact: HIPAA’s Privacy Rule does not apply to most consumer health and wellness apps. The law was written to govern “covered entities”, hospitals, insurers, healthcare providers, and their business associates. A meditation app, a period tracker, or a therapy platform that operates independently of a healthcare provider falls entirely outside that definition. The same data that would be tightly regulated in a clinical setting, mental health disclosures, reproductive health logs, chronic illness records, is legally fair game for commercial use when collected through a consumer app. This is the gap that makes app dark patterns data collection so lucrative, and so largely unpunished.
What Is Changing, and What Isn’t Yet
The FTC’s amended Health Breach Notification Rule, effective July 2024, extended coverage to fitness, fertility, and mental health apps not governed by HIPAA, requiring them to notify users of unauthorized data disclosures. The FTC has stated in its official reporting that dark pattern techniques may impact not just consumers’ wallets but also their privacy choices, a recognition that deceptive design is a consumer protection issue, not just a UI preference. Several states, including California, Colorado, and Connecticut, have enacted opt-in consent requirements for biometric and sensitive health data. The proposed Health Information Privacy Reform Act (HIPRA) would extend HIPAA-equivalent protections to consumer health apps, but it has not passed.
Regulation is genuinely catching up. That is worth acknowledging. But enforcement consistently lags behind the pace at which new design tactics emerge, and the legal gap remains the primary structural condition that enables the patterns described throughout this article. Users who understand that gap are better positioned than those who assume regulatory protection exists where it does not.
| Regulatory Framework | Covers Consumer Health Apps? | Key Requirement | Effective Date |
|---|---|---|---|
| HIPAA Privacy Rule | No (non-covered entities excluded) | N/A for consumer apps | 1996/2003 |
| FTC Health Breach Notification Rule (amended) | Yes (fitness, fertility, mental health apps) | Notify users of unauthorized disclosures | July 2024 |
| GDPR (EU) | Yes (for EU users) | Opt-in consent; no pre-ticked boxes | May 2018 |
| CCPA/CPRA (California) | Partial (sensitive data categories) | Right to opt out of sale; disclosure required | 2020/2023 |
| HIPRA (proposed) | Yes (if enacted) | HIPAA-equivalent protections for consumer health apps | Not yet passed |
How AI Is Making Dark Patterns Harder to Spot
One angle that rarely appears in coverage of manipulative app design is that consent dark patterns are no longer the product of a designer’s educated guess. Many large apps and platforms now run thousands of simultaneous A/B tests to find the exact interface variation, button color, label wording, modal timing, scroll depth, that maximizes the percentage of users who opt into data sharing. The output of those tests is not a design decision; it is a machine-learning result systematically calibrated to the psychological pressure points of their specific user base.
This means the consent interface you see has been optimized against millions of user interactions to be maximally effective at obtaining your agreement. The grey “Decline” button and the blue “Accept” button are not a coincidence; they are the winning output of an experiment that tested dozens of color combinations. The moment the consent modal appears, immediately after a positive app experience, or just before a feature you want to use, was selected because it maximizes acceptance rates. Knowing this does not make the manipulation disappear, but it reframes what you’re dealing with: not a careless design choice, but a deliberately engineered outcome.
This connects directly to the broader social engineering tactics used across digital environments. The same psychological levers that hackers pull to manipulate people are built into mainstream app consent flows, except here they are deployed by companies with legal teams and product managers, not individual bad actors. The scale and legitimacy of the delivery mechanism should not obscure what the underlying technique actually is.

How to Audit Your Wellness Apps Right Now
Knowing the five patterns is useful. Checking your current apps against them is where it becomes actionable. Start with permissions. On iPhone, go to Settings, scroll to any health or wellness app, and review every permission it holds. Ask whether each one is strictly necessary for the app’s core function, not a feature you occasionally use, but what the app actually does. A hydration tracker does not need microphone access. If you use water tracking apps to meet daily hydration goals, for instance, review whether any of them hold location or contact permissions that have no obvious relevance to tracking water intake. Revoke anything that does not match core function.
The Cross-App Data Problem
One of the most underappreciated risks is cross-app data aggregation. A fertility tracking app that matches cycle data with location data from a maps app creates a health profile far more revealing than either source alone. Users think about their data in terms of individual apps. Data brokers and advertising platforms think across apps, matching device identifiers to assemble unified profiles. Limiting permissions on each app individually is necessary but not sufficient; limiting the total number of sensitive health apps you use, and regularly auditing which ones you actually need, reduces the cross-app surface area.
Building a Sustainable Privacy Habit
A recurring quarterly audit is more practical than trying to be vigilant in real time during every app onboarding. Set a calendar reminder every three months to check permissions, review which health apps you have active, and search recent news for any FTC actions or data breach reports involving those apps. For a structured approach to this kind of routine, the framework described in building a personal digital security routine applies directly, the same discipline that protects your accounts and devices also applies to the wellness apps where your most sensitive data lives.
On Android devices, the Developer Options menu includes a “Permission Manager” view that shows, across all installed apps, which apps hold which permissions. Most Android users have never seen this screen. For a guide to Android’s less-visible privacy controls, the hidden Android developer options worth enabling include several that help surface data access behavior that is otherwise invisible.
| Permission Type | Legitimate Use in Health Apps | Red Flag Use | Risk Level |
|---|---|---|---|
| Precise Location | Navigation, clinic finder | Meditation, journaling, calorie counter apps | High |
| Microphone | Voice journaling, audio-guided therapy | Any app without audio features | High |
| Contacts | Accountability partner features | Any app without social/sharing features | Medium |
| Camera | Food photo logging, skin condition tracking | Any app without visual input features | Medium |
| Background App Refresh | Real-time health monitoring (wearable sync) | Any app that doesn’t need continuous data | Medium-High |
Deleting a health app does not delete your data from the app company’s servers. Before uninstalling, submit a data deletion request through the app’s settings or via email to the privacy contact listed in the policy. Screenshot or save any confirmation you receive. Without a documented deletion request, your health disclosures may remain stored indefinitely, and be transferred to a new owner if the company is acquired.
| Action | Time Required | Privacy Benefit | Difficulty |
|---|---|---|---|
| Review all app permissions | 15–20 minutes | Immediate reduction in data exposure | Low |
| Search “[app] + FTC” before installing | 2 minutes per app | Surfaces enforcement history before you share data | Low |
| Submit data deletion requests | 10 minutes per app | Removes stored data from servers (if honored) | Low-Medium |
| Disable ad tracking (iOS/Android) | 5 minutes | Reduces cross-app ID matching by advertisers | Low |
| Quarterly permission audit | 30 minutes every 3 months | Catches permission creep before it compounds | Low |
Real-World Example: A Mental Health App’s Data Trail
Consider an illustrative example: a user downloads a mental health journaling app in January after seeing it recommended in an online wellness forum. During onboarding, they pass through a pre-checked consent screen authorizing sharing with “analytics and wellness improvement partners”, they don’t notice it because they’re moving quickly toward the journaling feature. They complete a 48-question intake assessment covering anxiety levels, sleep quality, relationship stress, and medication history. The assessment takes about 12 minutes. By the time they write their first journal entry, the app has already transmitted device identifiers and app category metadata to three advertising SDKs.
Over the following six weeks, the user grants microphone access when prompted during a guided breathing exercise, and background location access when the app offers to “log where you feel most calm.” Neither request seems unreasonable in context. By week six, the app holds: mental health intake data (48 questions), location history reconstructing home, work, and gym addresses, microphone access, and device identifiers linked to their social media and retail accounts through a data broker’s cross-app matching system.
In April, the user decides to stop using the app and deletes it from their phone. Their data, the 48-question health assessment, six weeks of location history, journal entries, remains on the company’s servers. The privacy policy contains no stated retention period. Nine months later, the company is acquired. The new owner’s privacy terms permit broader commercial data use than the original policy allowed. The user receives a brief email notifying them of the acquisition; there is no mention of what happens to their mental health data.
The contrast with a clinical setting is stark. Had the same person discussed their anxiety and medication history with a licensed therapist, HIPAA would have governed every aspect of that data’s storage, sharing, and retention. Because they used a consumer app, none of those protections applied. The app dark patterns data collection in this scenario was technically legal at every step, a point that should inform how skeptically users approach health app onboarding, even for apps with strong reputations.
Your Action Plan
-
Audit every health app’s permissions this week
Open your phone’s settings and review permissions for every wellness, fitness, mental health, and nutrition app you have installed. Revoke any permission that does not match the app’s core function. Microphone access in a calorie counter, precise location in a meditation app, and contacts in a sleep tracker are all red flags. This one step takes under 20 minutes and produces an immediate, measurable reduction in your data exposure.
-
Search before you download
Before installing any new health app, spend two minutes searching “[app name] + FTC,” “[app name] + data broker,” and “[app name] + privacy settlement.” This surfaces enforcement actions, investigative reporting, and known data-sharing practices that the app’s own description will never mention. If a mental health or fertility app has faced FTC scrutiny, that information is public and findable in under two minutes.
-
Slow down at every consent screen
During onboarding for any new app, scroll the entire consent screen before tapping “Continue.” Look specifically for pre-checked boxes below the visible fold, greyed-out or small-text “Reject” options, and any reference to sharing with “analytics partners,” “third-party services,” or “service improvement.” If the only clearly visible option is “Accept All,” navigate to “Manage Preferences” before proceeding.
-
Disable cross-app ad tracking on your device
On iPhone, go to Settings, Privacy and Security, then Tracking, and turn off “Allow Apps to Request to Track.” On Android, navigate to Settings, Privacy, then Ads, and opt out of personalized advertising. These steps do not eliminate data collection, but they sever the device-identifier link that allows advertisers to match your activity across unrelated apps. It takes five minutes and meaningfully reduces cross-app profiling.
-
Submit data deletion requests before uninstalling
Before deleting any health app, submit a formal data deletion request through the app’s in-app settings or via the privacy contact email listed in the policy. Save a screenshot or email confirmation. Without a documented request, your health disclosures remain on the company’s servers with no automatic deletion timeline and no legal obligation (outside specific state laws) to purge them.
-
Limit how much you disclose in health quizzes
When a wellness app presents a mandatory health assessment before granting access, provide only what is genuinely necessary for the feature you want. Many “required” fields accept minimal responses. Avoid disclosing specific medications, mental health diagnoses, or reproductive details unless you have verified the app’s data practices and have a specific reason to trust them. The “personalized plan” offered in exchange is rarely meaningfully better with more specific health data.
-
Set a quarterly permission and news audit
Add a calendar reminder every three months to re-review app permissions (new permissions can be granted by mistake during updates), check for FTC enforcement news involving your apps, and assess whether apps you rarely use warrant keeping. Permission creep accumulates silently; a scheduled audit catches it before it compounds over months or years.
-
Know your state’s specific rights
California (CCPA/CPRA), Colorado, Connecticut, Virginia, and a growing list of states have enacted consumer data rights that extend beyond federal law, including the right to know what data is collected, the right to delete, and opt-in requirements for sensitive health data. If you live in one of these states, you can submit formal data access requests to health app companies and legally require a response. Check the FTC’s report on dark patterns for current guidance on exercising these rights. Individual circumstances vary, and for complex situations involving sensitive health data, consulting a privacy attorney familiar with your state’s laws is worth considering.
Frequently Asked Questions
Do dark patterns only appear in shady or obscure apps?
No. The 2024 FTC/ICPEN review found that nearly 76% of 642 examined subscription websites and mobile apps used at least one dark pattern. These included well-known, widely used platforms. The BetterHelp and Cerebral enforcement actions involved apps with millions of users and significant mainstream visibility. Dark patterns are standard industry practice across the spectrum of app quality and reputation, not a feature of low-quality or marginal products.
Is health app data actually worth money to advertisers?
Yes, and the price premium is specifically tied to the medical specificity of the data. A user profile that includes a mental health diagnosis, fertility status, and medication history is far more valuable for targeted advertising than generic demographic data. Advertisers can use health signals to target insurance products, pharmaceutical advertising, and lifestyle products with precision that other data categories cannot match. The FTC’s 2024 investigation confirmed that wellness platforms were selling this data to advertising networks and data brokers as a routine revenue stream.
Does HIPAA protect my data in health apps?
For most consumer health and wellness apps, HIPAA does not apply. The law covers “covered entities”, licensed healthcare providers, insurers, and their business associates. A meditation app, a period tracker, a nutrition logger, or a therapy platform that operates independently of a licensed healthcare provider is not a covered entity. Your most sensitive health disclosures in those apps receive no HIPAA protection. The FTC’s amended Health Breach Notification Rule (effective July 2024) adds some coverage, but it requires notification of breaches, not the broad privacy protections that HIPAA provides in clinical settings.
Can I trust an app that says it doesn’t sell my data?
That phrase requires scrutiny. Many apps technically do not “sell” data in the traditional sense, but they share it with advertising partners, analytics platforms, and data brokers through arrangements structured as service agreements rather than sales. Under California’s CCPA, “selling” has a broad legal definition that includes some of these arrangements, but under most other frameworks the technical distinction allows significant data transfers to happen behind a truthful-sounding claim. When evaluating this, look for apps that name their specific third-party data recipients, not just promise a general policy of not selling.
How does permission creep differ from a normal app update?
App updates can legitimately introduce new features that require new permissions, and apps are required to prompt for new permissions when they add functionality. Permission creep is distinct in that it involves requests for permissions unrelated to the app’s core purpose, timed to moments of high engagement rather than tied to a specific new feature. The clearest indicator is a mismatch: if a calorie-tracking app prompts for microphone access and the explanation is vague (“to improve your experience”), that is creep. If a voice journaling app prompts for microphone access when adding a voice recording feature, that is a legitimate update.
What can I actually do if I think an app misused my health data?
You can file a complaint with the FTC at reportfraud.ftc.gov, and if you are in California or another state with consumer data rights legislation, you can submit a formal data access and deletion request to the company and file a complaint with your state Attorney General if the company does not respond. If the app is used by EU residents, a complaint to the relevant national Data Protection Authority is possible. Individual remedies are limited under current law, but complaints do feed into regulatory investigations, the BetterHelp and Cerebral actions both resulted partly from user complaints.
Are consent dark patterns illegal?
Under GDPR in the EU, several specific patterns, pre-ticked consent boxes, asymmetric button designs, buried opt-outs, are explicitly illegal for processing personal data. The European Data Protection Board’s Guidelines 3/2022 formalized this. In the United States, the legal picture is more fragmented: the FTC can take action under its unfair or deceptive practices authority, and several states have enacted specific restrictions, but there is no single federal law that explicitly prohibits most consent dark patterns. This is why enforcement is inconsistent and why the practices remain widespread despite regulatory attention.
How do I know if an app is using AI-optimized consent flows?
You generally cannot tell from the interface alone. What you can do is treat any consent screen as potentially optimized against your resistance, because for any large-scale app, it likely has been. Useful signals include consent modals that appear at suspiciously well-timed moments (just after a positive interaction, just before a desired feature), significant visual asymmetry between “Accept” and “Decline” options, and consent language that is technically accurate but structured to obscure the full scope of what you’re agreeing to. Treating every consent screen with deliberate slowness is the only practical countermeasure.
Do iOS apps have better privacy practices than Android apps?
Apple’s App Tracking Transparency (ATT) framework, introduced with iOS 14.5, requires apps to explicitly request permission before tracking users across apps and websites using device identifiers. This meaningfully reduced one vector of cross-app data sharing on iOS. Android has introduced similar opt-out mechanisms, though implementation is less uniform across manufacturers. Neither platform eliminates dark patterns at the consent UI level or prevents data sharing through first-party app analytics. iOS’s ATT is a genuine structural improvement, but it addresses one specific tracking mechanism while leaving others intact.
Is it worth paying for a health app to get better privacy?
Paid apps with no advertising model have one less incentive to maximize data collection for ad targeting, which is a genuine structural difference. However, paying for an app does not guarantee better privacy practices. Several paid health and therapy apps have faced FTC enforcement actions. The more reliable signal is the app’s specific privacy policy, its named data recipients, whether it offers a clear and functional “reject all” path, and whether it has faced regulatory scrutiny. Price alone is not a reliable privacy indicator, though a free app with no apparent revenue model beyond advertising should prompt additional scrutiny.
Sources
- Federal Trade Commission / ICPEN, Results of Review: Use of Dark Patterns Affecting Subscription Services and Privacy (2024)
- Federal Trade Commission, Bringing Dark Patterns to Light (2022 Report)
- European Data Protection Board, Guidelines 3/2022 on Dark Patterns in Social Media Platforms
- Office of the Privacy Commissioner of Canada, Joint Resolution on Privacy-Related Deceptive Design Patterns (2024)
- Global Privacy Enforcement Network, 2024 GPEN Sweep: Deceptive Design Patterns
- Irish Data Protection Commission, DPC Announces €345 Million Fine of TikTok (2023)
- RS Law Office, Harry Brignull on Dark Patterns (2018 interview)
- Deceptive.design (formerly darkpatterns.org), Dark Pattern Reference Library
- Federal Trade Commission, Health Breach Notification Rule (Amended, effective July 2024)






