BACKGROUND

Smartphones are increasingly ubiquitous, and apps related to medicines are widely used by clinicians and consumers. A survey of UK clinicians found the majority used apps in their clinical practice, including drug formularies, dose calculators, and drug preparation and administration, and found them very helpful.1 The accessibility and portability of mobile apps pose an opportunity for improving medication adherence, and there are several thousand such apps available to consumers, though there is concern about their quality and relevance.2

In 2011, a New York Times investigation revealed that a popular, free application (app), Epocrates, used by clinicians to look up information on drug dosing, interactions, and insurance coverage presented users with highly targeted advertisements from pharmaceutical companies.3 The World Health Organization (WHO) recognizes that pharmaceutical industry promotion is a public health concern due to its impacts on the cost, quality, and safety of healthcare and provides a code of conduct detailing ethical criteria for drug promotion.4 However, this document dates from 1988 and needs updating to account for promotional activities occurring through novel technologies such as mobile apps.5 Digital platforms, for example, allow for interactive direct-to-consumer advertising, soliciting information about the consumer while delivering promotional and other messaging that prompts the consumer to self-diagnose, request a particular medication, or fill a prescription.6 Such practices represent an insidious form of direct-to-consumer advertising and in some countries, may allow companies to skirt regulation.

User data collected from medicines-related mobile apps may be particularly valuable to commercial interests and thus, vulnerable to privacy and security risks.7 Researchers have focused on privacy and security risks stemming from the sharing and aggregation of user data among third parties8,9,10,11 or vulnerabilities of apps to malicious hacking.12, 13 We previously conducted a traffic analysis of data transmitted from 24 medicines-related apps to the network, finding the majority of apps shared user data with third parties and that this data could be further shared, aggregated, and potentially re-identified, within the wider mobile ecosystem.14 However, in our analysis, 50% of sampled apps transmitted user data to the developer or parent company, termed “first parties.” Among these 12 apps, 83% (10/12) transmitted unique identifiers such as Android ID; 58% (7/12) health-related data such as medication lists, symptoms, or conditions; and 17% (2/12) personally identifying information such as name or birthdate.14 Analyses of health app privacy policies suggest there is little transparency around user data collection and sharing.12, 15,16,17 Thus, the reasons that app developers collect user information and the way it is used, particularly for commercial purposes, are largely unknown. We aimed to investigate the nature of user data collection, analysis, and commercialization by developers of prominent medicines-related apps and the implications for app users.

METHODS

We conducted a content analysis of apps’ store descriptions, developers’ websites, privacy and editorial policies, and investor or advertiser prospectuses, where available. The methods are reported in accordance with the COREQ reporting guidelines.18

Sampling

Using a crawling program, we identified the top 100 paid and free apps in the Medical store category of the USA, UK, Canada, and Australia Google Play app stores on a weekly basis from October 17 to November 17, 2017, and hand-searched a systematic review of medicines-related apps,19 and the iMedical app library; our network of practicing pharmacists reviewed the list for omissions. Figure 1 displays the app screening process and reasons for exclusion. Apps were included if they:

  • Pertained to medicines management, adherence, or information

  • Were available to Australian consumers using the Android platform

  • Requested at least one “dangerous” permission, as defined by Google Play20

  • Required user input in their functionality

Figure 1
figure 1

Sampling flow diagram for prominent medicines-related apps.

Full size image

Data Collection and Analysis

Using an author-generated open-ended form in RedCap,21 two investigators independently extracted data related to the company characteristics, mission, main activities, data-sharing partnerships, and privacy practices verbatim. For each app, we extracted data from the app store description, and if available, the developer’s website, privacy policy, terms and conditions, and investor or advertiser prospectuses. Data were extracted between February 1, 2018, and July 15, 2018. Any discrepancies were resolved through consensus or consolidation, taking the more recent information as accurate.

All documents were imported into NVivo 12 (QSR International). QG performed open, inductive coding on all unstructured data related to app developers, developing two groups of codes: codes related to main activities and company mission, and codes related to user data collection, analysis, or commercialization. QG wrote descriptive memos providing an overview of each group of codes, guided by the questions: whether, how, and to what end do app developers employ user data? The authorship team reviewed these memos, discussing and revising the coding scheme until all codes and data were accounted for. This resulted in final coding scheme used to categorize the developers’ main activities, and another documenting developers’ promotional strategies, both in relation to user data. QG then re-coded the unstructured data using the final coding scheme and wrote memos including detailed qualitative findings with illustrative quotations. To provide context and to further demonstrate the nature and range of promotional strategies, QG calculated frequencies on privacy practices and the set of final codes. KC independently verified the frequencies. The authorship team again reviewed and finalized the coding scheme, which formed the basis for organizing our results and tables.

RESULTS

Table 1 describes app and developer characteristics for the 24 included apps. We thematically categorized apps into two groups based on developers’ main activities and company missions: apps primarily targeted at consumers and focused on medication adherence and apps primarily targeted at clinicians and focused on practice supports.

Table 1 Characteristics of Included Apps and Developers (n = 24)
Full size table

A total of 42% (10/24) primarily provided mobile services related to medication management such as mobile medication lists, pill reminders and identifiers, or prescription refills. The core theme among these apps’ promotional messages was the positive value placed on the ability to share collected data with the developer, across devices, with caregivers, or with trusted health professionals. One developer, Talking Medicines, encouraged users to share as much health information as possible: “The more information you provide for your profile, medicines and health conditions, the more MedSmart can help you take control of your medicines and your health.”

A total of 58% (14/24) primarily provided drug or medical information on a mobile platform, including clinician drug guides, symptom checkers, and prescribing support. The core theme among apps providing medicines-related information was that they were “evidence-based.” Developers promoted their apps as “trusted,” “objective,” “unbiased,” and “impartial” sources of drug information. A number of developers, including Lexicomp, UpToDate LLC, and Drugs.com, specifically emphasized their independence from pharmaceutical companies.

The Nature of User Data Collection and Sharing

A total of 92% (22/24) of the apps had a privacy policy; however, only 38% (9/24) were specific to the app, 46% (11/24) addressed the developer’s multiple apps or platforms, and 8% (2/24) applied to the company in general. Twenty-nine percent (7/24) of apps’ privacy policies mentioned compliance with privacy legislation (e.g., European Union General Data Protection Rules (GDPR)).

Developers described collecting information that users actively provided through registering, or using the app (including name, email address, clinical specialty, medication lists, or symptoms). Developers also collected user information automatically using third-party analytics services (e.g., Google Analytics), cookies, and “various tracking methods” (including date and time of use, IP address, location, or unique mobile device ID). Developers distinguished among personally identifying information, which could be used to identify and/or contact a specific user (e.g., name); “pseudonymous” information, which could be used to uniquely identify a user, but not by name (e.g., advertising identifiers); and anonymous user information reported in aggregate.

Commonly, developers (58%, 14/24) collected user data for the purpose of “analytics” in order to understand how the app was being used and to optimize and tailor content. Thirty-three percent (8/24) of developers explicitly stated that users’ identifying information would not be sold to third parties. However, analysis of developer websites, privacy policies, and investor and advertiser prospectuses identified a range of promotional strategies involving users’ data (Table 2). The majority of developers (71%, 17/24) reported employing at least one promotional strategy, designed for commercial purposes, which we categorized as follows: marketing the developer’s own products and services; advertising revenue; sponsorship revenue; commercializing customer “insights”; licensing the app; and exclusive “supply agreements” (Table 3).

Table 2 Range of Promotional Strategies Involving User Data
Full size table
Table 3 Illustrative Examples of Commercialization of User Data (n = 24)
Full size table

“For Our Own Marketing Purposes”

A total of 38% (9/24) of the apps’ privacy policies described collecting user data for the purposes of marketing the developer’s own products and services (Table 3). Privacy policies outlined users’ ability to “opt-out” (in the form of an unsubscribe notice) or stated that this type of marketing would only occur with the user’s consent (though this process was not always specified).

Revenue from Tailored Advertising

Developers reported 29% (7/24) of apps hosted advertisements and that this often allowed them to provide the app at no cost to users; only 25% (6/24) were labeled with “contains ads” in the Google Play store.22 In some cases, developers embedded an ad library into their application’s code and had no control over which ads appeared in their app (e.g., banner ads) or whether and how third parties tracked users and their data. Three of the sampled apps (Drugs.com Medication Guide, Epocrates Plus, Medscape) actively solicited advertisers such as pharmaceutical and other health-related companies and embedded these ads into their app and/or website content (e.g., native ads). In advertising prospectuses, developers emphasized the reach of their apps to the “global English-speaking community” (Drugs.com) and their accessibility to clinicians “in the moments of care” (Epocrates, Inc.).

Advertising could be “highly targeted” to the audience based on user characteristics. Epocrates, Inc.’s sponsored “DocAlert” messages, for example, contain branded clinical content and are targeted by “disease state, occupation, specialty, look-up history, formulary coverage, [and] geographies.” Epocrates, Inc. boasted a 3:1 return on advertising investment, alerting sponsors that they would be provided with physician-level data about the performance of their ad. User data were also used for “remarketing services” where app developers engaged third-party services (e.g., Google AdWords) to serve users targeted advertising on third-party websites after the user visited their app or associated website. Developers outlined a variety of ways that users could opt-out of tailored advertising; users would, however, continue to receive generic ads, but their information would not be used for the purpose of serving “interest-based ads.” Typically, this meant the user had to visit the individual websites of the advertising networks to opt-out or to modify settings on their device (e.g., turning off an app’s permission to access the user’s location).

Revenue from Sponsored Content

A total of 17% (4/24) of developers hosted sponsored content within their apps and websites (Drugs.com, Epocrates, Inc., MedAdvisor, WebMD). Developers distinguished between sponsored content (paid for by sponsors but controlled by the developer) and advertising (paid for and created by sponsors) in their editorial policies, but sometimes described advertising that blurred this boundary. For example, WebMD, the developer of Medscape, in their media kit, described the opportunity for “custom content development,” where advertisers could work with WebMD’s “DNA brand studio” to “tell [their] story through the creation of emotive content that is grounded in editorial insights and designed to influence action and drive emotional connections.” Developers identified sponsored content by appending labels such as “Funding from,” “Provided by,” or “From Our Sponsor.” Typically, this content linked to the sponsor’s website. In some cases, the source of the content on medicines information was ambiguous. Talking Medicines provided users “useful info about some key medicines,” which they described as “curated content taken from what people are saying on the web, popular conversations about medicines.”

The mobile platform also enabled sponsored content to take the form of targeted messaging based on user characteristics. In their Investor Prospectus, MedAdvisor promoted its app as allowing “pharmacists and pharmaceutical manufacturers to connect with their patients.” Pharmaceutical companies could sponsor targeted messaging on a subscription basis, aimed at boosting adherence rates (“adherence increases of up to 30%, translating to up to 30% more dispenses of those medications per annum, and reduced ‘drop-off’”) and “brand loyalty” as benefits of this subscription.

Commercializing Customer Insights

Two developers (Talking Medicines, GuildLink Pty Ltd) monetized their apps by selling reports of aggregated, de-identified users’ information or behaviors within the app. Talking Medicines, the developer of MedSmart Meds & Pill Reminder App, positioned itself as offering “unique patient insights from how medicines are used in the real world to healthcare stakeholders including pharmaceutical companies.” To users, the app was promoted as “designed to help you keep track of taking medicines” in the Google Play store description. However, the developer’s website is geared towards pharmaceutical companies as “customers”:

By understanding who is actually taking the medicines that are being developed and how they are being taken in the real world helps marketing teams to connect with their patients, listen to them and add value in their marketing communications and negotiations for listings.

They offered several types of commercial data reports to pharmaceutical companies, available as a subscription service, including “personal data” (what type of people are taking their medicines), where they sit within the competitive set, the combinations of over-the-counter and prescription medicines that people take, and “deeper dive analysis” to “uncover behavior and answer specific questions and challenges.” In contrast, some apps, such as Lexicomp, specifically stated that they “do not provide pharma companies with statistics reflecting end user usage habits.”

Licensing the App

Two apps (myPharmacyLink, MedAdvisor) specifically offered the ability for pharmacies to fully customize the app to the pharmacy’s branding to encourage “repeat business through easy script refill functions” (GuildLink Pty Ltd). MedAdvisor licenses its app to pharmacies, promoting itself as offering “compelling advantages to pharmacists, who benefit from increased revenue as patients are reminded to fill prescriptions or see their doctor for a new script.”

Exclusive “Supply” Agreements and Product Placement

In one case, MedAdvisor engaged in a form of sponsored product placement by entering into an exclusive 2-year “supply agreement” with GlaxoSmithKline, where GSK’s brand “Panadol Osteo” was granted exclusive access to be the only paracetamol-based product to engage with app users through sponsored targeted messaging.

DISCUSSION

In this sample of 24 medicines-related apps for the Android platform, developers commonly collected and employed app users’ data in a feedback loop to target users with promotional messages from developer and parent companies, third-party advertisers, and commercial sponsors, including the pharmaceutical industry. Developers employed user data for targeted marketing and tailoring of sponsored content, which calls into question the claims developers made about the trustworthiness, independence, and risk of bias of medicines information that is purportedly evidenced-based. Ultimately, these often insidious promotional practices create the risk for mistreatment, overtreatment, or overdiagnosis through promotion of new, costly, and branded products or services, particularly medicines, that are unnecessary or represent little benefit over existing treatments.5

Apps targeted primarily at clinicians attracted advertising from pharmaceutical and other medically related companies, much like a medical journal. Although doctors frequently rely on pharmaceutical advertising to learn about new products, analyses of advertising in medical journals suggest that key information, particularly in relation to safety, is often missing and that misleading claims are prevalent.23, 24 Digital advertising, however, allows for an unprecedented level of targeting to the individual clinician across platforms and in the context of apps, accompanies a user in the moment of care, making it highly tailored and ubiquitous in contrast to traditional print advertisements. In our analysis, developers boasted of the return on investment that this form of “interest-based” advertising offered, suggesting that it is also effective in promoting prescriptions. Medical journal advertising declined from $744 million in 1997 to $119 million in 201614; mobile apps may offer a new and largely unregulated avenue for targeting clinicians. Thus, guidance pertaining to drug promotion requires updating to account for these new advertising tactics and also a broader range of ethical values, such as privacy.5

Apps designed to promote medication management and adherence encouraged and enabled users to share their medicines-related data; however, developers also used this information for commercial purposes—albeit typically in aggregated and de-identified forms—and informed consumers only in the “fine print.” A longitudinal survey of 4000 USA consumers found that only 11% of respondents were willing to share their health data with tech companies like Google or Facebook, and 20% with pharmaceutical companies.25 Unfortunately, health-related data, or data that can be used to make inferences about one’s health, are shared routinely and often without users’ informed or express consent.14, 17, 26

Developers in our sample commercialized app user data in the form of selling or licensing reports of user behavior within the app. This is another example of what has been termed the “digital patient experience economy,” where patients’ online accounts are collected through digital platforms specifically for the purpose of commercializing this data in form of targeted advertising or on-selling the data to third parties.27 Other content analyses of health-related apps have similarly found that the commercial interests underpinning the content or platform lack transparency.28

Limitations

This is a cross-sectional content analysis and developers may have updated their privacy policies or business practices. Our sample is restricted to apps for the Android platform; it is not known how the privacy practices of medicines-related apps on the iOS platform compare. Our purposive, criterion sampling strategy was designed to sample prominent medicines-related apps that were likely to share data; thus, while information-rich, the strategy emphasized similarities rather than variability. Our findings are therefore not generalizable to medicines-related or health apps in general, and other purposive sampling strategies may have detected a greater diversity of promotional strategies. Many privacy policies were not specific to the app; thus, it is not known to what degree inferences about data collection or commercialization practices apply to use of the app, linked websites, or both.

Implications for Practice and Policy

Our findings suggest that medicines-related apps may be a novel means to promote medicines that has largely escaped academic and policy scrutiny. Parker and colleagues5 proposed that the WHO update and expand the ethical criteria for drug promotion, suggesting that criteria be grounded in principles of public health ethics including, but not limited to, maximizing benefit, minimizing harm, promoting autonomy, and communicating honestly. We suggest implications for practicing clinicians and policymakers, drawing on relevant principles of public health ethics in regard to use of medicines-related apps:

  • Maximizing benefit: Clinicians should seek out developers who are independent of medically related industry, which includes apps that are free of advertising and industry sponsorship.5 Ideally, content should be independent, peer-reviewed, authors and contributors credited, and free from conflicts of interest.

  • Minimizing harm: Clinicians should select apps with content available offline that request minimal permissions related to user data, permit users to control what data is shared when, and with whom (e.g., turning off location tracking), or, at minimum, offer full transparency about privacy practices.14 Clinicians should educate themselves on drivers of and conditions that are prone to mistreatment, overdiagnosis, and overtreatment,29, 30 and be prepared to discuss and potentially counter promotional adherence messages targeted at patients.31

  • Promoting autonomy: Regulators should prohibit direct-to-consumer advertising and product placement (i.e., “exclusive” supply agreements) within apps to allow individuals to make and act on their personal choices in relation to their health.5

  • Communicating honestly: Regulators should require, at minimum, full transparency about the nature of user data collection and use. Clinicians should also consider raising issues related to sponsorship, advertising, and privacy practices when discussing app use with patients as part of the process of informed consent.

Unfortunately, this analysis also highlights that identifying and selecting apps that meet these ethical criteria require some due diligence, and we recommend that clinicians research apps prior to use, including reading privacy and editorial policies.

CONCLUSIONS

Though there is growing concern about third-party access to app users’ data, app developers also routinely employ users’ data for commercial purposes. Promotional strategies can be highly targeted on the basis of user characteristics and may create a heightened risk for mistreatment, overtreatment, or overdiagnosis associated with drug promotion in general. Many promotional strategies lack transparency or rely on implied rather than informed consent through download and use of the app. Sponsored content, targeted messaging, or product placement in the context of apps providing medicines information calls into question whether these apps are truly evidence-based and independent. Clinicians and consumers should seek out medicines-related apps from developers that do not commercialize user data.