Work apps share employee data with advertisers, study

Incogni has published research on how widely used workplace apps collect and share employee data. The study examined a group of popular work tools used on personal devices.

The apps reviewed collect an average of 19 data points per user, the report found, with several also sharing personal information with third parties for advertising or marketing. Incogni said the spread of Bring Your Own Device policies has increased the amount of personal information exposed through tools employers often require staff to install.

Among the apps studied, Gmail collected the most personally identifiable information, with 26 distinct data types listed, including approximate location, app interactions and user IDs.

Notion shared the most personal data with third parties, according to the research. The information included names, email addresses, user IDs, device IDs and app interactions.

Zoom Workplace and Microsoft Teams were the only apps in the study that collected precise location data. The report described this as one of the most sensitive categories of personal information gathered by workplace apps.

Workday stood out for a different reason. It was the only app in the review that did not allow users to request deletion of their data, despite collecting user IDs and location data.

Todoist was the only app in the sample not linked to a reported data breach, the study found. As part of the research, Incogni also reviewed publicly reported breaches and security incidents connected with each app or its parent company.

Communication tools and email platforms tended to collect the most information, while productivity apps were more likely to share data with third parties. Incogni said this pattern suggests data practices vary across workplace software categories rather than following a uniform approach across the sector.

The scope of the issue is broad. According to Incogni, the leading workplace apps covered by the report have been downloaded more than 12.5 billion times in total on Google Play.

Data handling

The findings highlight the privacy trade-off created when work software is installed on personal devices. While consumer apps have faced years of scrutiny over data collection, workplace tools may receive less attention even when they gather substantial amounts of user information.

Incogni drew a distinction between social media services and workplace software, noting that the latter are often mandatory in practice. That means employees may have limited ability to avoid an app's data collection if it is required for communication, collaboration or administration at work.

The study focused on what data apps say they collect, whether they share that data with third parties and the purposes listed for its use. Rather than limiting the analysis to one type of service, it looked across email, communication, productivity and human resources software.

Some of the categories named in the report go beyond basic account details. Workplace apps can access contact details, financial information and location data, widening the potential privacy impact when personal and professional use overlap on the same device.

Darius Belejevas, Head of Incogni, said the findings show work apps should not be viewed separately from the wider commercial data market. "People tend to think of workplace apps as safe tools, but they don't exist in isolation."

"A lot of them are part of much larger data ecosystems. Once information is collected, especially if it's shared with third parties, it can travel much further than users expect."