Your phone has roughly 80 apps on it. You probably use about 20 of them regularly, and you’ve forgotten what half the others even do. But they haven’t forgotten about you. Right now, while you scroll, stream, and check the forecast before leaving the house, those apps are doing something in the background that has nothing to do with the service they promised to provide. They’re collecting data, sometimes a little, sometimes a remarkable amount, and passing it along in ways most people never think to ask about.
This isn’t a paranoid fringe concern anymore. Researchers, regulators, and privacy analysts have spent years mapping exactly which apps are doing what, and the picture that has emerged in 2025 and 2026 is a lot clearer and more specific than the vague warnings of years past. The names at the top of the list won’t surprise you. But the breadth of what they collect, and the apps collecting data you’d never suspect, probably will.
Here is the complete list of apps found to be collecting sensitive user data, along with what each one takes, and what you can do about it.
Facebook, Instagram, Facebook Messenger, and WhatsApp (Meta)
Sensitive personal information, as defined by the California Consumer Privacy Act (CCPA), can be collected and processed by Meta’s products (with the exception of WhatsApp). That includes health information and sexual orientation data, categories that most people would consider among the most private they have.
According to Incogni’s 2025 Social Media Privacy Ranking, which evaluated 15 major social platforms across six privacy categories, Meta’s platforms rank as the most privacy-invasive of all the platforms surveyed, alongside TikTok.
The scale of the operation is what makes it distinctive. A study by Consumer Reports, drawing on data from 709 volunteers who shared their Facebook archives, found that a total of 186,892 companies had sent data about them to the social network. On average, each participant had their data sent to Facebook by 2,230 separate companies. Most of that data arrives through the Meta Pixel, a piece of tracking code embedded on thousands of third-party websites, which reports your activity back to Meta even when you’re not on Facebook or Instagram directly.
Google updated its own privacy policy in April 2026, but Meta’s practices are worth flagging for a specific reason: when comparing Meta’s data collection to TikTok’s, research from Internet Safety Labs found that Facebook collects significantly more personally connected data than TikTok on iOS, including health information, based on a comparison of Apple Privacy Labels.
Facebook has also received more privacy fines than any other platform in the study: once in the United States, four times under the EU’s General Data Protection Regulation (GDPR), and five additional times in other countries.
What you can do: Go into Facebook and Instagram’s settings and limit ad personalization. On iOS, use App Tracking Transparency (in Settings > Privacy & Security > Tracking) and deny tracking requests. Regularly check which third-party apps are linked to your Facebook account and remove any you no longer use.
TikTok
TikTok collects a wide range of data types, but two categories stand out as particularly significant. First, biometric data. TikTok’s privacy policy states that it may collect biometric identifiers and biometric information as defined by US laws, including faceprints and voiceprints, from user content. Where required by law, the company says it will seek permission before doing so.
Second, precise location. TikTok’s updated 2026 privacy policy now explicitly acknowledges that it may collect precise location data from users who enable device-level location services. Earlier policy language had emphasized approximate location derived from IP addresses or SIM data, and TikTok previously said it did not rely on GPS-level tracking for US users. The revised policy removes that distinction.
A third category has attracted particular scrutiny in 2026. TikTok’s policy now clearly states it may collect and process sensitive personal information including citizenship or immigration status. Civil liberties advocates note that immigration status is not just another demographic attribute, it is among the most legally and socially sensitive forms of personal data in the US, carrying heightened risks of discrimination and potential misuse by government or private actors.
Incogni’s 2025 research confirmed that TikTok is among the platforms that can collect and process sensitive personal information as defined by the CCPA. And unlike most other platforms, TikTok does not make its data deletion timeline readily available to users, meaning that when you delete your account, it’s not clear how long your data is actually retained.
The scale of TikTok’s reach extends beyond the main app. As of 2026, Internet Safety Labs found that TikTok and its related entities have 66 mobile apps available on app stores worldwide, up from 47 in 2025, spanning Android TV, Amazon, LG, and Samsung TV platforms. Their research also found that nearly 48,000 other mobile apps share data with TikTok through TikTok’s published Software Development Kits (SDKs).
What you can do: Go to your phone’s settings and ensure precise location is turned off for TikTok. If you use TikTok’s built-in AI tools such as filters or auto-captions, be aware that your interactions with those tools are being collected, including content you record and then choose not to post.
Google (Search, YouTube, Chrome, Maps, Gmail, and More)
Google’s privacy situation is structurally different from social media platforms because its reach operates across so many separate surfaces at once. The main privacy control in a Google account, called Web & App Activity, governs the bulk of what Google collects, including search history, Chrome browsing if synced, Maps queries, and Play Store activity.
Google updated its privacy policy in April 2026, with changes affecting how it describes data collection and sharing around advertising and analytics services. Notably, the update changed language about Incognito mode from “may still share” to “still share,” removing the qualifier that suggested sharing was conditional, and confirming that private browsing does not stop third-party sites from sharing your data with Google.
Google’s involvement in the real-time bidding (RTB) advertising system adds another dimension. RTB is the process by which ad space is auctioned in real time every time you load a page or open an app. Each time you see a targeted ad, your personal information is exposed to thousands of advertisers and data brokers through this process , and as explained in this overview of how your spending habits are tracked and sold, the data trail extends well beyond any single platform. A key vulnerability is that while only one advertiser wins the auction, all participants receive the data, meaning anyone posing as an ad buyer can access a stream of sensitive data about billions of users.
A class-action settlement against Google over its RTB system was reached in September 2025 and received final court approval in March 2026. The settlement requires Google to create a new privacy control allowing users to limit the information shared about them in RTB auctions. History has shown that opt-out controls rarely drive widespread adoption, users must actively turn them on.
Additionally, Google’s Gemini AI collects what you say to it (prompts and spoken requests), what you share with it including files and photos, and transcripts and recordings of Gemini Live interactions. Chats reviewed by human reviewers, along with related data like your language, device type, location, and feedback, are not deleted when you delete your activity and are instead retained for up to three years.
What you can do: Visit myaccount.google.com and review your activity controls. Turn off “Include voice and audio activity” under Web & App Activity if you use Google Assistant or Gemini. Set data auto-delete to three months rather than the default 18-month retention. Once Google’s RTB Control rolls out (required within 30 days of the March 2026 ruling), enable it in your account settings.
Discord, Twitch, LinkedIn, Snapchat, and YouTube
Sensitive personal information, as defined by the CCPA, can also be collected and processed by Discord, Twitch, LinkedIn, Snapchat, and YouTube. These platforms vary significantly in their risk profiles, but they share the capacity to handle data that goes well beyond usernames and email addresses.
LinkedIn stands out as the only platform in Incogni’s 2025 analysis that indicates it could collect users’ race or ethnicity data. Meta’s products and LinkedIn may also collect data on sexual orientation and health information.
Meta’s platforms, YouTube, Snapchat, Pinterest, X, and LinkedIn all indicate in their privacy policies that user data may be used to generate or improve AI models. This means that what you post, like, comment on, or search for on these platforms may contribute to the training datasets that power AI tools, sometimes without a clear opt-out mechanism.
Across Europe, data protection bodies have fined TikTok four times, Facebook four times, and WhatsApp, Instagram, and YouTube twice each. In the US, the Federal Trade Commission has brought privacy-related charges against Facebook, YouTube, TikTok, Snapchat, and X.
Of all 15 platforms Incogni examined, Discord ranked as the least privacy-invasive, in large part because it does not use user data to train AI models. That’s worth knowing if you’re looking for a messaging platform with a lower data footprint among the mainstream options.
What you can do: Check each platform’s privacy settings and look for AI data training opt-outs, where available. On Snapchat, Pinterest, X, and LinkedIn, opt-out controls do exist. On YouTube, review your Google account’s AI training preferences under myaccount.google.com.
The Weather Channel, AccuWeather, WeatherBug, and MyRadar
Weather apps are one of the most reliable examples of a category where the stated function and the actual business model have very little to do with each other. Every one of these apps needs your location to tell you the forecast. Not every one of them uses that location only for that purpose.
As noted in a Lifehacker analysis from September 2025, AccuWeather and Weather Channel were found sharing private user data with third parties, even when users had expressly opted out of tracking.
MyRadar, one of the most popular weather apps available, has been open about selling data to third-party companies including Arity, a mobility data and analytics company and subsidiary of Allstate Insurance, which tracks traffic patterns and geolocation by implementing its own software development kit in third-party apps.
The broader concern is that location data, once it leaves a weather app, doesn’t stay in the weather business. On January 14, 2025, the FTC orders against Gravy Analytics and Mobilewalla for collecting and selling consumers’ precise geolocation data without consent, including data harvested from popular apps. The FTC’s action against Mobilewalla was described as the first enforcement to focus specifically on the collection and use of consumer data through real-time bidding ad exchanges, where apps pass consumers’ personal data to advertisers during the auction process, including to advertisers who do not win the bid.
What you can do: Switch to your phone’s built-in weather app (Apple Weather on iOS, or Google Weather on Android) rather than a third-party weather application. If you use any of the apps listed above, go to your phone settings and set location access to “While Using App” or “Never.” Check your app permissions periodically.
Read More: How Social Media Is Reshaping Family Relationships
What to Do Now
The apps collecting your personal data aren’t doing anything most of them haven’t technically disclosed. The issue isn’t secrecy so much as friction, privacy policies are long, permissions prompts are vague, and the default settings on most platforms favor collection over protection.
Stopping it entirely isn’t realistic for most people, but meaningfully reducing it is. On an iPhone, you can see which apps are using which permissions by going into Settings, then tapping Privacy & Security, where you’ll find a list of permissions and the apps that have accessed them. On Android, go to Settings, tap Security and Privacy, then tap Permissions Used In Last 24 Hours. Go through that list and ask, for each app, whether the access it has makes sense for what it actually does. A game that has access to your precise location and microphone is not using that access to run better.
To opt out of ad tracking on Android, open the Settings app, tap on Google, then All Services, then select Ads, and tap Delete Advertising ID. While there, return to the Google Services page, tap Usage & Diagnostics, and toggle that setting off to prevent Google from tracking your app usage.
For weather apps specifically, the easiest fix is to delete third-party ones entirely and use your phone’s default. For social media, the most meaningful settings changes are disabling cross-app tracking, limiting location access to “While Using App,” and opting out of data use for AI training wherever that option exists.
The larger point is this: every app on your phone was built with a business model in mind. For free apps, you are frequently part of that model. Understanding which apps collect the most sensitive data, and what they do with it, is the first practical step toward deciding which ones are worth keeping.
A.I. Disclaimer: This article was created with AI assistance and edited by a human for accuracy and clarity.