Estimated Time to Read: 10 minutes
In 2025, smartphones aren’t just tools; they’re lifelines. We rely on apps for our calendars, finances, communication, entertainment, and even transportation. But this reliance raises a critical question: are these apps safeguarding our personal data, or exploiting it?
The 2025 App Privacy Index, released by Tenscope, provides an exhaustive answer. By analyzing the top 100 free apps in the U.S., the report uncovers how much data these platforms collect, how they track users, and the manipulative design tactics they employ. The results highlight both the risks of today’s app economy and the possibilities of a more privacy-conscious future.
Key Findings from the 2025 App Privacy Index
Tenscope’s research paints a stark picture of the current digital landscape. Tracking is the norm, with 75 percent of the top 100 free apps collecting data specifically to follow users across other apps and websites, primarily for advertising purposes. Messenger stood out as the worst offender, scoring a perfect 100 out of 100. It collects more than twenty times the weighted data of some of the most private apps in the study, cementing its position as the most invasive app in America.
The study also revealed some surprises. Ride-sharing giant Lyft ranked third-worst, scoring 69 and collecting more data than Amazon and even Google Maps. This shows that data collection is not confined to social media companies but extends across industries, including transportation. Yet the report also offered some encouragement. Apps like ParentSquare, with a score of just 4, and Microsoft Edge, with a score of 11, demonstrate that privacy-friendly design is not only possible but practical. These platforms provide robust functionality while requesting minimal personal data.
As Tenscope’s Creative Director, Jovan Babovic put it, “Good design empowers users, but what we found is a landscape where design is often used to manipulate them. This report isn’t just a list; it’s a call for greater transparency and a guide for consumers to reclaim control of their digital identity.”
The Most Invasive Apps of 2025
The ten most invasive apps reveal which companies rely most heavily on data collection as part of their business model. Messenger leads the way with its perfect invasiveness score, followed closely by Pinterest, Lyft, Amazon Shopping, and DoorDash. Duolingo, Google Maps, WhatsApp Messenger, DoorDash Dasher, and Expedia round out the list. What unites these platforms is their dependence on hyper-personalized monetization strategies. From food delivery to language learning, the incentive is to normalize constant requests for location, contacts, and financial information under the guise of improved user experience.
The Most Private Apps of 2025
At the other end of the spectrum are apps that prove restraint in data collection is possible without compromising performance. TeaOnHer achieved a perfect privacy score of zero, with ParentSquare, Tea, PowerSchool Mobile, Sleeper, Bible Chat, ReelShort, DramaBox, Claim, and Microsoft Edge following closely behind. These companies have prioritized user trust by limiting data collection to what is strictly necessary, creating a fundamentally different approach to user experience.
As Babovic observed, “What this list proves is that data collection is a choice, not a necessity. These companies have prioritized user trust by designing their platforms to function effectively without harvesting unnecessary information.”
How Deceptive Design Manipulates Users
Beyond raw data collection, Tenscope emphasized the manipulative design patterns that apps use to obtain permissions. One common tactic is the “all or nothing” consent request, in which multiple unrelated permissions are bundled together, forcing users to either accept them all or lose functionality. Another is the just-in-time request, where permissions are asked for in the moment of use, such as granting microphone access when recording a video. This makes permanent access seem reasonable for a one-time action. Even after permissions are granted, many apps bury privacy controls under layers of confusing menus, creating a hidden maze of settings that discourages users from revoking access. These design choices illustrate how user interfaces can be weaponized to erode autonomy.
Texas Moves That Reflect the Index: HB 4 and the TDPSA
Because Texans make up a large share of app users, state policies have a significant influence on the privacy landscape. In 2023, the Legislature passed House Bill 4 (HB 4), the Texas Data Privacy and Security Act (TDPSA), which took effect in July 2024.
HB 4 regulates how businesses collect, use, and process personal data, applying to entities that do business in Texas, process or sell personal data, and are not classified as small businesses. It defines personal data broadly to include any information linked to an identifiable individual, while sensitive data includes race, religion, health status, biometric identifiers, precise geolocation, and information collected from children. Importantly, it also prohibits the use of “dark patterns”, manipulative interfaces that impair consumer choice, to obtain consent.
The Act gives Texans enforceable rights over their data. Residents can confirm whether a company is processing their information, correct inaccuracies, request deletion, obtain a portable copy of their data, and opt out of profiling, targeted advertising, or the sale of their personal information. Businesses must respond to requests within forty-five days, provide clear privacy notices, and secure consent before processing sensitive data.
Enforcement lies exclusively with the Texas Attorney General, who can issue civil investigative demands, impose fines of up to $7,500 per violation, and seek injunctions. There is no private right of action, meaning Texans depend on state enforcement rather than individual lawsuits.
HB 4 represents a serious step toward curbing the kinds of deceptive practices that Tenscope highlighted. It forces transparency where apps have long thrived on opacity. But it also shows the limits of state law, particularly when data moves across state or national boundaries.
SB 2420: When Privacy Efforts Risk Liberty
The Legislature did not stop with HB 4. In 2025, lawmakers passed Senate Bill 2420 (SB 2420), the App Store Accountability Act, which takes effect on January 1, 2026. At first glance, the law seems like a natural extension of HB 4, focusing specifically on minors and digital marketplaces. It requires app stores to verify ages, categorize users, obtain parental consent before minors download apps or make in-app purchases, and enforce parental controls.
Yet despite its privacy framing, Texas Policy Research opposed SB 2420. The measure represents an expansion of state authority that undermines liberty, innovation, and parental autonomy. By mandating a uniform system of parental consent for every download or purchase, the law substitutes government control for family discretion. Instead of equipping parents with tools and education, it forces them into an inflexible, transactional process that risks undermining the very engagement it seeks to encourage.
From an economic perspective, the law imposes compliance costs that large companies can absorb but that smaller developers and startups may not survive. By prescribing how platforms must structure accounts, manage consent, and monitor transactions, the bill intrudes into free enterprise and risks chilling innovation in Texas’s tech economy. Worse, it misdiagnoses the problem: targeting app stores broadly instead of addressing predatory platforms and harmful content directly.
While child protection is a shared goal, SB 2420 reflects a top-down regulatory model that is inconsistent with Texas’s tradition of limited government. It expands state power into family life and private enterprise, creating uniform mandates where market-based solutions and parental judgment should prevail.
The Missing Piece: Texas and the Right to Be Forgotten
While Texas has taken steps to expand consumer privacy through HB 4 and passed additional measures like SB 2420, it has not gone as far as Europe in adopting the “right to be forgotten.” This concept was formalized under the General Data Protection Regulation (GDPR), a comprehensive privacy law enacted by the European Union in 2018. The GDPR sets strict rules for how businesses collect, store, and process personal data, and it grants individuals broad rights, including the ability to request deletion of information that is outdated, irrelevant, or no longer necessary.
In Europe, this has been hailed as a way for people to regain control of their digital footprint. In the United States, however, such a policy collides with constitutional and cultural realities. The First Amendment strongly protects free speech and the public’s right to access information, making it difficult to reconcile with sweeping erasure requirements. If broadly applied, a right to be forgotten could put platforms in the position of censoring lawful information or rewriting the historical record.
The 2025 App Privacy Index underscores why these debates matter. Texans now have the ability under HB 4 to request deletion of their data from businesses, but once that information is published or indexed, there is no mechanism to force its removal from the wider internet. That leaves individuals more exposed to reputational harm and persistent tracking, even as it avoids the free speech conflicts that a European-style erasure mandate would create.
Rather than pursuing a right to be forgotten, the challenge for Texas will likely be finding a balance between empowering individuals with stronger privacy rights at the point of data collection while preserving free expression and access to information in the public domain.
Why the 2025 App Privacy Index Matters
The App Privacy Index goes beyond naming and shaming apps. It demonstrates that surveillance is the structural reality of the app economy, not an exception. It shows that privacy-first design is feasible, as proven by apps that function effectively without harvesting unnecessary information. And it underscores the importance of informed choice, both for consumers who can demand accountability and for lawmakers who must balance privacy with liberty.
For Texans, these lessons are especially relevant. HB 4 provides meaningful rights and protections, but SB 2420 shows the risks of privacy legislation that sacrifices liberty and innovation for rigid mandates. The absence of a right to be forgotten highlights how far the state still has to go in empowering individuals to reclaim their digital identity without undermining free speech.
Conclusion: Reclaiming Digital Autonomy
The 2025 App Privacy Index is a wake-up call. For users, it is a reminder to scrutinize permissions, explore privacy settings, and choose apps that respect personal data. For policymakers, it is a challenge to confront deceptive design without overstepping into parental authority or stifling innovation.
Surveillance-based platforms like Messenger continue to dominate the market, but the existence of privacy-conscious apps proves that a different model is possible. Texas’s HB 4 shows that progress is being made, while SB 2420 reveals the dangers of going too far in the wrong direction. And the ongoing debate about the right to be forgotten underscores the ultimate question: not just how data is collected, but whether people can ever truly reclaim it once it is out in the world.
The bottom line is clear: privacy is possible, but only if we demand it, and only if we protect freedom in the process.
Texas Policy Research relies on the support of generous donors across Texas.
If you found this information helpful, please consider supporting our efforts! Thank you!
