
Mobile Apps Are Stalling On The Way To GDPR Compliance


Some apps don’t seem to be taking GDPR seriously – or maybe just don’t realize how much they’re leaving themselves exposed.

Although mobile apps aren’t necessarily more at risk of GDPR violations, they do have specific and nuanced tasks they must complete in order to comply, and many are noticeably behind.

Mobile apps that rely on advertising to monetize are particularly vulnerable. Developers integrate an average of 18 third-party software development kits into their apps, according to SDK management platform SafeDK, which means roughly 18 opportunities to improperly process data without consent.

“Apps have to ensure their third-party partners are also compliant – and they have to be prepared for any consequences of noncompliance on the part of their partners,” said Shamanth Rao, a user acquisition and growth marketing consultant and former exec at FreshPlanet and Zynga.

The problem is, most apps don’t seem to be prepared.

Each of the top 50 free iOS and Android apps in the App Store and Google Play contains multiple SDKs that appear to do some form of tracking and/or data collection, according to a July study from Evidon parent company Crownpeak.

Their presence doesn’t automatically translate into an issue, but the same study found that of 100 apps tested, 79 didn’t give users any type of consent notice or user-level controls over their preferences.

“Simply downloading an app doesn’t constitute unambiguous consent,” said Gabe Morazan, a senior product manager at Crownpeak.

What makes apps different?

Web-based publishers can comply with GDPR by removing the JavaScript tracking code from their websites without messing with the experience. In fact, scrubbing tracking scripts would probably improve the user experience by making it faster.

But tracking is often a core part of an app’s functionality, and getting rid of it could break features within a meditation, game or running app, for example.


“Without progress tracking, the app is practically useless,” Rao said. “Similarly, many mobile games have rewarded ads as an integral part of their game mechanics – and this would be significantly impaired in the absence of data collection.”

And getting consent to collect data, which is the legal basis used by most apps, is a challenge. App store discovery is tough and only getting tougher, and it’s a tricky balance between acquisition costs and giving users the opportunity to provide informed consent.

The quest for installs is so competitive that inserting any friction into the onboarding process could turn off users, said Eric Seufert, head of platform at San Francisco-based game developer N3twork.

“The funnel is so severe – there’s almost no organic discovery anymore – that it’s really difficult to introduce consent forms early on without experiencing some kind of loss of engagement, and that can wreak havoc on the acquisition economics,” Seufert said.

But managing third-party partner relationships presents one of the biggest quandaries for developers.

Apps share responsibility with their data processors for what data is collected, how it is stored and the handling of data subject requests, such as the right to be forgotten or data portability. Yet, some monetization partners are trying to sidestep their obligation, Seufert said.

“There’s a spider web of intermediaries out there that don’t want to take ownership of their responsibility,” he said.

There’s also a graveyard of unused SDKs within many apps that developers never bothered to delete and could be leaking data.

Before GDPR, many app publishers finally deleted this “legacy code” from their apps, said Ronnie Sternberg, chief business officer and co-founder of SafeDK.

Why so tardy to the compliance party?

Not every app is behind the eight ball on GDPR prep. N3twork dedicated much time and effort to compliance, including “many, many hours on the phone with our lawyers and a ton on lawyers’ fees,” Seufert said.

Others have taken a wait-and-see approach, however, especially smaller developers with fewer resources, said Crownpeak’s Morazan. Before taking action, some want to see what happens with ePrivacy or whether data protection authorities provide more specific GDPR-related guidance.

But even apps that are enthusiastic about compliance scrambled at the last minute. The IAB Tech Lab and IAB Europe didn’t release technical specs to support their transparency and consent framework for apps until about two weeks before the May 25 GDPR enforcement date.

“Publishers that were reliant on the in-app consent framework needed some time to adapt to it, to get the new version of their app into the app stores,” said Arndt Groth, president of mobile ad exchange Smaato. “They just had a slower start than publishers on the mobile web.”

Even so, many mobile app companies “have cut corners” and risked noncompliance, said Rao, and their gamble isn’t causing any blowback – yet.

For the moment, regulators, at least those in France, are focused on SDK providers rather than publishers. In July, the CNIL, France’s data protection authority, issued a public warning to Teemo and Fidzup, two mid-sized French startups, for processing data without informed consent.

In its warning, the CNIL said it will pay special attention to companies that develop and use SDKs to collect data, as Teemo and Fidzup both do. But it didn’t say whether either company’s publisher clients would be investigated.

It’s practical for regulators to hit SDK providers first because of the immediate knock-on effect across all apps in which they’re integrated. But that doesn’t mean apps are off the hook.

“Publishers shouldn’t wait for regulators to come knocking on their door before they get compliant,” Morazan said. “Not to mention the fact that the GDPR empowers an app’s end users, their own customers, to report any violations they see to their local data protection authority.”

What should apps do to comply?

The first thing an app must do to comply with GDPR is run a data-mapping exercise to identify what personal data is collected, why it’s collected and the lawful basis for collection and processing, whether it’s legitimate interest or, more likely, consent.

The next step is to create a data minimization policy. Under GDPR, companies can only collect data for specific business purposes and can’t keep data longer than necessary.

App developers should also identify all SDK partners and the data being collected so they can work together to set up data access and erasure mechanisms. This is also a good opportunity to cut any third-party chaff from the supply chain.

Once all of that is settled, developers can create consent prompts. It’s not a bad idea to examine the approaches taken by some larger apps with their consent pop-ups.

There’s no one way to do it, but opt-in notices do need full transparency without going overboard.

“Be specific enough to be informative,” Seufert said. “If you drill down into so much detail that a regular human can’t understand it, you’ll overwhelm people and they’ll just click ‘next’ without even reading.”
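The steps above (data map, minimization and retention policy, SDK inventory, access and erasure mechanisms, consent gating) can be made concrete in code. The following is an added example, not code from the article or from any company quoted in it: it keeps a per-SDK data map, reconciles it against the app’s build dependencies to surface undocumented “graveyard” SDKs, decides which SDKs may be initialised for a given user’s consent, works out which partners an erasure request must be forwarded to, and flags data held past its retention limit. All SDK names, purposes and retention periods are constructed placeholders.

```python
"""Consent-gated third-party SDK registry with data-map reconciliation.

Added example (not from the article): models the compliance steps the
article lists - a data map per SDK, a retention limit, a build inventory
reconciled against the map, consent gating before an SDK is initialised,
and fan-out of erasure requests to every partner that holds data.
"""
from dataclasses import dataclass

LAWFUL_BASES = {"consent", "legitimate_interest"}


@dataclass(frozen=True)
class SdkEntry:
    """One row of the app's data map: what an SDK collects and why."""
    name: str
    purposes: frozenset         # processing purposes the SDK needs
    data_categories: frozenset  # personal data categories it receives
    lawful_basis: str           # "consent" or "legitimate_interest"
    retention_days: int         # how long the partner may keep the data

    def __post_init__(self):
        if self.lawful_basis not in LAWFUL_BASES:
            raise ValueError(f"{self.name}: unknown lawful basis {self.lawful_basis!r}")


# Constructed data map; the SDK names are hypothetical, not real products.
DATA_MAP = {
    e.name: e for e in (
        SdkEntry("com.example.analytics", frozenset({"analytics"}),
                 frozenset({"device_id"}), "legitimate_interest", 90),
        SdkEntry("com.example.adnetwork",
                 frozenset({"ads_personalisation", "measurement"}),
                 frozenset({"device_id", "ad_id", "coarse_location"}), "consent", 180),
        SdkEntry("com.example.attribution", frozenset({"measurement"}),
                 frozenset({"ad_id"}), "consent", 30),
    )
}

# Constructed dependency list, as it might be read from build.gradle or
# Podfile.lock. "legacy-ads" is an SDK nobody removed and nobody documented.
BUILD_DEPENDENCIES = [
    "com.example.analytics",
    "com.example.adnetwork",
    "com.example.attribution",
    "com.example.legacy-ads",
]


def reconcile(dependencies, data_map):
    """Compare the build inventory with the data map.

    Returns (unmapped, stale): SDKs shipped in the app with no data-map row
    (undocumented processing, the "graveyard"), and rows whose SDK is no
    longer in the build (the map is out of date).
    """
    present, mapped = set(dependencies), set(data_map)
    return sorted(present - mapped), sorted(mapped - present)


def permitted_sdks(data_map, consented_purposes):
    """Names of SDKs that may be initialised for this user.

    An SDK relying on legitimate interest may run; one relying on consent
    runs only when every purpose it needs has been consented to. An SDK
    that is not permitted must not be initialised at all, since a running
    SDK typically starts collecting on start-up.
    """
    allowed = []
    for entry in data_map.values():
        if entry.lawful_basis == "legitimate_interest":
            allowed.append(entry.name)
        elif entry.purposes <= frozenset(consented_purposes):
            allowed.append(entry.name)
    return sorted(allowed)


def erasure_recipients(data_map, dependencies):
    """Partners an erasure (right-to-be-forgotten) request must be forwarded to.

    Every SDK that is both documented and still shipped holds personal data
    for this user; an unmapped SDK cannot be served because nobody knows
    what it collected, which is why reconcile() has to come first.
    """
    shipped = set(dependencies)
    return sorted(name for name, e in data_map.items()
                  if name in shipped and e.data_categories)


def retention_violations(data_map, records):
    """Records kept longer than the data map allows.

    ``records`` is an iterable of (sdk_name, age_in_days) tuples, e.g. taken
    from a retention report a partner returns.
    """
    return sorted((sdk, age) for sdk, age in records
                  if sdk in data_map and age > data_map[sdk].retention_days)


if __name__ == "__main__":
    print("unmapped/stale:", reconcile(BUILD_DEPENDENCIES, DATA_MAP))
    print("no consent given:", permitted_sdks(DATA_MAP, set()))
    print("measurement only:", permitted_sdks(DATA_MAP, {"measurement"}))
    print("erasure goes to:", erasure_recipients(DATA_MAP, BUILD_DEPENDENCIES))
    print("over retention:", retention_violations(
        DATA_MAP, [("com.example.attribution", 45), ("com.example.adnetwork", 45)]))
```

The ordering matters: `reconcile()` runs in CI against the real dependency file, so an SDK that ships without a data-map row fails the build before it can ever collect anything, and `permitted_sdks()` runs at app start-up, after the consent prompt, so that an SDK relying on consent is never initialised for a user who declined. In a real app the SDK initialisation calls would sit inside the loop that consumes `permitted_sdks()`.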
