Home Privacy One Year Into GDPR, Most Apps Still Harvest Data Without Permission

One Year Into GDPR, Most Apps Still Harvest Data Without Permission

SHARE:

While good-acting companies knock themselves out trying to comply with data protection and privacy laws, and regulators debate the minutiae of cookie consent policies, bad actors simply couldn’t care less.

The front door may be locked, but the basement windows are wide open.

Unauthorized data harvesting from mobile apps has continued nearly unabated in the year since Europe’s General Data Protection Regulation came into force last May.

In a recent test conducted for AdExchanger, mobile analytics company Kochava examined the behavior of the top 2,700 apps in the Google Play store in the United States compared with France, where GDPR applies.

Despite a small drop in the average number of network requests coming per app in France, which was to be expected, there was no discernible difference in the prevalence of data transmission between regions.

Sharing, not caring

Nearly 60% of apps sent advertising IDs to a remote endpoint at least once either directly or through a third-party SDK, regardless of where the users were located or whether they’d given consent.

Apps often presented users with a consent notice screen and then ignored the user’s choice, transmitting the data regardless of the user’s preference.

“The regulation exists, but is there a body in Belgium looking at the mobile ecosystem to try and determine which calls from a device are legitimate or not – hell no, that’s not happening,” said Grant Simmons, head of client analytics at Kochava.

But even if there was, this stuff is hard to catch by design, Simmons said. Around 30% of the data calls transmitted to and from devices are encrypted and when fraudsters enter the picture, they usually use transitory domains to obscure their actions, including data harvesting.

Reap and sow

Subscribe

AdExchanger Daily

Get our editors’ roundup delivered to your inbox every weekday.

To be fair, the GDPR was created to unify privacy laws for the collection and processing of personal data across EU member states, not to tackle ad fraud.

But the lucrative nature of ad fraud is a primary motivator behind shady data collection and non-permissioned data sharing.

And some of the worst GDPR violators are app developers that monetize by adding third-party code and SDKs to their apps without understanding the implications, said Asaf Greiner, CEO and founder of Protected Media, a provider of anti-fraud technology.

In some cases, developers harvest personally identifiable information from app users to share with advertisers, which advertisers might find useful but also represents a violation of GDPR.

If an app doesn’t care about draining a user’s battery or slurping up their data plan, “it’s safe to assume that data protection is low down on their list,” said Greiner, noting that most ad fraud is uncovered because of the bite it takes out of advertising budgets, while the privacy violation aspects “remain under the radar.”

Protected Media is regularly approached by companies offering to sell data or social graphs. Greiner always makes a point of asking the salesperson how the data they’re peddling was obtained and what’s in it. “Invariably, they can never answer me,” Greiner said, “which leaves me to believe that they’re very rarely asked where they get the data from.”

GDPR doesn’t touch the digital ad ecosystem’s “chain of custody issue,” Simmons said.

“Bad information is collected and syndicated at scale through ad networks,” he said. “It’s like data laundering – ad networks as willful clearing houses for nefarious publishers.”

An intractable problem

There’s no easy way to end illicit data sharing by apps because the ecosystem is so murky.

“Not a single regulator understands this, and there aren’t even laws [against ad fraud] yet for them to use to go after bad actors,” said independent ad fraud researcher Augustine Fou.

Then again, there’s no reason European regulators can’t at least use their new powers to shine a light on companies that aren’t making an effort to comply with GDPR, if not the unabashed criminal element.

“GDPR introduced a very clear accountability duty for businesses, and regulators can perform ad hoc audits when they like,” said Enza Iannopollo, a senior analyst covering security and risk at Forrester. “The barrier, in my opinion, is not GDPR, but a shortage of resources.”

Be that as it may, the industry only really has a shot at cutting down on bad acting apps with ulterior motives if there’s “a significant amount of collaboration” between regulatory watchdogs, the government and the app store providers themselves, said Gabe Morazan, director of product and digital governance at Evidon parent company Crownpeak.

Because even if good actors try to stay clean, fishy apps – and apps with fishy SDKs – will keep harvesting data and pumping it out into the mobile ecosystem if there’s a buck to be made.

Must Read

Scott Spencer’s New Startup Wants To Help Users Monetize Their Online Advertising Data

What happens when an ad tech developer partners with a cybersecurity expert to start a new company? You end up with a consumer product that is both a privacy software service and a programmatic advertising ID.

Former FTC commissioner Alvaro Bedoya speaks to AdExchanger Managing Editor Allison Schiff at Programmatic IO NY 2025.

Advertisers Probably Shouldn’t Target Teens At All, Cautions Former FTC Commissioner

Alvaro Bedoya shared his qualms with digital advertising’s more controversial targeting tactics and how kids use gen AI and social media.

Wall Street Turned Against Ad Tech – But May Learn To Love It Again

What can pureplay ad tech companies do to clean up their rep on the Street?

Privacy! Commerce! Connected TV! Read all about it. Subscribe to AdExchanger Newsletters

AppsFlyer and Roku’s New SRN Integration Will Shed Light On CTV Campaign Impact

Roku and AppsFlyer announced the launch of a new self-reporting network (SRN) integration between both companies, which will allow mobile app advertisers to more effectively measure their streaming video campaigns

Comic: Gamechanger (Google lost the DOJ's search antitrust case)

DOJ v. Google: How Judge Brinkema Seems To Be Thinking After Week One

Where the DOJ v. Google ad tech antitrust trial stands after one week’s worth of remedies arguments.

Swish, A Company That's Bringing Programmatic to Product Sampling, Announces Seed Funding

Swish, a startup that partners with retailers to provide product full-size CPG samples to people doing their grocery shopping online, announces $2.3 million in seed funding.