What Brands Should Know About Recent Privacy Enforcement Trends for Mobile Apps

By Andra Robinson, VP Legal and Associate General Counsel at Airship & Shapla Begum, EMEA Commercial Counsel at Airship 

Yesterday was Data Privacy Day — or Data Protection Day in Europe — which is meant to raise awareness and promote privacy and data protection best practices internationally. In the past year, government enforcement agencies across the globe have increasingly expanded their attention to mobile apps and data privacy.

In the US, the Federal Trade Commission (FTC) is monitoring the privacy practices of mobile apps with a special focus on health apps. This includes examining user consent for personal data practices (e.g., advertising, marketing and analytics), third-party user-tracking of pixels and types of data shared. In the EU, activist group None of Your Business (known as NOYB) recently filed a series of complaints against mobile apps for sharing users’ personal data with third parties without user consent. 

Below we discuss: 

• Compliance trends highlighted by these two actions
• What your brand needs to know in setting up mobile apps 

US FTC Decision Against Premom App

In the US, the FTC has focused more and more on mobile app enforcement, especially those that are used for health purposes or that collect sensitive information like geolocation. 

According to the FTC, Premom, an app that helps women track fertility to become pregnant, shared personal health information with third-party SDKs without end-user knowledge or consent, including sharing personal health information for advertising purposes, and inadequately securing data when transferring it to third-party SDKs based in China. Premom agreed to pay a $100,000 fine and another $100,000 in restitution and carry out numerous remediations. 

Even more recently, the FTC completed its enforcement agreement against X-Mode Social for its SDK used to collect precise geo-location information from users of apps on which it was installed. The FTC highlighted concerns about the ability to precisely pinpoint a user’s location on the map and tie it to sensitive locations (e.g. healthcare facilities, places of worship, welfare organizations). The FTC also focused its enforcement on X-Mode’s disregard for user requests to opt out of ad personalization, as it continued to share users’ Mobile Advertiser ID (a unique mobile devices identifier) with marketers. 

These decisions give urgency to the following compliance issues for apps in the US: 

1) Are IDs deemed personal data?

If IDs collected allow third-party tech providers (e.g. SDKs) to track consumers or their behaviors across unrelated apps or websites, or if IDs allow the business to target consumers with advertising on third-party advertising platforms, then such data are personal data. A higher risk is associated with non-resettable IDs since they are hardcoded in the device or network.

2) What rights do third-party SDKs have to the data? 

Where agreements with third-party SDKs allow them to leverage users’ data for their own business purposes and share that information with advertisers and media partners, such sharing should be carried out with users’ consent.

3) Do Custom App Event titles include personal data? 

In some enforcement actions, the FTC pointed out that descriptive event titles used to track users’ actions within apps, which were then later shared with third-party SDKs, were unconsented disclosures. Where the mobile app’s privacy policy or consent notice did not clearly disclose such sharing, users could not be fully informed about how their data was used or to whom it was shared. 

4) Are security measures adequate? 

Custom app events should be encrypted or labeled generally to prevent transferring users’ health information to third-party SDKs located outside the US. Best practice is to do this regardless of where the information is transferred.

5) Does user consent include sharing data with third-party SDKs?

Apps should strive for clear simple disclosure to end users showing what data is collected, and to whom it is shared along with specific purposes for doing so.

The EU Ramps Up Focus On Mobile Apps

Mobile app enforcement is also a key issue in the past year in the EU. In September 2023, NOYB filed complaints against EU-based mobile apps alleging illegal access and sharing of users’ personal data with third parties without users’ consent. The mobile apps did not have a consent mechanism for user confirmation prior to the activation of third-party SDKs.

In France, the CNIL (France Data Protection Authority) announced that one of its key priorities for 2023 was mobile app and data privacy compliance. In the coming months, the CNIL will release its recommendations for the mobile application ecosystem. Important takeaways from the CNIL draft recommendations for mobile apps include: 

Define collection parameters

• Understand what kind of data is necessary to collect (e.g., personal data, sensitive data) and for what purpose. 
• Document data to be collected. 
• Collect personal data only with the consent of the end users. 

Apply data privacy-by-design and privacy-by-default

• Limit data sent to servers to what is strictly necessary to fulfill the required purpose. 
• Default SDK configurations should follow these principles and avoid collecting device, network (IP address, surrounding network equipment) and individual identifiers if not required for use.
• Separate functionalities of the SDK so customers can choose only needed ones. 
• Choose the least intrusive permissions level possible or provide configuration options.

Manage consent & rights

• Review vendor contracts with app publishers, developers or SDK providers for adequate data protection terms in line with GDPR requirements.
• Use as few additional identifiers as possible for processing consent from users. 
• Provide options to block processing or access to data on the device until valid consent is obtained. 

Follow security best practices and recommendations

• Align standard security measures with industry best practices and applicable data protection laws. 

What Data Privacy Measures Brands Need to Take Now

Given the global focus on app privacy issues, brands should take the following steps to ensure regulatory compliance:

1. Understand what SDKs are in your mobile app, and what data SDKs are collecting and for what purpose. 
2. Honor user requests for use of personal data. Include a method for opt-out requests (including a Do Not Sell or Share My Personal Data link, browser-based or other technical settings) for California compliance. For EU, obtain consent prior to SDK activation. 
3. Put in place clear privacy policies that describe how your mobile app uses data, including data use of third-party SDKs. SDK providers should provide you clear information on what data is collected and the associated purposes, to make this easier.
4. Make sure sharing of data with third-party SDKs fits within the parameters of your customer relationships and clear consent is obtained.
5. Review data sharing practices with advertisers, and get clear consent for such sharing from the user. 
6. Embed clear consent practices in the tech stack, including rights to opt out or be forgotten at any time.
7. Review your SDK vendor’s security standards regularly. 

Between enforcement penalties and risk to reputation and customer trust, it should be exceedingly clear that businesses can no longer afford to let data privacy conversations come at the end of technology sales cycles or as an afterthought to development and implementation. All stakeholders need to be aware of data privacy, compliance and security to better align product vision, customer use cases and competitive advantage that can be gleaned by data collected and protected in the right ways.

Airship is committed to meeting the standards that our customers have come to expect from us, including protecting the privacy of personal data provided to us and applying the privacy-by -design and data-protection-by-default principles across our product enhancement, development and operations.That means not just providing amazing products that scale to sending billions of messages each day, but also ensuring that the Airship platforms support your compliance needs.