Recent legislative hearings in the United States and Europe have focused on the means by which large third-party data collectors track individuals via websites. Regulators have paid comparatively little attention to the mobile application ecosystem, but current studies have demonstrated the means by which third parties collect data from mobile apps, and highlighted legal uncertainties around data controller status and user consent in this area.
Details of Data Collection in Android Apps
An October 2018 study by the University of Oxford surveyed 959,000 apps in the U.S. and UK Google app stores and concluded that 40 to 90 percent of all such apps were configured to share data with major third-party tracking companies, often regardless of whether the app user had an account or profile with those companies. A follow-on study in December 2018 analyzed the specific information transmitted to Facebook by a subset of the most commonly downloaded Android apps. The study found that upon startup, a number of the apps automatically transmitted an “app opened” signal to Facebook containing (1) the name of the app and (2) the user’s unique Google advertising ID. Such data has significant value; up to 95% of users may be identified by the presence of only four apps on their phones. For example, a user who installed Qibla Connect (a Muslim prayer app), Indeed (a job search app), My Talking Tom (a children’s app), and VKontakte Ltd. (a Russian social networking app) could be profiled for advertising purposes as a Muslim, Russian, job-seeking parent.
In some cases, the “app opened” signal was transmitted to Facebook prior to user consent, for two reasons. First, the relevant software development kit (SDK) was configured by default to automatically transmit tracking data, including the signal, unless disabled by the app developer. Second, pre-GDPR versions of the SDK did not have the option to disable the signal. A significant number of the apps tested still used outdated versions of the SDK, and many app custodians appeared unaware of the consent issue or the updated SDK.
Legal Division of Responsibility Between Controller and Processor
In jurisdictions that require informed consent for storing and accessing cookies or other information on an end user's device (such as but not limited to the European Union), you must ensure, in a verifiable manner, that an end user provides the necessary consent before you use Facebook Business Tools to enable us to store and access cookies or other information on the end user's device.
But European data authorities have pushed back on similar practices in the website context. In 2018, the Belgian Court of First Instance upheld a decision of the Belgian Data Protection Authority that found Facebook jointly responsible with website providers for its online tracking pixels and cookies. Facebook argued that its terms of service with website providers required providers to obtain necessary user consents, particularly for website visitors who were non-users of Facebook, and that Facebook, as a separate entity, could not be considered the data controller. The Court disagreed, stating that “as Facebook determines both the objective and means of processing [personal data], it remains the party responsible for processing personal data via pixels and is thus jointly responsible with the owners of the third-party websites for meeting the legal obligations [under the Belgian Privacy Act].” A similar chain of judicial reasoning could apply to app tracking.
Similarly, in June of 2018, the European Court of Justice stated that the concept of a data controller “does not necessarily refer to a single entity and may concern several actors taking part in [data] processing.” In 2018, the Court also held that under the 1995/56 Directive (the EU data protection law preceding GDPR), a natural person who determines the purposes and means of data processing in conjunction with third parties may also be regarded as a data controller. Again, large data collectors, who control the means of data collection in the app ecosystem and dictate uses for such data, may be subject to similar reasoning.
Consistent with the above authority, the Article 29 Data Protection Working Party Opinion 1/2010 on the concepts of “controller” and “processor” prescribes a substantive and functional approach in assessing joint control, “focusing on whether the purposes and means [of data collection] are determined by more than one party.”
Finally, the Article 29 Data Protection Working Party Opinion 2/2013 on apps on smart devices states that “if the third party processes personal data for its own purposes, it may also be a joint data controller with the app developer,” while noting that as many different types of arrangements may exist between app developers and third parties, “the respective responsibility of each party will have to be established on a case-by-case basis having regard to the specific circumstances of the processing involved.”
Recommendations for App Providers
Following the recent spotlight on large collectors’ data gathering practices, regulators may turn their attention to data collection in mobile apps. Analogous precedents favor imposing joint liability and controller status on third-party collectors. But at present, there is little action on this front. In the face of this uncertainty, app providers should:
- Evaluate their responsibilities for user consent and data collection under the applicable terms of service. In most cases, the onus will be on the provider to obtain all necessary consents.
- Carefully evaluate what data is being sent to third-party data processors.
- Ascertain when that data is sent relative to when user consent is obtained.
- Ensure that consent accurately captures what data is being collected, consistent with data protection principles of transparency and fairness.
- Take appropriate technical measures to ensure data minimization and transparency by keeping analytics/advertising APIs up-to-date and evaluating their behavior as feasible.