Andra Robinson, Author at Airship

What Brands Should Know About Recent Privacy Enforcement Trends for Mobile Apps
https://www.airship.com/blog/what-brands-should-know-about-recent-privacy-enforcement-trends-for-mobile-apps/
Mon, 29 Jan 2024 21:21:35 +0000

By Andra Robinson, VP Legal and Associate General Counsel at Airship & Shapla Begum, EMEA Commercial Counsel at Airship 

Yesterday was Data Privacy Day — or Data Protection Day in Europe — which is meant to raise awareness and promote privacy and data protection best practices internationally. In the past year, government enforcement agencies across the globe have increasingly expanded their attention to mobile apps and data privacy.

In the US, the Federal Trade Commission (FTC) is monitoring the privacy practices of mobile apps with a special focus on health apps. This includes examining user consent for personal data practices (e.g., advertising, marketing and analytics), third-party user-tracking of pixels and types of data shared. In the EU, activist group None of Your Business (known as NOYB) recently filed a series of complaints against mobile apps for sharing users’ personal data with third parties without user consent. 

Below we discuss: 

  • Compliance trends highlighted by these two actions
  • What your brand needs to know in setting up mobile apps 

US FTC Decision Against Premom App

In the US, the FTC has focused more and more on enforcement against mobile apps, especially those that are used for health purposes or that collect sensitive information like geolocation.

According to the FTC, Premom, an app that helps women track fertility to become pregnant, shared personal health information with third-party SDKs without end-user knowledge or consent, including sharing personal health information for advertising purposes, and inadequately securing data when transferring it to third-party SDKs based in China. Premom agreed to pay a $100,000 fine and another $100,000 in restitution and carry out numerous remediations. 

Even more recently, the FTC completed its enforcement agreement against X-Mode Social for its SDK used to collect precise geo-location information from users of apps on which it was installed. The FTC highlighted concerns about the ability to precisely pinpoint a user’s location on the map and tie it to sensitive locations (e.g. healthcare facilities, places of worship, welfare organizations). The FTC also focused its enforcement on X-Mode’s disregard for user requests to opt out of ad personalization, as it continued to share users’ Mobile Advertiser ID (a unique mobile device identifier) with marketers.

These decisions give urgency to the following compliance issues for apps in the US: 

1) Are IDs deemed personal data?

If IDs collected allow third-party tech providers (e.g. SDKs) to track consumers or their behaviors across unrelated apps or websites, or if IDs allow the business to target consumers with advertising on third-party advertising platforms, then such data are personal data. A higher risk is associated with non-resettable IDs since they are hardcoded in the device or network.

2) What rights do third-party SDKs have to the data?

Where agreements with third-party SDKs allow them to leverage users’ data for their own business purposes and share that information with advertisers and media partners, such sharing should be carried out with users’ consent.

3) Do Custom App Event titles include personal data? 

In some enforcement actions, the FTC pointed out that descriptive event titles used to track users’ actions within apps, which were then later shared with third-party SDKs, were unconsented disclosures. Where the mobile app’s privacy policy or consent notice did not clearly disclose such sharing, users could not be fully informed about how their data was used or with whom it was shared.

4) Are security measures adequate? 

Custom app events should be encrypted or labeled generally to prevent transferring users’ health information to third-party SDKs located outside the US. Best practice is to do this regardless of where the information is transferred.

5) Does user consent include sharing data with third-party SDKs?

Apps should strive for clear, simple disclosure to end users showing what data is collected and with whom it is shared, along with the specific purposes for doing so.

The EU Ramps Up Focus On Mobile Apps

Mobile app enforcement has also been a key issue in the EU over the past year. In September 2023, NOYB filed complaints against EU-based mobile apps alleging illegal access and sharing of users’ personal data with third parties without users’ consent. The mobile apps did not have a consent mechanism for user confirmation prior to the activation of third-party SDKs.

In France, the CNIL (France Data Protection Authority) announced that one of its key priorities for 2023 was mobile app and data privacy compliance. In the coming months, the CNIL will release its recommendations for the mobile application ecosystem. Important takeaways from the CNIL draft recommendations for mobile apps include: 

Define collection parameters

  • Understand what kind of data is necessary to collect (e.g., personal data, sensitive data) and for what purpose. 
  • Document data to be collected. 
  • Collect personal data only with the consent of the end users. 

Apply data privacy-by-design and privacy-by-default

  • Limit data sent to servers to what is strictly necessary to fulfill the required purpose. 
  • Default SDK configurations should follow these principles and avoid collecting device, network (IP address, surrounding network equipment) and individual identifiers if not required for use.
  • Separate functionalities of the SDK so customers can choose only needed ones. 
  • Choose the least intrusive permissions level possible or provide configuration options.

Manage consent & rights

  • Review vendor contracts with app publishers, developers or SDK providers for adequate data protection terms in line with GDPR requirements.
  • Use as few additional identifiers as possible for processing consent from users. 
  • Provide options to block processing or access to data on the device until valid consent is obtained. 

Follow security best practices and recommendations

  • Align standard security measures with industry best practices and applicable data protection laws. 

What Data Privacy Measures Brands Need to Take Now

Given the global focus on app privacy issues, brands should take the following steps to ensure regulatory compliance:

  1. Understand what SDKs are in your mobile app, and what data SDKs are collecting and for what purpose. 
  2. Honor user requests for use of personal data. Include a method for opt-out requests (including a Do Not Sell or Share My Personal Data link, browser-based or other technical settings) for California compliance. For EU, obtain consent prior to SDK activation. 
  3. Put in place clear privacy policies that describe how your mobile app uses data, including data use of third-party SDKs. SDK providers should provide you clear information on what data is collected and the associated purposes, to make this easier.
  4. Make sure sharing of data with third-party SDKs fits within the parameters of your customer relationships and clear consent is obtained.
  5. Review data sharing practices with advertisers, and get clear consent for such sharing from the user. 
  6. Embed clear consent practices in the tech stack, including rights to opt out or be forgotten at any time.
  7. Review your SDK vendor’s security standards regularly. 

Between enforcement penalties and risk to reputation and customer trust, it should be exceedingly clear that businesses can no longer afford to let data privacy conversations come at the end of technology sales cycles or as an afterthought to development and implementation. All stakeholders need to be aware of data privacy, compliance and security to better align product vision, customer use cases and competitive advantage that can be gleaned by data collected and protected in the right ways.

Airship is committed to meeting the standards that our customers have come to expect from us, including protecting the privacy of personal data provided to us and applying the privacy-by-design and data-protection-by-default principles across our product enhancement, development and operations. That means not just providing amazing products that scale to sending billions of messages each day, but also ensuring that the Airship platforms support your compliance needs.

Five Ways to Make Data Privacy Count for Your Brand
https://www.airship.com/blog/five-ways-to-make-data-privacy-count-for-your-brand/
Wed, 25 Jan 2023 19:50:52 +0000

January 28 is internationally recognized as Data Privacy Day—or Data Protection Day in Europe. This day is focused on raising awareness and promoting privacy and data protection best practices. It encourages businesses and individuals to respect privacy and be mindful of the data they collect, store and share. It also serves as an important reminder that companies must take responsibility for their data practices. 

As regulation increases the complexity of data privacy, companies must continually reconsider how their business models incorporate personal information from customers. Data privacy policy doesn’t have to be at odds with customer experience. Here are five ways a practical approach to data privacy can improve customer experience in a mobile-first world. 

1. Be practical about the data you gather 
The key here is to be thoughtful about what data you collect and whether you actually need it. Collecting unnecessary data, or not having a handle on where that data is going, can put you and your customers at risk. Consider how you will use the data, how long you will keep it, and how it will flow through your business or any vendors and partners you work with. 

2. Be transparent and optimize the way you ask for data
When gathering any personal information about your customers, it’s important to be transparent about what you’re collecting and how you will use it. Communicate with clarity! Long-form privacy notices with confusing legal language create unnecessary barriers between brands and customers. They are also a growing area of regulatory scrutiny. Your customers should be able to quickly and easily access details about the data you’re collecting and the benefit you’re offering so they can make well-informed decisions about opting in or out.

3. Mind, don’t mine customers 
Customer data forms the basis of any marketing strategy, but mining consumer information—as opposed to considering customer needs—is going out of style. As third-party data fades away, first- and zero-party data come to the fore. Brands must create digital relationships with their customers, and mobile apps are an ideal way to establish a reciprocal value exchange. Developing direct digital relationships with your customers can provide them with the personalized experiences they expect.

4. Understand how your vendors use data 
It’s important that companies know who they’re sharing their customers’ personal information with—and how those vendors will use it and protect it. Any downstream incidents are shared responsibilities in the eyes of the public and regulators. Carefully review what data is being shared, why and how it is transferred, and security access and data retention measures in place to keep it safe. 

5. Collaborate across teams on data privacy 
Data privacy is no longer just an IT or legal concern. Every department in an organization should be involved in developing a comprehensive strategy around protecting customer data from misuse or theft. That means that everyone, from executives down, must collaborate to ensure maximum security across all points where customer information is stored or shared throughout your organization and tech stack.

Data Privacy Day serves as an important reminder for businesses everywhere that protecting customers’ personal information must always be a top priority. By utilizing these five tips, brands can not only mitigate risk, but grow advantage by enabling a trusted and mutually beneficial exchange with customers every day of the year.
