App firms, adtech industry in firing line over possible GDPR violations

According to a report called “Out of Control: How Consumers Are Exploited by the Online Advertising Industry,” released Tuesday by the Norwegian Consumer Council (NCC), app developers are sharing highly personal information with adtech firms as part of their business model, despite the risk of violating tough privacy rules, the prospect of being hit with hefty fines, and the possibility of losing consumer trust and damaging their brands. It has filed complaints under the GDPR against six of the worst offenders, including Twitter.

The NCC, a government-funded consumer rights champion, commissioned cyber-security company Mnemonic to perform a technical analysis of the data traffic from 10 popular mobile apps. It found—between them—they were transmitting user data to at least 135 different third parties involved in advertising and/or behavioral profiling.

Big Tech firms are also benefitting from the data, says the report. Google’s advertising service DoubleClick received data from eight of the apps, while Facebook received data from nine of them.

Because of the scope of the tests, the popularity of the apps, and the size of the third parties receiving the data, the NCC regards the findings as “representative of widespread practices in the adtech industry.”

“Every time you open an app like Grindr, advertisement networks get your GPS location, device identifiers, and even the fact you use a gay dating app. This is an insane violation of users’ EU privacy rights.”

Max Schrems, founder of European privacy non-profit NGO noyb

It wants adtech firms to make “comprehensive” changes in order to comply with European privacy regulation, as well as a greater willingness from EU data protection authorities to strongly enforce the GDPR.

“This massive commercial surveillance is systematically at odds with our fundamental rights and can be used to discriminate, manipulate, and exploit us,” says Finn Myrstad, director of digital services at the NCC. “The widespread tracking also has the potential to seriously degrade consumer trust in digital services.”

“The situation is completely out of control,” he adds. “In order to shift the significant power imbalance between consumers and third-party companies, the current practices of extensive tracking and profiling have to end.”

The apps in question are:

• Dating apps Grindr, Happn, Tinder, and OkCupid;
• Virtual pet app My Talking Tom 2;
• Make-up designs app Perfect365;
• Emoji and animation background app Wave Keyboard;
• Menstrual cycle predictor apps Clue and MyDays; and
• Muslim: Qibla Finder, an app that indicates the direction for Muslims to face to perform prayers.

The report found all of the apps shared user data with multiple third parties. This information included the IP address and GPS location of the user, personal attributes including gender and age, and various user activities. The report says such information can be used to track and target these users with ads, to profile them (and consumers like them) and to infer many highly sensitive attributes, including sexual orientation and religious beliefs. That data can also be sold on to other data collection companies that use such information for commercial purposes.

Make-up app Perfect365 shared user data with more than 70 third parties, including the advertising ID used on Android devices, IP addresses, and GPS locations, while menstrual cycle tracker app MyDays shared users’ GPS location with numerous third parties involved in behavioral advertising and profiling.

Dating app OkCupid shared highly personal data about sexuality, drug use, political views, and more with an analytics company called Braze.

Grindr, a dating app for the LGBTQ community, was found to have shared detailed user data with a large number of third parties involved in advertising and profiling. This data included IP address, advertising ID, GPS location, age, and gender. Twitter’s adtech subsidiary MoPub was used as a mediator for much of this data sharing, but it was also found to be passing personal data on to a number of other advertising third parties, including the major adtech companies AppNexus and OpenX. Many of these third parties reserve the right to share the data they collect with a very large number of partners.

“Every time you open an app like Grindr, advertisement networks get your GPS location, device identifiers, and even the fact you use a gay dating app. This is an insane violation of users’ EU privacy rights,” says Max Schrems, founder of the European privacy non-profit NGO noyb who worked on the complaints with the NCC.

The NCC complains that 20 months after the GDPR has come into effect, consumers are still pervasively tracked and profiled online and have no way of knowing which entities process their data or how to stop them. It also complains users usually need to give blanket approval to the app’s terms and conditions in order to use it. “There are very few actions consumers can take to limit or prevent the massive tracking and data sharing that is happening all across the internet,” said Myrstad. “Authorities must take active enforcement measures to protect consumers against the illegal exploitation of personal data.”

On the same day as the report was released, the NCC filed three formal complaints with the Norwegian Data Protection Authority for breaches of GDPR against Grindr and five adtech companies—Twitter’s MoPub; AT&T’s AppNexus; OpenX; AdColony; and Smaato.

Grindr, which is the only company to be named in all three complaints, said in a statement: “user privacy and data security is, and always will be, a high priority,” adding that it has recently revised its privacy policies and is in the process of enhancing its consent management processes to give users more control over how their personal data is used.

“We welcome the opportunity to be a small part in a larger conversation about how we can collectively evolve the practices of mobile publishers and continue to provide users with access to an option of a free platform,” it said.

Twitter, as well as most of the other firms named in the reports and the GDPR complaints, said it is reviewing its processes and privacy policies and controls in light of the report and has disabled Grindr’s MoPub account.

Experts are not surprised adtech firms may be breaking the law, especially as the nature of tech start-ups is to “move fast and break things.”

Adam Penman, an employment lawyer in the London office at international law firm McGuireWoods, says “it appears that app firms react to complaints which hit them hard commercially, while maintaining a low-level quasi compliance infrastructure which does not restrain capitalizing on marketing opportunities. Being fundamentally reactive [to complaints] simply pays more dividends than being proactive about compliance.”

“Big Tech will always be reactive to regulation. They have financial incentives to behave that way,” says Chad McDonald, vice president of customer experience at Arxan, a technology company that specializes in app security. “The companies in question have their entire business model built around sharing very personal data. They have a very strong financial incentive to push the boundaries as far as they can, as fast as possible, until legislators or the public push back. Unfortunately, the pushback often comes after the horse has bolted.”

Many believe regulators should have a more proactive role in engaging with the sector and publicizing what is best practice.

“While moves are being made to provide constructive guidance so companies know what to do, there are still gaping holes as to how they should approach data privacy and the tools and processes that they should use,” says Adrian Barrett, founder and CEO of data security technology firm Exonar. “There is the promise of a ‘kite-mark’ for companies that can demonstrate compliance with GDPR which cannot happen soon enough,” he adds.

Penman says instead of fines and other “sticks” to encourage compliance, supervisory bodies should design “carrots” to ensure compliance generates commercial advantages, for example by issuing recognized “seals of approval” for certain apps or online services so users and consumers feel safe and secure in using that product.

“The fear of corporate fines does not appear to be working, despite their potentially high value,” says Penman. “But compromising the trust between a consumer and the product/company they are using will hit tech companies’ longer-term commercial interests.”

More generally, however, experts believe enforcement needs to be more rigorous and there should be better coordination between EU data supervisors about how they should stamp out and punish illegal and unfair practices.

Camilla Winlo, director of consultancy DQM GRC, a data protection and privacy consultancy, believes that if tech firms do not “clean the house,” new sanctions are likely to come into force. “Many countries have laws that allow individuals in management positions to be fined or imprisoned for privacy failings. The EU has decided not to go that far, but I wouldn’t be at all surprised if that changes in the future. Globally, the trend does seem to be towards individual accountability,” she says.

Aaminah Khan, a barrister specializing in data and information law at St. John’s Buildings, says if enforcement is going to be an effective deterrent, companies need to believe the threat of a fine that equates to 4 percent of global turnover will be used.

She also believes “the relative lack of scrutiny and enforcement by regulators to date in respect of compliance issues in areas such as tracking in the adtech industry has resulted in some companies viewing a loose approach to GDPR compliance as a commercial risk worth taking.”

Khan says while fines have their place, there are also a range of tools regulators have at their disposal under the GDPR that can be used in conjunction with fines. These include issuing assessment notices, where the regulator can assess whether processing is compliant, and enforcement notices, where the regulator can order a company to take steps to remedy any failure to comply. “These are potentially wide-ranging powers which could rectify compliance issues, if used appropriately,” she says.

She says for the GDPR to be truly effective, “data regulators need to take a joined up, coordinated approach to regulation across Europe,” given these services are being used by individuals throughout various jurisdictions.

“While this is how GDPR was envisioned to work, we are yet to see much evidence of this joint approach in action,” says Khan.