In this day and age of massive data collection, data security and privacy are top of mind for many enterprises and consumers. The concern centers on the collection and use of personally identifiable information (PII) / sensitive personal information (SPI).
Enterprises that ship mobile apps need to be careful about which third-party libraries and SDKs are included during development. The issue is that many tools are available for free but end up harvesting user data to monetize it through targeted advertising. The vast majority of the time this is against the legal policy of the enterprise, as well as the end user license agreement (EULA) between the company’s software and its end users. Developers often have no idea this is happening behind the scenes, for two reasons:
- SDKs are black boxes, so the harvesting of the data is hidden from the developer; and,
- to download the SDK, the developer signs up and agrees unknowingly to terms and conditions (click-through agreements) permitting the practice.
The realization that developer freeware is exposing your customer data causes alarm. To prevent this from happening, digital leads should audit which service providers are in use, especially those that do not require payment or a subscription fee. Any third-party code or SDKs that did not receive sign-off from legal should be removed immediately. Your legal professionals should review the terms and conditions.
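One way to make the audit above repeatable is to check the app's pinned dependencies against an allowlist of SDKs that legal has actually reviewed. The script below is an added example, not code from the original article; it assumes an iOS app that pins its SDKs in a CocoaPods Podfile.lock and an allowlist that legal maintains (a `name -> status` map). The lock file excerpt, the pod names and the allowlist are all constructed sample data.

```python
"""Flag third-party SDKs in a mobile app build that lack legal sign-off.

Added example. Assumptions: dependencies are pinned in a CocoaPods
Podfile.lock, and legal keeps an allowlist of reviewed SDK names.
All sample data below is constructed, not taken from a real app.
"""
import re

# Constructed Podfile.lock excerpt (CocoaPods format, top-level PODS: entries).
PODFILE_LOCK = """\
PODS:
  - Alamofire (5.6.4)
  - AppCenter/Analytics (4.4.3):
    - AppCenter/Core
  - AppCenter/Core (4.4.3)
  - FreeAdsTrackerSDK (1.2.0)
  - SwiftyJSON (5.0.1)

DEPENDENCIES:
  - Alamofire
  - AppCenter/Analytics
  - FreeAdsTrackerSDK
  - SwiftyJSON
"""

# Constructed allowlist maintained by legal: pod name -> review status.
# Anything not listed is treated as unreviewed and must not ship.
APPROVED_SDKS = {
    "Alamofire": "approved",
    "SwiftyJSON": "approved",
    "AppCenter": "pending",   # terms still under review, no sign-off yet
}

# Matches a top-level pod line such as "  - AppCenter/Analytics (4.4.3):".
# Group 1 is the parent pod name, group 2 the pinned version.
POD_LINE = re.compile(
    r"^\s{2}- ([A-Za-z0-9_.+-]+)(?:/[A-Za-z0-9_./+-]+)? \(([^)]+)\)"
)


def parse_pods(lockfile: str) -> dict[str, str]:
    """Return {pod name: version} for top-level entries in the PODS: section.

    Subspecs such as AppCenter/Analytics collapse to their parent pod,
    because legal reviews a vendor's SDK (and its terms) as a whole.
    """
    pods: dict[str, str] = {}
    in_pods = False
    for line in lockfile.splitlines():
        if line.startswith("PODS:"):
            in_pods = True
            continue
        if in_pods and line and not line.startswith(" "):
            break  # reached the next top-level section (DEPENDENCIES:, ...)
        m = POD_LINE.match(line)
        if in_pods and m:
            pods.setdefault(m.group(1), m.group(2))
    return pods


def audit(lockfile: str, allowlist: dict[str, str]) -> dict[str, list[str]]:
    """Bucket every shipped SDK as approved, pending or unreviewed."""
    result: dict[str, list[str]] = {"approved": [], "pending": [], "unreviewed": []}
    for name in sorted(parse_pods(lockfile)):
        status = allowlist.get(name, "unreviewed")
        result.setdefault(status, []).append(name)
    return result


def findings(lockfile: str, allowlist: dict[str, str]) -> list[str]:
    """Human-readable actions: remove unreviewed SDKs, hold pending ones."""
    r = audit(lockfile, allowlist)
    msgs = [f"REMOVE (no legal sign-off): {n}" for n in r["unreviewed"]]
    msgs += [f"HOLD (review pending): {n}" for n in r["pending"]]
    return msgs


if __name__ == "__main__":
    for line in findings(PODFILE_LOCK, APPROVED_SDKS) or ["all SDKs approved"]:
        print(line)
```

Run it as a CI step so a new pod that nobody sent to legal fails the build instead of quietly shipping; the same idea applies to a Gradle dependency report or a generated SBOM, only the parser changes.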
EU & COPPA
This practice is even more problematic for global enterprises, as well as enterprises that may have end users under the age of 13.
The Data Protection Directive outlines movement of personal data within the European Union. The replacement for Safe Harbor, EU-US Privacy Shield, still under legal scrutiny, outlines the transfer of that data to the US. Free tools will often try to get around the EU restrictions by requiring the developer to prompt the end user for permission to release their personal information. In practice, this almost never happens, for the reasons mentioned before: developers do not read the terms and product managers aren’t aware of the requirement. This puts enterprises out of compliance with data privacy laws in the EU.
Finally, companies that collect data from minors must comply with the Children’s Online Privacy Protection Rule (COPPA). Companies that harvest user information behind the scenes are not COPPA compliant. Parental consent must be given, along with many other requirements, in order to collect PII/SPI from minors.
While it can seem daunting to keep up with the latest regulations regarding data security and privacy, enterprises can deploy a proper vetting process to get ahead of any issues with their apps. It is recommended that you review the third-party tools embedded in your apps, make sure your team is educated on the legal requirements, and ensure you’re in compliance with local regulations.