Ronnie Sternberg is Co-founder & VP Business Development at SafeDK
With May 2018 getting closer, companies worldwide are giving extra focus to user privacy, as the EU’s General Data Protection Regulation (GDPR) is coming into effect.
The GDPR aims to return personal data control to European nationals and to simplify the regulatory environment for international businesses. Mobile app and web developers have already started gaining a preliminary understanding of what they need to change to comply with the new regulations.
But if app companies thought they still had time to complete and roll out all relevant changes, they have been proven wrong: Google is already strengthening its user privacy requirements, and in less than 60 days the new User Privacy requirements within the Google Play Developer Policy restrictions will come into effect.
Your app, your responsibility
Starting February 2018, Google is tightening the security around unwanted and harmful mobile behaviour on Android. As part of their enforcement, Google will show a warning on apps or websites that collect private data without getting the user's consent.
Private user data refers to user phone numbers, emails, location, installed apps and more. Google distinguishes between apps that handle personal user data as part of the app’s functionality vs. apps that collect the data even though it’s unrelated to their offering.
These data collection requirements apply to all functions of the app: not only the app's own code, but also the 3rd party SDKs that are integrated within it. SDKs (software development kits) are not really the app owner's code, yet app owners are liable for them and their activity.
Therefore, if SDKs have been implemented within the mobile app and try to access personal data, the responsibility for the data collection and usage is still on the app publisher.
Do you know what data your SDKs are accessing?
Validating the compliance of every SDK that goes into the app becomes challenging. It becomes even more critical with the recent SafeDK study showing that 67% of apps have at least one SDK accessing private user data. Specifically, over 50% of apps have at least one SDK that accesses the user’s location and 40% have SDKs that access the list of installed apps on the user’s device.
Currently, many app publishers do not even know what information their SDKs are accessing, and now publishers have a very limited time to find a solution to help them comply with the new requirements.
So what should app publishers expect from Google in 60 days? Google says it plans to present warnings on user devices and on web pages that lead to these apps. Google’s app verification process comes into play here: it warns users when potentially harmful apps are being installed, or even blocks the installation of apps that are in breach.
As an app publisher, the last thing you want to witness is Google warning your users about privacy issues in your app, or even worse – banning your app from the Play Store because of SDKs accessing private user data.
It is true that the GDPR will come into effect in May, but app publishers do not have that long – they need to make sure their apps comply with all regulations ASAP.