Usercentrics used Apptopia’s “SDK Intelligence Insights” tool to analyze 250 apps; SDK stands for Software Development Kit, a utility for developers. Apptopia aims to let users view download, sales and usage numbers for mobile apps, as well as the SDK data mentioned above. To do this, it identifies the third-party trackers installed in an app. In particular, the Ads, Analytics, and Referral SDKs collect data such as IP address, IDFA, device location, and other user data. These SDKs start collecting data as soon as an app is launched, but by law they require user consent to do so.
Only apps that have third-party trackers installed for the purpose of analytics, referral, monetization and/or marketing were screened. In addition, the applications had to have at least 50,000 daily active users in the European Union. As part of testing, each application was downloaded to devices within the European Union to verify that a Consent Management Platform (CMP) was installed, which allows users to opt out of embedded tracking technologies and thus maintain the privacy of their personal information. If a CMP consent banner is visible in the application, what also matters is whether it complies with legal standards.
The analysis shows that nine out of ten apps examined can collect personal data from users without their consent. This is a clear violation of the General Data Protection Regulation (GDPR) and the ePrivacy Directive. Data protection fares best among food apps: 84 percent of apps in this category do not meet GDPR requirements. For financial apps, in second place, the figure is 86 percent. Gambling apps come in last: 100 percent of the apps in this category do not comply with the requirements of the GDPR. However, there are many questionable apps across the entire app ecosystem, so the result does not necessarily come as a surprise and could also be related to the choice of apps that were checked.
“The results of this report clearly show what is probably the biggest ‘elephant in the room’ in the app industry: most apps are still far from properly implementing the GDPR and ePrivacy Directive. And this is despite the fact that users are spending a significant portion of their time in applications, which is where most PII data [personally identifiable information] is stored,” explains Valerio Sodrio, Global Director of Application Solutions at Usercentrics. This data was collected “in most cases still without explicit consent.”