The UK’s Top Mobile Apps and the GDPR

Partner Post - Clearfaun Mobile Consultant and Android developer

Posted: June 13, 2018

Spencer Depas is a British new yorker who is currently building apps in Beijing. He is a freelance mobile consultant and developer. He is excited about the decisions behind making great apps. 

Before creating this article I did the best I could to apply the The General Data Protection Regulation (GDPR) to my products. I created granular consent, age consent, an option to delete all user data, a clear and explicit explanation of what data was being used, I removed libraries and changed features to adhere to GDPR. After creating this article my strategy has changed and I think yours might too. Below I take a look at the UK’s top downloaded apps in April 2018 and see how they handle GDPR.

*Information was gathered on May 31st, 2018.

 

No granular consent

One of the most important thing I found was that one app out of ten asked for granular consent. In my mobile apps, I have seen a drop in on-boarding and I am attributing it to the three extra dialogs explicitly stating what data is being collected and for what reason. All the top players are simply providing a button that says ‘Continue’, and in the area some text that says if you continue you agree to our privacy policy. Please see the consent forms for Instagram, Messenger, Wish, Snapchat and Whatsapp below.

Instagram app consent form

Facebook Messenger app consent form

Wish app consent form

An app consent form

WhatsApp consent screen

Apps are location independent

All apps seemed to have no different flow depending on location or IP address. I signed up for all apps using an EU IP address and a non-EU IP address.

Online counterparts

Some apps have online counterparts so the features we are seeking may be online only, like the exporting of data or deletion of data. I did not explore all online components.

No request for personalized ads

None of the apps asked for explicit consent for personalized ads.

Uk’s top 10 apps

Below you will find the UK’s top ten apps and how they dealt with GDPR. There are notes regarding each app. Click on the app icon for the apps Privacy policy. For all apps I created a new account.

Helix jump and GDPR

No privacy policy when you click on the Privacy policy on the play store it takes you to a webpage providing only an email.

Source: Helix jump app

Whatsapp and GDPR

  • ’Tap agree and Continue’ to accept the Whatsapp Terms of Service and Privacy Policy
  • You can delete your account within the app. In the privacy policy, it says, “When you delete your WhatsApp account, your undelivered messages are deleted from our servers as well as any of your other information we no longer need to operate and provide our Services”. This does not strictly say we delete all of your PII.
  • In the PP “If you live in a country in the European Region, you must be at least 16”
  • It says in the PP there is a way to port data. I can’t see any way to do this online or in-app.

Source: WhatsApp app

Pubg and GDPR

  • If you select North America for your country no consent screen is displayed. But If you choose anywhere in the EU a consent screen is displayed.
  • The app claims that after 7 days of deleting your account it will delete all your data. On the mobile version, I was unable to find a way to delete an account.
  • The privacy policy gives no clear instructions on exporting the data
  • You can use the app if you are under 16 If you get your parents permission otherwise the app will not let you. This could be relating to the app having violence.

Source: Pubg app

Harry Potter Hogwarts Mystery and GDPR

*Privacy policy in app-only

Source: Harry Potter Hogwarts Mystery

Home workout and GDPR

  • This is the only app that explicitly states it does not collect PPI(Personal Identifiable data)

Source: Home workout

Messenger and GDPR

  • In the on-boarding, it says, “By tapping continue, you accept our terms and agree that you have read our Data policy”
  • It asks you to change and exercise your GDPR rights by going on facebook.com. What is funny about this is if you do not have a facebook account you would have to make one. ”you have the right to access, rectify, port and delete your data…find out how to exercise your rights in the Facebook settings.”
  • The messenger app seems to have the same privacy policy as facebook.com
  • In the app it says you can export data on facebook.com settings

Source: Facebook Messenger app

Wish and GDPR

  • Privacy policy button is next to sign up button. In the PP “By using or accessing the Services, you acknowledge that we will collect, use, and share your information as described in this Privacy Policy
  • I downloaded Wish on two devices. The versions were slightly different including the privacy policy. One PP was updated April 5th, 2017 and the other was updated May 25th, 2018
  • The first time I installed the app I was presented with an age requesting dialog. I only saw this once. I tried to recreate it to test being above and below 16.
  • There is an option to delete the account. But it does not say it deletes the data. In the PP it says you can delete the data in settings but there is not a dedicated button.
  • In the privacy policy, it states you can export data but gives you no mention as to how.

Source: Wish app

Instagram and GDPR

  • By clicking next you agree to our data policy
  • ”We provide you with the ability to access, rectify, port and erase your data. Learn more in your … Instagram settings.” There is an option to export the data but it does not say that it will export all data. It says, “Get a copy of what you have shared on Instagram”.
  • You can delete your data but not in-app. To delete your data you must delete your account. ”Go to the Delete Your Account page. If you’re not logged into Instagram on the web, you’ll be asked to log in first. You can’t delete your account from within the Instagram app.”

Source: Instagram app

Spotify and GDPR

  • If you continue you agree to our terms and service data policy consent
  • I have found no way to do this. ”If you request, we will delete or anonymise your personal data “
  • “Declining the terms and conditions will exit the Spotify app”
  • The play store listing privacy policy takes you to a 404 error. I found the online version here.
  • In the app, there is an option to delete Cache and data. This could mean PII but I don’t think it does.
  • There is no mention of exporting data in the privacy policy but I did find an export data option online.
  • I found nothing on GDPR specific age requirements which is 16
  • Age limit of 13, Can use above 13. (GDPR requires users to be 16)
  • You can export data outside of the app

Source: Spotify app

Snapchat and GDPR

  • This is below the sign-up fields: “By tapping sign up & accept you accept, you acknowledge that you have read the privacy policy”. The signup button says “Sign up & Accept”
  • It implies in the privacy policy you can delete your data by deleting your account but it does not explicitly say that.
  • You can export data outside the app here

Source: Snapchat app

Top ten wrap up

One app asked for granular consent. No one asked for consent for personalized ads. None of the apps let you use the app if you denied consent. The consent to the terms and conditions seemed very passive and inexplicit. I hope this case study was helpful. If you have any questions please leave a comment bellow.

Stay in touch by subscribing to my newsletter here or follow me on twitter here.