Spencer Depas is a British new yorker who is currently building apps in Beijing. He is a freelance mobile consultant and developer. He is excited about the decisions behind making great apps.
Before creating this article I did the best I could to apply the The General Data Protection Regulation (GDPR) to my products. I created granular consent, age consent, an option to delete all user data, a clear and explicit explanation of what data was being used, I removed libraries and changed features to adhere to GDPR. After creating this article my strategy has changed and I think yours might too. Below I take a look at the UK’s top downloaded apps in April 2018 and see how they handle GDPR.
*Information was gathered on May 31st, 2018.
No granular consent
Instagram app consent form
Facebook Messenger app consent form
Wish app consent form
An app consent form
WhatsApp consent screen
Apps are location independent
All apps seemed to have no different flow depending on location or IP address. I signed up for all apps using an EU IP address and a non-EU IP address.
Some apps have online counterparts so the features we are seeking may be online only, like the exporting of data or deletion of data. I did not explore all online components.
No request for personalized ads
None of the apps asked for explicit consent for personalized ads.
Uk’s top 10 apps
Helix jump and GDPR
Source: Helix jump app
Whatsapp and GDPR
- In the PP “If you live in a country in the European Region, you must be at least 16”
- It says in the PP there is a way to port data. I can’t see any way to do this online or in-app.
Source: WhatsApp app
Pubg and GDPR
- If you select North America for your country no consent screen is displayed. But If you choose anywhere in the EU a consent screen is displayed.
- The app claims that after 7 days of deleting your account it will delete all your data. On the mobile version, I was unable to find a way to delete an account.
- You can use the app if you are under 16 If you get your parents permission otherwise the app will not let you. This could be relating to the app having violence.
Source: Pubg app
Harry Potter Hogwarts Mystery and GDPR
Source: Harry Potter Hogwarts Mystery
Home workout and GDPR
- This is the only app that explicitly states it does not collect PPI(Personal Identifiable data)
Source: Home workout
Messenger and GDPR
- In the on-boarding, it says, “By tapping continue, you accept our terms and agree that you have read our Data policy”
- It asks you to change and exercise your GDPR rights by going on facebook.com. What is funny about this is if you do not have a facebook account you would have to make one. ”you have the right to access, rectify, port and delete your data…find out how to exercise your rights in the Facebook settings.”
- In the app it says you can export data on facebook.com settings
Source: Facebook Messenger app
Wish and GDPR
- The first time I installed the app I was presented with an age requesting dialog. I only saw this once. I tried to recreate it to test being above and below 16.
- There is an option to delete the account. But it does not say it deletes the data. In the PP it says you can delete the data in settings but there is not a dedicated button.
Source: Wish app
Instagram and GDPR
- By clicking next you agree to our data policy
- ”We provide you with the ability to access, rectify, port and erase your data. Learn more in your … Instagram settings.” There is an option to export the data but it does not say that it will export all data. It says, “Get a copy of what you have shared on Instagram”.
- You can delete your data but not in-app. To delete your data you must delete your account. ”Go to the Delete Your Account page. If you’re not logged into Instagram on the web, you’ll be asked to log in first. You can’t delete your account from within the Instagram app.”
Source: Instagram app
Spotify and GDPR
- If you continue you agree to our terms and service data policy consent
- I have found no way to do this. ”If you request, we will delete or anonymise your personal data “
- “Declining the terms and conditions will exit the Spotify app”
- In the app, there is an option to delete Cache and data. This could mean PII but I don’t think it does.
- I found nothing on GDPR specific age requirements which is 16
- Age limit of 13, Can use above 13. (GDPR requires users to be 16)
- You can export data outside of the app
Source: Spotify app
Snapchat and GDPR
- You can export data outside the app here
Source: Snapchat app
Top ten wrap up
One app asked for granular consent. No one asked for consent for personalized ads. None of the apps let you use the app if you denied consent. The consent to the terms and conditions seemed very passive and inexplicit. I hope this case study was helpful. If you have any questions please leave a comment bellow.