Data privacy rights have advanced since the European Union’s General Data Protection Regulation (GDPR) rules took effect nearly a year ago in May 2018. GDPR outlines privacy protection and control for EU citizens and requires companies to notify users about their data collection practices and securely handle that personal data. The attention surrounding GDPR’s sweeping changes has intensified public awareness and attention about data privacy issues like never before.
Taking a cue from GDPR, Apple and Google last year began requiring mobile app developers to provide clearly written privacy policies for each app as part of the store approval process. The policies must specify what data is collected, if it is shared with third parties, and how users may request deletion of data. Mobile apps often collect personally identifiable data and other information, such as geolocation data and usage habits. Immediately after the new GDPR rules were enacted, many mobile app developers notified end users about new or updated GDPR-compliant policies. Establishing and maintaining accurate privacy policies for mobile apps can be challenging since it requires continuous coordination between development and legal as app capabilities change.
Users Have the Last Say
This time last year, the world learned that 87 million Facebook users’ personal data had been collected by a quiz app and then sold to Cambridge Analytica without the end users’ knowledge or approval. Influenced by the GDPR wave, the media and U.S. lawmakers alike scrutinized Facebook’s role in the scandal. Users grew increasingly alarmed after learning how much of their personal data had been collected, how unaware they were of the practices and how little was done to protect it. Losing trust is detrimental for mobile-driven organizationes such as Facebook, which Statista determined 95% of users access via smartphones. Mobile apps make it easy and convenient to access services; however, they also are just as easy to uninstall.
After the Cambridge Analytica incident, a grass roots #DeleteFacebook campaign went viral as users encouraged each other to discontinue the service. A Pew poll of 3,400 Facebook users discovered that 44 percent of 18- to 29-year-old users deleted the Facebook mobile app from their phone in the first half of 2018. By the July earnings call, Facebook reported weak revenue and disappointing global daily active user numbers. The resulting $1.2 billion stock plunge was one of the biggest in history — larger than the individual market caps of 92.8% of the S&P 500.
Facebook Stock Price February 2018 – March 2019
Although Facebook’s stock price rebounded after the Cambridge Analytica news last spring, it has not yet recovered from the loss of daily active users. Exacerbating the problem, additional privacy issues continue to pile up, keeping the #DeleteFacebook campaign going strong nearly a year later.
A GDPR Framework to Secure Private Data
GDPR provides a solid privacy framework for companies willing to take a proactive approach to their overall privacy strategy. For example, two articles of GDPR regulations highlight good security hygiene practices that benefit both companies and users — Article 25, data protection by design and default and Article 32, secure processing. This means ensuring personally identifiable data such as first name, last name, email address, user name, and geolocation data is not stored in local files and system logs or transmitted insecurely, such as via HTTP.
After hard lessons learned, Facebook recently announced it is moving to a more privacy-focused platform that includes end-to-end message encryption and data retention limits. These tactical measures aim to build back trust and win back users.
It’s not too late for all mobile app developers to start with a fundamentally improved privacy strategy that puts mobile users first. Based on our own analysis of the millions of mobile apps in the Apple iTunes and Google Play store, more than half leak personally identifiable information, geolocation or other privacy data. One of the best ways to maintain public trust is to not respond defensively to GDPR, but to view it as a guidebook for looking inward to take steps to safeguard user data and privacy.
