“GDPR compliance is hard”, but is it? – 20 hours to overcome privacy issues in mobile apps

Konrad Kollnig, Department of Computer Science, University of Oxford, United Kingdom
Pierre Dewitte, KU Leuven Centre for IT & IP, KU Leuven, Belgium

PUBLISHED ON: 18 Jan 2023

Tracking – the large-scale surveillance and monetisation of individuals’ digital activities – is a serious privacy concern in digital technology. Most of the current discussion focuses on cookies in desktop browsers, yet this is only the tip of the iceberg. First, people now spend significantly more time on their mobile devices than on desktop computers.

Second, cookies are but the tangible manifestation of a tracking ecosystem that raises many legal issues. As detailed in a recent complaint against IAB TechLab, programmatic advertising using real-time bidding, for instance, is said to breach many of the general principles laid down in Article 5 GDPR, including data minimisation, purpose limitation and security. Attempts to make the system compliant with the GDPR have thus far been deemed insufficient, and have even proved ineffective. A key reason why past compliance efforts have failed is the high number of third parties involved in data collection, combined with the absence of any mechanism to ensure and verify that users’ privacy preferences are respected by all the actors involved in the data processing chain. These concerns have unfortunately not been fixed in the latest iteration of the IAB Tech Lab’s framework, the Global Privacy Platform (GPP), launched in September 2022.

Lastly, third party tracking happens on mobile devices too, and is baked into many of the apps individuals use on a daily basis. We have already documented the widespread absence of consent mechanisms to third party tracking in mobile apps, despite consent being the most appropriate lawful ground for justifying such processing (Article 6(1)a GDPR). According to our research, less than 10% of apps on the Google Play Store implement any form of user consent, while 70% share data with tracking companies right when they are first launched. Follow-up research even suggests that, among the apps that do require consent, a significant portion breaches at least one of the conditions of its validity. We also found that few tracking companies implement consent by default in their libraries, or even mention the need for app developers relying on these libraries to secure the ‘freely given’, ‘specific’, ‘informed’ and ‘unambiguous’ consent of users before engaging in tracking activities. Besides, such companies often fail to provide or maintain appropriate documentation to assist developers in their compliance exercise.

Overall, these points highlight that the current approach to tracking and advertising is in breach of many of the principles listed in Article 5 GDPR. More worryingly though, the functioning of these technologies often appears to be incompatible with these principles: not only because the amount of personal data collected commonly outweighs what is objectively necessary (Article 5(1)b), but also because the underlying business model usually involves the spreading of that information to a large number of third party companies (Article 5(1)b and f). The industry’s lack of willingness to change its established data practices paves the way for an easy, often-made argument – if not an excuse – for trackers and developers: ‘GDPR compliance is hard’. But is it really? In order to provide a documented answer to that question and gauge what it would take for a motivated app developer to ensure a basic level of compliance, we decided to develop a technical prototype designed to secure consent as a strict precondition for third party tracking.

Existing consent ‘solutions’ – and an experimental alternative

We first reviewed the top Consent Management Platforms (CMPs) for mobile. We identified 18 solutions through Google Search. The vast majority relied on IAB Europe’s Transparency and Consent Framework (TCF), including the solutions proposed by Google and OneTrust. None, however, offered an automatic configuration for app developers without relying on the IAB framework, an important aspect for app developers who usually lack the necessary legal knowledge to ensure and demonstrate compliance with the provisions of the GDPR as required by Data Protection by Design (Article 25(1) GDPR). In short, most CMPs do not adequately support app compliance, and some even mislead app developers.

Against this backdrop, we explored an experimental, alternative approach for Android app developers (which we call ‘Auto-app-consent’). Our tool only requires a few code changes and takes a ‘radical’ approach: as long as a user has not consented, no personal data is shared with any third party. This effectively bypasses the need to trust that these third parties will indeed comply with users’ privacy preferences, something that is complex to both ensure and verify. The development of this tool took us about 20 hours of programming. On the technical side, the tool automatically detects the top 20 tracking toolkits according to Exodus Privacy, and implements a consent flow by making modifications to the toolkit when it is loaded at run-time (‘hooks’). We have shared our code freely on GitHub.

No silver bullet – but a case in point

As hinted above, our experimental patch is radical in that it restricts any form of tracking before the user has actually expressed their consent. As a result, and while the alternatives currently offered on the market tend to be on the lower end of the compliance spectrum, ‘Auto-app-consent’ might go a bit too far. While it enforces, through code, the decision of the end user (not) to be subject to third party tracking, it does not yet provide all the necessary details for that decision to be considered ‘informed’. That information should ideally come from the tracking companies themselves, and allow the data subjects to understand the scope and consequences of the processing at stake – a requirement that, as recently emphasised by the Belgian Data Protection Authority, might prove particularly complex ‘due to the large number of third parties that will potentially receive and process the personal data of the users’ (para 472).

As long as it remains impossible to verify that the third parties involved in tracking activities actually comply with the requirements of the GDPR, the complete blocking of data flows in the absence of consent seems to be the most prudent option. With ‘Auto-app-consent’, we wanted to demonstrate that tipping the scale in favour of data subjects by providing stronger control over their personal data is indeed possible – and also that there is a way, if not a will. Meanwhile, most third party tracking activities still fail to comply with basic legal requirements, such as lawfulness, transparency and security. Individuals are aware of the issues and tend to reject disproportionate tracking when given a meaningful choice.

The way forward – stronger enforcement, technical guidance and a more honest narrative

‘Auto-app-consent’ was designed as an experimental patch rather than a long-term solution. This, in our opinion, should come from tracking companies themselves under the threat of administrative remedies. Yet, the enforcement path is full of pitfalls. Allocating responsibilities in such a complex, multi-stakeholder environment requires a careful analysis, the outcome of which will eventually be influenced by the Court of Justice of the European Union. The cooperation and consistency mechanism, while paramount to ensure a harmonised approach across the European Union, is time-consuming. Divergences in national procedural laws add an extra layer of complexity to the handling of cross-border cases. This, in turn, exacerbates the bottleneck role played by the Irish Data Protection Commission in GDPR enforcement. Most regulators are also short on financial resources, while data subjects often face difficulties when filing and following up on complaints. Solving complex cases like third party tracking first requires fixing the EU’s enforcement ecosystem so that it sets serious incentives for compliance. We believe it might be time for the European Commission to step in and adopt a binding framework that establishes the exact functions of an efficient one-stop-shop system.

From a technical perspective, alternatives to current tracking practices could include the decentralisation of the underlying processing activities, or the establishment of trustworthy data intermediaries. These could, for example, be based on the user device itself, thereby storing personal data locally while retaining full control over it. Existing approaches, like Apple’s SKAdNetwork or Google’s Federated Learning of Cohorts (FLoC), underline, however, the risks that privacy improvements might reinforce existing market imbalances. These would need to be anticipated and mitigated. As emphasised in our previous research, more actionable, technical guidance for app developers would also greatly improve the status quo, alongside GDPR-compliant technical defaults (like minimal data collection and zero-configuration consent implementations).

With this piece – conceived of as a thought-provoking experiment rather than a full-fledged alternative – we hope to have stressed the need for a more honest, solution-oriented engagement and narrative around GDPR compliance. While the GDPR has drawn unprecedented attention to privacy and data protection issues, its founding principles have been around for decades in international (Council of Europe's Convention 108), EU (Directive 95/46) and national law. Sanctions are on the way, as enforcement is getting up to speed. Yet, a proactive approach from the sector could be the most constructive and rights-preserving option.

Declaration

Co-author Pierre Dewitte is party to the complaint against IAB Europe concerning the compliance of its consent technology with the GDPR. The case is currently pending before the Belgian data protection authority, which already issued Decision 21/2022. IAB Europe appealed to the Market Court, which in turn submitted a request for a preliminary ruling at the Court of Justice of the European Union (C-604/22).