𝐴 𝐹𝑎𝑖𝑡 𝐴𝑐𝑐𝑜𝑚𝑝𝑙𝑖 An Empirical Study into the Absence of Consent to Third-Party Tracking in Android Apps

Abstract

Third-party tracking allows companies to collect users’ behavioural data and track their activity across digital devices. This can put deep insights into users’ private lives into the hands of many strangers, and often happens without users’ awareness or explicit consent. EU and UK data protection law, however, requires consent, both 1) to access and store information on users’ devices and 2) to legitimate the pro- cessing of personal data as part of third-party tracking, as we analyse in this paper. This paper further investigates whether and to which extent consent is implemented in mobile apps. First, we analyse a representative sample of apps from the Google Play Store. We find that most apps engage in third-party tracking, but only 4% obtained consent before doing so, indicating potentially widespread violations of EU privacy law. Second, we examine the 13 most common third-party tracking libraries in detail. While most acknowledge that they rely on app developers to obtain consent on their behalf, they typically fail to put in place robust measures to ensure this: disclosure of consent requirements is limited; default consent implementations are lacking; and compliance guidance is difficult to find, hard to read, and poorly maintained