Apps Continue to Collect and Share User Data
The company URL Genius recently published research about the collection of personal information by apps. To put things into context, in April of 2021, iOS 14.5 introduced privacy by default for apps on iPhones and Apple devices. Prior to tracking users, apps needed to get affirmative, “opt-in” consent from users. More recently, iOS 15.2 introduced a new Record App Activity feature that shows which apps communicate with networks and the domains that they contact. For their research, URL Genius used the Record App Activity feature on 200 different apps to see the level of network activity of each app and what domains were being contacted.
For some apps, the domains contacted correspond to the producer of the app. More commonly, though, the apps were contacting third party domains.
They found that approximately 80% of the domains contacted were third party domains. The average app contacted 15 domains, meaning that on average only 3 of the domains contacted were domains associated with the app producer and 12 were third party domains.
In terms of tracking users on apps, the worst offenders were magazine publishers. Their apps contacted 26 third party domains and 2 first party domains on average. For user tracking, the least offensive app producers were social media apps, which on average contacted 4 third party domains and 2 first party domains.
Five apps in particular rose above the crowd for their network activity. iHeartRadio, Wall Street Journal, ESPN, Popeyes, and WattPad had the most network activity, with 56, 48, 42, 42, and 36 network contacts respectively. It is important to note that this was merely a sampling of 200 apps. There may be apps with greater network activity out there.
Few apps kept the network activity entirely in-house. DuckDuckGo, Google Play Books, Google Classroom, and Microsoft OneNote only engaged in first party network activity.
URL Genius attempted to keep all variables consistent for their research. Each app was downloaded and opened only once, used minimally and then closed. All of this app activity occurred while the iOS setting “Allow Apps to Request to Track” was toggled off. In other words, the apps shouldn’t have even been able to request tracking, much less have been tracking.
What is happening when an app makes contact with a domain? It isn’t always clear, but the apps could be capturing and sharing behavioral data or fingerprint data.
Not knowing what information is being sent to the domains by the apps complicates things. It is entirely possible that none of these apps were sharing personal information. A resourceful investigator based in California or Europe could conceivably experiment by requesting deletion of their data with various companies, then subsequently downloading, installing, and briefly using an app, then submitting an access request to the app producer as well as businesses behind some of the third party domains contacted. Exercising data privacy rights can help us all better understand the digital world we live in.