The UK’s top mobile apps and the GDPR

Spencer Zeke Depas
Jun 6, 2018

Before creating this article I did the best I could to apply The General Data Protection Regulation (GDPR) to my products. I created granular consent, age consent, an option to delete all user data, a clear and explicit explanation of what data was being used, I removed libraries and changed features to adhere to GDPR. After creating this article my strategy has changed and I think yours might too. Below I take a look at the UK’s top downloaded apps in April 2018 and see how they handle GDPR.

*Information was gathered on May 31st, 2018.

No granular consent

One of the most important things I found was that one app out of ten asked for granular consent. In my mobile apps, I have seen a drop in on-boarding and I am attributing it to the three extra dialogs explicitly stating what data is being collected and for what reason. All the top players are simply providing a button that says ‘Continue’, and in the area some text that says if you continue you agree to our privacy policy. Please see the consent forms for Instagram, Messenger, Wish, Snapchat and Whatsapp below.

Apps are location independent

All apps seemed to have no different flow depending on location or IP address. I signed up for all apps using an EU IP address and a non-EU IP address.

Online counterparts

Some apps have online counterparts so the features we are seeking may be online only, like the exporting of data or deletion of data. I did not explore all online components.

No request for personalized ads

None of the apps asked for explicit consent for personalized ads.

UK’s top 10 apps

Below you will find the UK’s top ten apps and how they dealt with GDPR. There are notes regarding each app. Click on the app icon for the app’s privacy policy. For all apps I created a new account.

Helix jump and GDPR

No privacy policy. When you click on the privacy policy on the Play Store, it takes you to a webpage providing only an email.

Whatsapp and GDPR

  • ’Tap agree and Continue’ to accept the Whatsapp Terms of Service and Privacy Policy
  • You can delete your account within the app. In the privacy policy, it says, “When you delete your WhatsApp account, your undelivered messages are deleted from our servers as well as any of your other information we no longer need to operate and provide our Services”. This does not strictly say we delete all of your PII.
  • In the PP “If you live in a country in the European Region, you must be at least 16”
  • It says in the PP there is a way to port data. I can’t see any way to do this online or in-app.

Pubg and GDPR

  • If you select North America for your country no consent screen is displayed. But if you choose anywhere in the EU a consent screen is displayed.
  • The app claims that after 7 days of deleting your account it will delete all your data. On the mobile version, I was unable to find a way to delete an account.
  • The privacy policy gives no clear instructions on exporting the data
  • You can use the app if you are under 16 if you get your parents’ permission; otherwise the app will not let you. This could be relating to the app having violence.

Harry Potter Hogwarts Mystery and GDPR

  • Privacy policy in-app only

Home workout and GDPR

  • This is the only app that explicitly states it does not collect PII (personally identifiable data)

Messenger and GDPR

  • In the on-boarding, it says, “By tapping continue, you accept our terms and agree that you have read our Data policy”
  • It asks you to change and exercise your GDPR rights by going on facebook.com. What is funny about this is if you do not have a facebook account you would have to make one. ”you have the right to access, rectify, port and delete your data…find out how to exercise your rights in the Facebook settings.”
  • The messenger app seems to have the same privacy policy as facebook.com
  • In the app it says you can export data on facebook.com settings

Wish and GDPR

  • Privacy policy button is next to sign up button. In the PP “By using or accessing the Services, you acknowledge that we will collect, use, and share your information as described in this Privacy Policy”
  • I downloaded Wish on two devices. The versions were slightly different including the privacy policy. One PP was updated April 5th, 2017 and the other was updated May 25th, 2018
  • The first time I installed the app I was presented with an age requesting dialog. I only saw this once. I tried to recreate it to test being above and below 16.
  • There is an option to delete the account. But it does not say it deletes the data. In the PP it says you can delete the data in settings but there is not a dedicated button.
  • In the privacy policy, it states you can export data but gives you no mention as to how.

Instagram and GDPR

  • By clicking next you agree to our data policy
  • ”We provide you with the ability to access, rectify, port and erase your data. Learn more in your … Instagram settings.” There is an option to export the data but it does not say that it will export all data. It says, “Get a copy of what you have shared on Instagram”.
  • You can delete your data but not in-app. To delete your data you must delete your account. ”Go to the Delete Your Account page. If you’re not logged into Instagram on the web, you’ll be asked to log in first. You can’t delete your account from within the Instagram app.”

Spotify and GDPR

  • If you continue you agree to our terms and service data policy consent
  • I have found no way to do this. ”If you request, we will delete or anonymise your personal data”
  • “Declining the terms and conditions will exit the Spotify app”
  • The play store listing privacy policy takes you to a 404 error. I found the online version here.
  • In the app, there is an option to delete Cache and data. This could mean PII but I don’t think it does.
  • There is no mention of exporting data in the privacy policy but I did find an export data option online.
  • I found nothing on GDPR specific age requirements which is 16
  • Age limit of 13; can use above 13. (GDPR requires users to be 16)
  • You can export data outside of the app

Snapchat and GDPR

  • This is below the sign-up fields: “By tapping sign up & accept you accept, you acknowledge that you have read the privacy policy”. The signup button says “Sign up & Accept”
  • It implies in the privacy policy you can delete your data by deleting your account but it does not explicitly say that.
  • You can export data outside the app here

Top ten wrap up

One app asked for granular consent. No one asked for consent for personalized ads. None of the apps let you use the app if you denied consent. The consent to the terms and conditions seemed very passive and inexplicit. I hope this case study was helpful. If you have any questions please leave a comment below.
