The release of the Norwegian Consumer Council’s latest report ‘Out of Control’ has unearthed the extent to which ten widely used apps are sharing the personal data of their users with third parties, without meaningful consent. This information is being used to build profiles of consumers that can be used for targeted advertising, and may lead to discrimination and manipulation.
Altogether, the ten apps were observed transmitting user data to at least 135 different third parties involved in advertising and/or behavioural profiling.
The Android Advertising ID, which allows companies to track consumers across different services, was transferred to at least 70 different third parties involved in advertising and/or profiling. This identifier was often transmitted in combination with other personal data such as GPS location and IP address. This extensive collection, combination and use of persistent identifiers enables tracking across apps and devices, and the creation of comprehensive profiles on individual consumers.
All of the apps shared user data with multiple third parties, and all except one shared data beyond the device’s Advertising ID. This information included the IP address and GPS location of the user, personal attributes including gender and age, and various user activities. Such information can be used to track and target these users with ads, to profile them, and consumers like them, and to infer many highly sensitive infer attributes including sexual orientation and religious beliefs.
The dating app Grindr shared detailed user data with a large number of third parties that are involved in advertising and profiling. This data included IP address, Advertising ID, GPS location, age, and gender.
Twitter’s adtech subsidiary MoPub was used as a mediator for much of this data sharing, and was observed passing personal data to a number of other advertising third parties including the major adtech companies AppNexus and OpenX. Many of these third parties reserve the right to share the data they collect with a very large number of partners.
The makeup app Perfect365 shared user data with more than 70 third parties. This data included the Advertising ID, IP address, and GPS location. Many of the third parties that were receiving this data are in the business of collecting, using and selling location data for various commercial purposes.
The period tracker app MyDays shared the user’s GPS location with numerous third parties involved in behavioural advertising and profiling.
The dating app OkCupid shared highly personal data about sexuality, drug use, political views, and more with the analytics company Braze.
Google’s advertising service DoubleClick was receiving data from eight of the apps, while Facebook was receiving data from nine apps.
20 months after the GDPR has come into effect, consumers are still pervasively tracked and profiled online and have no way of knowing which entities process their data and how to stop them. The adtech industry is operating with out of control data sharing and processing, despite that should limit most, if not all, of the practices identified throughout this report.