Abstract
Third-party tracking allows companies to collect users' be-havioural data and track their activity across digital devices. This can put deep insights into users' private lives into the hands of strangers, and often happens without users' awareness or explicit consent. EU and UK data protection law, however, requires consent, both 1) to access and store information on users' devices and 2) to legitimate the processing of personal data as part of third-party tracking, as we analyse in this paper. This paper further investigates whether and to what extent consent is implemented in mobile apps. First, we analyse a representative sample of apps from the Google Play Store. We find that most apps engage in third-party tracking, but few obtained consent before doing so, indicating potentially widespread violations of EU and UK privacy law. Second, we examine the most common third-party tracking libraries in detail. While most acknowledge that they rely on app developers to obtain consent on their behalf, they typically fail to put in place robust measures to ensure this: disclosure of consent requirements is limited; default consent implementations are lacking; and compliance guidance is difficult to find, hard to read, and poorly maintained.
Original language | English |
---|---|
Title of host publication | Proceedings of the 17th Symposium on Usable Privacy and Security, SOUPS 2021 |
Publisher | USENIX Association |
Pages | 181-195 |
Number of pages | 15 |
ISBN (Electronic) | 9781939133250 |
Publication status | Published - 2021 |
Externally published | Yes |
Event | 17th Symposium on Usable Privacy and Security, SOUPS 2021 - Virtual, Online Duration: 8 Aug 2021 → 10 Aug 2021 https://www.usenix.org/conference/soups2021 |
Publication series
Series | Proceedings of the Symposium on Usable Privacy and Security, SOUPS |
---|
Symposium
Symposium | 17th Symposium on Usable Privacy and Security, SOUPS 2021 |
---|---|
Period | 8/08/21 → 10/08/21 |
Internet address |