<img height="1" width="1" style="display:none" src="https://www.facebook.com/tr?id=134132097137679&amp;ev=PageView&amp;noscript=1">

Pixalate’s H1 2024 Legal Investigation Report on Apple App Store Identifies How the App Store & App Developers Are Likely Violating GDPR Articles 5, 12, 13 & 24

Aug 22, 2024 10:45:00 AM

Pixalate’s research reveals that over 380,000 users within the United Kingdom, France and other European countries face ongoing privacy risks when using Apple devices, as their personal data is transmitted in the open programmatic advertising bid stream by 1,300+ Apple App Store-hosted and targeted advertising-enabled mobile apps – these apps are likely failing to inform users of their privacy rights and what essentially happens to their personal data once processed, triggering potential violations of GDPR Articles 5,12 and 13. Pixalate’s research further investigates and shares insights on Apple App Store appearing to enable these likely non-compliant apps to conduct targeted advertising by sharing EU & UK-based users’ IDFAs/IDFVs with them.

LONDON, August 22, 2024Pixalate, the global market-leading ad fraud protection, privacy, and compliance analytics platform, today released the H1 2024 GDPR Violation Risks Report: Apple App Store. The report provides a detailed legal analysis on data privacy violation risks arising under the European Union (‘EU’) and United Kingdom’s (‘UK’) General Data Protection Regulation (‘GDPR’), specifically under Articles 5, 12, 13, 24 and Rec. 75 in connection with the Apple App Store and app developers that have published mobile apps on Apple’s App Store. 

The report also evaluates potential GDPR violation risks for Apple as a “Data Controller,” as defined under GDPR Article 4(7) – Apple appears to share users’ device identifiers (Identifier for Advertisers, Identifier for Vendors, a.k.a IDFAs/IDFVs) with 1,384 Apple App Store-hosted mobile apps that do not have detected privacy policies yet appear to process users’ personal data by sharing their IDFAs/IDFVs in the ad bid stream.

To compile this research, Pixalate’s data science team analysed over 32,000 Apple App Store-hosted mobile apps that were downloadable from their App Store in the EU and UK during H1 2024, met the territorial scope of GDPR, and had open programmatic ad impressions targeted towards EU and/or UK-based users, as measured by Pixalate.

Pixalate’s H1 2024 Apple App Store GDPR Violation Risk Report – Key Findings: 

  • 380,000+ EU and UK-based users’ personal data was shared in the ad bid stream by targeted advertising-enabled apps that did not have detected privacy policies during H1 2024.
  • 1,384 Apple App Store-hosted apps: 
    • did not have a detected privacy policy during H1 2024, and 
    • shared EU and UK-based users’ personal data in the open programmatic advertising bid stream.
  • Personal data shared in the open programmatic ad bid stream included location data, IP address, and device identifiers (IDFVs/IDFAs), as measured by Pixalate:
    • 842 (61%) targeted advertising-enabled apps shared EU and UK-based users’ IDFAs/IDFVs in the open programmatic ad bid stream in H1 2024.
    • 330 (24%) targeted advertising-enabled apps shared all three forms of personal data in the open programmatic ad bid stream during H1 2024.

By sharing users’ IDFAs/IDFVs with apps without detected privacy policies, Apple is likely failing to meet its Data Controller obligations to ensure that users’ device identifiers are handled with integrity and confidentiality, as per GDPR Article 5(f).

“Pixalate has undertaken this investigation to produce data insights and legal analyses concerning actual practices of app developers, websites and reputable app-hosting platforms to help users ascertain whether their personal data is actually processed with user privacy at the forefront,” said Yusra Kayani, Pixalate’s EMEA Director of Data Protection and Privacy. “It is a concerning realisation that the identified apps without detected privacy policies exist and operate within the Apple App Store ecosystem, yet Apple appears to lay dormant in taking action to identify and remove such apps that are likely violating GDPR provisions alongside Apple’s own developer licence agreements and App Store guidelines.”

Top 10 EU+UK Registered App Store-Hosted Apps Without Detected Privacy Policies Sharing Personal Data in the Ad Bid Stream

Rank Title Developer Developer Country Est. No of EU+UK Users Impacted (H1 2024)
1 LALIGA Fantasy 23-24 Liga Nacional de Futbol Profesional SPAIN 79K (20%)
2 Paint the Flag Mobsmile Yazilim Hizmetleri Limited Sirketi UNITED KINGDOM 14K (4%)
3 My Monster Pet: Train & Fight traxnet ou ESTONIA 4K (1%)
4 Führerschein ClickClickDrive ClickClickDrive GmbH GERMANY 4K (0.96%)
5 Dingbats - Between the lines Romain Lebouc FRANCE 2K (0.53%)
6 Handy Craft Voodoo FRANCE 2K (0.51%)
7 Freecell - move all cards to the top Brilliant Labs Limited UNITED KINGDOM 1K (0.34%)
8 Crush the Monsters:Cannon Game HEROCRAFT LTD UNITED KINGDOM 1K (0.3%)
9 Closer – Actu et exclus People Reworld Media Magazines FRANCE 1K (0.29%)
10 Tipping Point Blast! Coin Game Two Way Media Ltd UNITED KINGDOM 1K (0.29%)

 

Access the full H1 2024 GDPR Violation Risks Report – Apple App Store here. You will also receive the list of 1,384 App Store-hosted apps without detected privacy policies that are sharing EU and UK-based users’ personal data in the ad bid stream during H1 2024, as measured by Pixalate.

GDPR Violation Risks Report: Apple App Store

About Pixalate

Pixalate is the market-leading fraud protection, privacy, and compliance analytics platform for Connected TV (CTV) and Mobile Advertising. We work 24/7 to guard your reputation and grow your media value. Pixalate offers the only system of coordinated solutions across display, app, video, and CTV for better detection and elimination of ad fraud. Pixalate is an MRC-accredited service for the detection and filtration of sophisticated invalid traffic (SIVT) across desktop and mobile web, mobile in-app, and CTV advertising. www.pixalate.com

Disclaimer

The content of this press release, and the associated report – including all content set forth herein – reflects Pixalate’s opinions with respect to subject matter that Pixalate believes may be useful to the digital media industry, inclusive of advertisers, advertising technology companies, developers of mobile applications, professional advisors, non-governmental entities, and regulators. Pixalate is sharing this report’s data–and opinions relating thereto–not to impugn the standing or reputation of any entity, person, or app, but, instead, to report opinions and suggest trends pertaining certain apps available for download via the Apple App Store during the H1 2024 time period studied. Any data shared herein is grounded in Pixalate’s proprietary technology and compliance analytics, which Pixalate is continuously evaluating and updating. Any references to outside sources should not be construed as endorsements. Pixalate’s opinions are just that: opinions (i.e., they are neither facts nor guarantees). Pixalate's opinions regarding possible applicability of, legal obligations under, and compliance with the GDPR are for informational purposes only, and are not offered as legal advice. Nothing in this report: (i) is intended to constitute professional and/or legal advice; (ii) actually constitutes professional and/or legal advice; or (ii) sets forth a comprehensive or complete statement of the matters discussed or the law relating thereto.

Search Blog

Follow Pixalate

Subscribe to our blog

*By entering your email address and clicking Subscribe, you are agreeing to our Terms of Use and Privacy Policy.

Subscribe to our blog

*By entering your email address and clicking Subscribe, you are agreeing to our Terms of Use and Privacy Policy.