Mobile apps that fail to uphold adequate data practices have been a recurring concern dating back at least to 2014 when whistleblower Edward Snowden revealed the popular gaming app Angry Birds and others like it engaged in the surreptitious collection and disclosure of personal information. A decade later, issues over leaky apps have come to a head in the wake of increased scrutiny over one long-used tool: the software development kit.
SDKs are bundles of code embedded within an app that allow the developer to provide specific functionality. Instead of developing code for an app function — such as login, authentication, analytics or crash reporting — from scratch, a developer can license a collection of software libraries, application programming interfaces, documentation, utilities and/or sample code offered by a prebuilt SDK.
In recent years, the U.S. Federal Trade Commission drew attention to SDKs and similar tracking technologies through its settlements with SDK providers InMobi, X-Mode Social and InMarket Media and apps GoodRx, Premom and, more recently, Monument and Cerebral. These settlements have begun to offer boundaries around the usage and provision of SDKs.
At the state level, the California attorney general's office has been keenly interested in SDKs and other tracking technologies for their part in the alleged unlawful sale or sharing of personal information. In addition, the plaintiffs' bar has sent demand letters and filed many class-action lawsuits alleging privacy violations involving the provision and usage of SDKs.
SDKs may feel to many like just another cog in the labyrinthine advertising technology machine. With regulators, litigators and major industry players turning their focus to SDKs, privacy professionals must shift their focus to ensuring the proper incorporation of these technologies.
The building blocks of app development
SDKs are typically developed — and often required — by hardware manufacturers, operating system vendors or the providers of other apps. The near-universal adoption of SDKs across the mobile app universe stems from their ease of use, low cost, reliability and stability. Of concern to regulators and privacy pros: Many SDKs facilitate data collection and third-party disclosure.
SDKs are just one of several services, features or products that serve as enforcement lightning rods. Other technologies — tracking pixels, cookies and fingerprinting, to name a few — have also raised compliance concerns. SDKs have caused particular regulatory consternation due to their role in tracking location and other data that reveals sensitive characteristics.
For example, a user boots up a food delivery app on their phone and logs in through their Facebook account using Facebook's Login SDK. They see an embedded map of all local participating restaurants using Google's Map SDK. They place the order and pay using Stripe's payment processing SDK. The driver communicates with the customer via messages sent through a Twilio messaging SDK. And so on.
Each of these SDKs enables communication with the phone's operating system to retrieve information that helps it accomplish a task. In doing so, the SDK collects data, using it within the app but often also disclosing it to the SDK provider. Some of this data may constitute personal information under the law, and issues often arise when this personal information is processed.
What's the trouble?
In 2016's InMobi settlement and order, the FTC broke new ground in its long arc toward an increased technological focus. InMobi, a mobile advertising platform for app developers and advertisers, allegedly permitted developers to sell advertising space in their apps and allowed advertisers to target consumers on those apps based on location data collected through the InMobi SDK. When consumers denied an app, and thus the SDKs embedded in it, access to their location data, InMobi allegedly continued to track user location by collecting network information and "sidestepping consumer choice." The crux of the FTC's allegations was that the representations in InMobi's app-development guide deceived consumers into believing it would not track their locations in this way.
The spotlight returned to SDKs several years later. In 2023's GoodRx, Premom and BetterHelp actions, the FTC focused on apps that used SDKs to collect sensitive health data and allegedly failed to properly inform consumers about the disclosure of such data through those SDKs or to implement controls on the third-party recipients. In two 2024 enforcement actions, X-Mode and InMarket, the FTC alleged the SDK providers unfairly or deceptively collected and used personal information obtained through their own apps, as well as through apps that installed the respondent's SDK.
Class-action lawsuits, too, have plagued apps and SDK providers. For example, Greenley v. Kochava saw the California Invasion of Privacy Act's pen register theory applied when plaintiffs accused location data broker and SDK provider Kochava of using its SDK to surreptitiously collect user data, which was later sold to third parties. The plaintiffs survived dismissal after the judge broadly interpreted the term "pen register" to include software like online tracking technologies. Greenley's total impact remains to be seen but, so far, the decision has resulted in a litigation glut, with one firm filing over 120 lawsuits in recent months. Several other statutes, such as the Video Privacy Protection Act, have been used to target apps sharing data through SDKs.
Takeaways for privacy pros
Reverse engineering enforcement actions and successful litigation claims provides privacy pros with guidelines on using SDKs, and certain pain points become evident upon close examination. Privacy pros managing privacy compliance in the mobile app ecosystem should focus on realigning their consent practices, staying attuned to operating system and app store restrictions, and implementing supplier assessment programs.
A heightened consent
A common theme throughout enforcement and litigation is companies repeatedly failing to obtain informed consent from the users whose information an SDK collected. To settle the finger-pointing between processors and controllers over which one is responsible for obtaining consent, the FTC put forth an answer across its relevant enforcement actions: Both the SDK provider and the app incorporating it must ensure consent is valid.
In the current U.S. privacy landscape, opt-in consent is not required for many data practices. However, as the FTC decreed in a blog post, "Browsing and location data are sensitive. Full stop." Sensitive data, in turn, generally requires consumers to opt in or, under the California Consumer Privacy Act, an option to limit the use and disclosure of that sensitive personal information.
The FTC has trended toward a heightened interpretation of consent resembling that required by the EU General Data Protection Regulation. Failure to obtain this level of consent is where many app and SDK developers fall into regulatory enforcement traps.
The FTC's latest definition of consent, referred to as affirmative express consent, varies slightly from the GDPR's definition but reflects similar principles:
"any freely given, specific, informed and unambiguous indication of an individual consumer's wishes demonstrating agreement by the individual, such as by affirmative action, following Clear and Conspicuous Disclosure to the individual of: (1) the categories of information that will be collected; (2) the purpose(s) for which the information is being collected, used, or disclosed; (3) the hyperlink to a document that describes the types of entities to whom the Covered Information is disclosed; and (4) the hyperlink to a simple, easily-located means by which the consumer can withdraw consent and that Clearly and Conspicuously describes any limitations on the consumer's ability to withdraw consent. The Clear and Conspicuous Disclosure must be separate from any "privacy policy," "terms of service," "terms of use," or other similar document."
The closer the FTC shifts toward GDPR principles, the better privacy pros may analyze transatlantic parallels. To best meet these relatively rigorous consent requirements — and assuage regulatory scrutiny in doing so — companies may rely on existing guidelines and resources. In recent years the principle of consent has been dissected in different contexts, most notably market power, and pressures have begun to align on calling for a holistic reassessment of consent.
Improper disclosure has been a principal issue raised in FTC complaints. In X-Mode and Premom, the failure to inform consumers their location data would be provided to third parties — government contractors for national security purposes and companies based in China, respectively — invalidated consent.
In InMarket, GoodRx and BetterHelp, consent was invalidated by a failure to provide notice that certain personal data, namely location data, would be used for targeted advertising, among other things. App and SDK businesses would be keen to reassess their privacy notices to ensure their disclosures contain the appropriate level of detail.
Likewise, in the Greenley case, the CIPA prohibited the installation or use of a pen register without judicial approval, pending certain exceptions. One such exception permits the use of pen registers or trap-and-trace devices, terms that for now include SDKs and certain other web tracking technologies, when user consent has been obtained. While the court did not venture into consent analysis, analogous federal law and precedent have permitted such an exception. Thus, consent may provide a defense in litigation as well.
Honoring system-level restrictions
The app-user relationship crucially relies on the app's operating system. A user may express privacy preferences through device settings or other privacy-enhancing apps that they expect to be conveyed in interactions in all apps on their device. As such, apps and SDK providers must honor these settings and specifications as if they came directly from the user to the app. Circumvention of those preferences will be treated as unreasonable disregard of consumer choice.
This requirement has been emphasized since the FTC alleged InMobi ignored mobile operating system privacy settings consumers used to opt out of, limit or decline targeted advertising. Even if a consumer denied an app permission to track location data, InMobi wrongfully determined a consumer's location based on connected or nearby Wi-Fi networks anyway.
Apps and SDK providers must likewise abide by app store policy. For example, an SDK incorporated in the Premom app openly collected Wi-Fi MAC addresses in contravention of express restrictions imposed by Apple and Google on developers' access to that information. In recent cases, the FTC expressly stated that disregarding the operating-system-level opt-out on Android phones could constitute a deceptive act or practice.
App stores frequently alter privacy requirements for developers, so close reading and monitoring of platform policies remain a prerequisite for any app.
Notably, in 2021, Apple introduced App Tracking Transparency, requiring apps that collect and share personal data to present users with opt-in consent choices before collection. Later that year, Google followed suit by rolling out its Advertising ID program, "a unique, user-resettable, and user-deletable ID for advertising" that enables users to opt out of sharing the persistent identifier used to serve personalized ads to their device.
Companies have instead relied on other methods of identifying users, such as device fingerprinting, to create their own attribution methods. Many such practices are expressly prohibited by app store terms of use but have remained pervasive, resulting in Apple and Google seeking ways to mandate greater transparency from developers.
For example, in 2023, Apple introduced privacy manifests, a privacy control for SDK developers to communicate data collection and disclosure practices. Apple similarly offers its own system APIs, some of which require developers to attest their reason for gaining access to data.
Beyond rules set by the two main device and app store providers, states have begun to mandate that online services recognize universal opt-out mechanisms such as Global Privacy Control.
UOOMs are technical specifications that signal a user's default opt-out preference to any online service they visit. While for the most part websites have adapted to recognizing UOOMs where required, currently most mobile apps are not technically capable of doing so. Despite the California attorney general's 2023 investigative sweep intent on addressing this gap, the app ecosystem has largely not adapted.
Implement a supplier assessment program
In both X-Mode and InMarket, the FTC prescribed "supplier assessment programs" for SDK providers to implement. The SAPs provide guidance for SDK providers looking to ensure consumers have provided consent for the collection and use of location data obtained through apps incorporating that provider's technology. For apps, verifying that an SDK provider maintains a comprehensive supplier assessment program, and complying with it, can ensure data collection and processing remain above board.
A supplier assessment program operates as an extension of an SDK provider's existing privacy program, geared toward ensuring consumers who use an app incorporating its SDK have provided consent for the collection and use of location data through that SDK. The program should consist of the following features:
- Written documentation of suppliers' consent-management policies and processes.
- Regular assessment of data sharing agreements and apps' privacy policies designed to confirm consumers provide affirmative express consent.
- Controls on sharing or disclosing data when consumers have not provided consent.
SDKs complicate mobile app privacy management and require greater attention paid to consent management and the technical processes that enable app usage. By adhering to existing guidance derived from enforcement, litigation and industry policy — and by following future developments in the area — privacy pros should avoid the kinds of pitfalls that have befallen many SDK providers and users.