Does Your App Use Third-Party Services? They Could End Up Costing You Millions

Written by Erik Episcopo on August 23 2017 in App Business

Does Your App Use Third-Party Services? They Could End Up Costing You Millions

This article is written by Erik Episcopo from Termly. Make sure to check out their awesome policy generators, legal templates and tools!

If you have an app or are currently in the process of developing one, then you know how useful third-party services can be when it comes to delivering a high-quality product. But, do you know how your third-party partners operate and what information they can access from your users?

Disney didn’t, and now they are facing a lawsuit that could cost them millions.

While third-party services are nothing new for mobile apps and are in most cases a necessary component for optimizing their functionality, the class action lawsuit facing Disney should be a reminder to app developers that their third-party vendors could also be putting them at risk.

Disney is currently being sued for violating COPPA, a privacy protection law that sets strict requirements for businesses that collect personal information from children 13 and younger. Allegedly, 42 of Disney’s apps contain embedded third party software that tracks, collects, and discloses user information without parental consent.

Considering that the maximum fine for violating COPPA is just over $40,000 per user and that Disney’s apps have millions of users – the majority being children – Mickey Mouse could be facing tens of millions of dollars in penalties.

How do you protect your app and ensure your user’s privacy? Let’s find out in this article.

  1. Are You Responsible For Third-Party Software In Your Apps?
  2. What Does This Mean For Your App?
  3. 4 Tips To Managing Third-Party Risks
  4. Further Reading

Are You Responsible For Third-Party Software In Your Apps?

Yes. In 2013, the FTC amended COPPA to cover the data collection practices of third-party services. Therefore, regardless if you are aware of how they use data or not, your app is still liable for any data third parties track or collect.

On the FTC’s COPPA FAQ page, they state:

“As the operator of a child-directed app, you must conduct an inquiry into the information collection practices of every third party that can collect information via your app. You need to determine each third party’s information collection practices so that you can make an informed decision as to whether its presence on your app will require you to give parents notice and obtain their consent prior to their collection of personal information from children.”

Disney is not the only company to have been caught in violation of COPPA. Several companies have suffered the consequences:

Learn how to build iOS apps

Get started with iOS 12 and Swift 5

Sign up for our iOS development course Zero to App Store and learn how to build professional iOS 12 apps with Swift 5 and Xcode 10.

What Does This Mean For Your App?

The first thing you should do is ask yourself the following:

1. Does my app embed third-party software?

These days it’s almost impossible to build a complete app without integrating some external services. Some common reasons you might need to use a third-party service:

  • For advertising, like AdMob and DoubleClick. Despite Do-Not-Track (DNT) and Apple’s IDFA, ad networks still gather a great deal of information on user behavior.
  • For payment processing, like Stripe or PayPal. Payment processors often need personal information, for instance to combat fraud, and collect payment information.
  • For analytics, like with Google Analytics, Kissmetrics or Firebase. The sole purpose of analytics is to collect user behavior, but you still have a responsibility to make sure this happens in a legal manner.
  • For crash reporting, like with Crashlytics. It may look innocent, but crash reporting tools track many different data points about user devices and usage.

Third-party software doesn’t need to be embedded directly in your app, it can also serve an auxilary role. For instance, sending emails with Sendgrid, storing user data with a Parse back-end, or posting to social media with a plugin.

2. Do any of the third parties that I work with — affiliates, vendors, partners, contractors — track or collect my users’ personal information?

Under COPPA, the following are considered personal information:

  • Personal information like name, date of birth, physical address, phone numbers, geolocation and email address
  • User data like photos, audio files, hobbies, interests and screennames
  • Persistent identifiers, like cookies that follow you around and identify you during subsequent user sessions

3. Am I completely in the dark when it comes to my third-party partners’ data collection methods?

If the answer to any of the above questions is ‘Yes’, then you might already be in violation of COPPA and other Internet privacy laws. However, you are not alone; nearly every app uses them and 70% of smartphone apps report personal data to third parties.

Learn how to code your own iOS apps by mastering Swift 5 and Xcode 10 » Find out how

4 Tips To Manage Third-Party Risks

Deciding which third-party service providers to work with is an underratedly crucial business decision. Many online businesses still overlook the due diligence that is required.

A study done by the Ponemon Institute found that “60 percent of respondents said their companies still do not monitor the security and privacy practices of vendors with whom they share sensitive or confidential information.”

Don’t put yourself in the same position that Disney is in. Instead, mitigate your risk and follow the tips below before engaging with any external services.

1. Read The Privacy Policy

Before you engage in any type of partnership with a third-party service you should always review their privacy policies. A privacy policy is a legal document that websites and apps must have if they collect personal information from users. This document will outline all the kinds of information a website gathers and the methods it uses to track and collect that information.

When reviewing a privacy policy, make sure you have a complete understanding of how the third party treats data they receive from your app. Make sure you know if they store that data, integrate it with other services, or even sell it.

However, if their privacy policy is not clear, or you still have questions about their data collection practices, then you should…

2. Contact The Third Party Directly

In some cases, reading a privacy policy simply might not be enough to fully comprehend how a third-party operates, especially if it’s written with an abundance of legalese.

In this case, call or email the third party to request the nitty-gritty details. Some companies even send a due diligence questionnaire before working with third parties to help ensure they meet all of COPPA’s strict requirements.

Inquire as to whether they are aware of COPPA and if they comply with all the guidelines.

3. Outline Privacy Responsibilities In The Contract

Before signing an agreement with a third-party service, the treatment of user data should be clearly specified.

Stipulating that the third party meet all compliance requirements according to state and federal laws as well as industry standards in your contract will help serve as an assurance of how the party treats personal information.

Including these details in the contract will also help protect your app when the third party is found to have been irresponsible with their collection of user information and will serve as evidence that they violated the contract.

Note: As an app developer you’re likely using a number of “free” tools or product tiers, like Firebase, Heroku and Google Analytics. Because it’s a free tool, you might think you don’t have a “contract” with them, but you definitely have an agreement. This article applies to those “free” agreements, too!

4. Periodically Audit The Operations Of Third Parties

Protecting yourself from third-party risks doesn’t stop after the contract has been signed.

In order to fully comply with COPPA, the FTC also states that:

“You must use reasonable means, such as periodic monitoring, to confirm that any service providers or third parties with which you share children’s personal information maintain the confidentiality and security of that information.”

Schedule regular audits of your third-party services. Those that you feel are higher risk should be done quarterly, while those that are seen as being less risky can be done biannually or annually.

If doing the monitoring on your own seems like too much of a hassle, you can consider hiring an auditing firm, employing a COPPA compliance service, or using a third-party tracker like Lumen.

Further Reading

It’s easy to overlook the minute details when launching and running an app-based business, but the operation of a third-party service provider is simply not one that you can afford to ignore.

Follow the tips in this article and help protect your business from third-party risks. Got questions? Leave a comment!

Want to learn more? Check out these resources:

Enjoyed this article? Please share it!

Erik Episcopo

Erik Episcopo

Erik Episcopo is a product manager and small business expert at, a company that helps other websites and apps create compliant legal policies. Erik works with a team of lawyers and online legal specialists to ensure that online business owners create policies that are up to date with all state, federal, and international laws.