Does Your App Use Third-Party Services? They Could End Up Costing You Millions
This article is written by Erik Episcopo from Termly. Make sure to check out their awesome policy generators, legal templates and tools!
If you have an app or are currently in the process of developing one, then you know how useful third-party services can be when it comes to delivering a high-quality product. But, do you know how your third-party partners operate and what information they can access from your users?
Disney didn’t, and now they are facing a lawsuit that could cost them millions.
While third-party services are nothing new for mobile apps and are in most cases a necessary component for optimizing their functionality, the class action lawsuit facing Disney should be a reminder to app developers that their third-party vendors could also be putting them at risk.
Disney is currently being sued for violating COPPA, a privacy protection law that sets strict requirements for businesses that collect personal information from children 13 and younger. Allegedly, 42 of Disney’s apps contain embedded third-party software that tracks, collects, and discloses user information without parental consent.
Considering that the maximum fine for violating COPPA is just over $40,000 per user and that Disney’s apps have millions of users – the majority being children – Mickey Mouse could be facing tens of millions of dollars in penalties.
How do you protect your app and ensure your user’s privacy? Let’s find out in this article.
- Are You Responsible For Third-Party Software In Your Apps?
- What Does This Mean For Your App?
- 4 Tips To Managing Third-Party Risks
- Further Reading
Are You Responsible For Third-Party Software In Your Apps?
Yes. In 2013, the FTC amended COPPA to cover the data collection practices of third-party services. Therefore, regardless of whether you are aware of how they use data, your app is still liable for any data that third parties track or collect.
On the FTC’s COPPA FAQ page, they state:
“As the operator of a child-directed app, you must conduct an inquiry into the information collection practices of every third party that can collect information via your app. You need to determine each third party’s information collection practices so that you can make an informed decision as to whether its presence on your app will require you to give parents notice and obtain their consent prior to their collection of personal information from children.”
Disney is not the only company to have been caught in violation of COPPA. Several companies have suffered the consequences:
- In December 2014, the Chinese company, BabyBus, was suspended by Google from Google Play because a third-party plugin was collecting geolocation data from its users.
- In June 2016, InMobi, a mobile advertising company, was fined over $900,000 because the FTC alleged that the software development kit that it offered to app developers collected geolocation data without the consent of developers or users.
- In September 2016, New York’s attorney general fined Hasbro and Viacom because one of their third-party advertisers was tracking users’ persistent identifiers.
What Does This Mean For Your App?
The first thing you should do is ask yourself the following:
1. Does my app embed third-party software?
These days it’s almost impossible to build a complete app without integrating some external services. Some common reasons you might need to use a third-party service:
- For advertising, like AdMob and DoubleClick. Despite Do-Not-Track (DNT) and Apple’s IDFA, ad networks still gather a great deal of information on user behavior.
- For payment processing, like Stripe or PayPal. Payment processors often need personal information, for instance to combat fraud, and collect payment information.
- For analytics, like with Google Analytics, Kissmetrics or Firebase. The sole purpose of analytics is to collect user behavior, but you still have a responsibility to make sure this happens in a legal manner.
- For crash reporting, like with Crashlytics. It may look innocent, but crash reporting tools track many different data points about user devices and usage.
Third-party software doesn’t need to be embedded directly in your app; it can also serve an auxiliary role. For instance, sending emails with Sendgrid, storing user data with a Parse back-end, or posting to social media with a plugin.
2. Do any of the third parties that I work with — affiliates, vendors, partners, contractors — track or collect my users’ personal information?
Under COPPA, the following are considered personal information:
- Personal information like name, date of birth, physical address, phone numbers, geolocation and email address
- User data like photos, audio files, hobbies, interests and screen names
- Persistent identifiers, like cookies that follow you around and identify you during subsequent user sessions
3. Am I completely in the dark when it comes to my third-party partners’ data collection methods?
If the answer to any of the above questions is ‘Yes’, then you might already be in violation of COPPA and other Internet privacy laws. However, you are not alone: nearly every app uses third-party services, and 70% of smartphone apps report personal data to third parties.
4 Tips To Managing Third-Party Risks
Deciding which third-party service providers to work with is an underrated but crucial business decision. Many online businesses still overlook the due diligence that is required.
A study done by the Ponemon Institute found that “60 percent of respondents said their companies still do not monitor the security and privacy practices of vendors with whom they share sensitive or confidential information.”
Don’t put yourself in the same position that Disney is in. Instead, mitigate your risk and follow the tips below before engaging with any external services.
2. Contact The Third Party Directly
In this case, call or email the third party to request the nitty-gritty details. Some companies even send a due diligence questionnaire before working with third parties to help ensure they meet all of COPPA’s strict requirements.
Inquire as to whether they are aware of COPPA and if they comply with all the guidelines.
3. Outline Privacy Responsibilities In The Contract
Before signing an agreement with a third-party service, the treatment of user data should be clearly specified.
Stipulating in your contract that the third party must meet all compliance requirements under state and federal law, as well as industry standards, gives you an assurance of how the party treats personal information.
Including these details in the contract will also help protect your app if the third party is found to have been irresponsible with its collection of user information, since the contract will serve as evidence that they violated its terms.
Note: As an app developer you’re likely using a number of “free” tools or product tiers, like Firebase, Heroku and Google Analytics. Because it’s a free tool, you might think you don’t have a “contract” with them, but you definitely have an agreement. This article applies to those “free” agreements, too!
4. Periodically Audit The Operations Of Third Parties
Protecting yourself from third-party risks doesn’t stop after the contract has been signed.
In order to fully comply with COPPA, the FTC also states that:
“You must use reasonable means, such as periodic monitoring, to confirm that any service providers or third parties with which you share children’s personal information maintain the confidentiality and security of that information.”
Schedule regular audits of your third-party services. Those that you feel are higher risk should be done quarterly, while those that are seen as being less risky can be done biannually or annually.
If doing the monitoring on your own seems like too much of a hassle, you can consider hiring an auditing firm, employing a COPPA compliance service, or using a third-party tracker like Lumen.
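A periodic audit starts with knowing exactly which third-party SDKs the current build embeds and what has changed since the last review. The script below is an added example, not code from the article or from Termly: it parses the top-level entries of a CocoaPods `Podfile.lock`, tags each pod with the data-collection category the article lists (advertising, analytics, crash reporting, payment processing), and diffs the result against the inventory approved at the previous audit so that new or upgraded SDKs get flagged for review. The `Podfile.lock` contents, version numbers, the `CATEGORY_HINTS` table and the `LAST_REVIEWED` inventory are all constructed sample data; in practice the category table comes from your own vendor inquiry.

```python
"""Inventory the third-party pods an iOS app embeds and diff the result
against the inventory approved at the last audit (added example)."""
import re
from typing import Dict, List

# Constructed sample Podfile.lock; not taken from any real project.
# Only the two-space-indented entries under PODS: are top-level pods;
# their sub-dependencies are indented further and are skipped.
SAMPLE_PODFILE_LOCK = """\
PODS:
  - Crashlytics (3.13.4):
    - Fabric (~> 1.10.2)
  - Fabric (1.10.2)
  - Firebase/Analytics (6.5.0):
    - Firebase/CoreOnly
    - FirebaseAnalytics (= 6.1.0)
  - Firebase/CoreOnly (6.5.0):
    - FirebaseCore (= 6.2.0)
  - FirebaseAnalytics (6.1.0)
  - FirebaseCore (6.2.0)
  - Google-Mobile-Ads-SDK (7.47.0)
  - Stripe (16.0.0)

DEPENDENCIES:
  - Crashlytics
  - Firebase/Analytics
  - Google-Mobile-Ads-SDK
  - Stripe

SPEC CHECKSUMS:
  Crashlytics: 0000000000000000000000000000000000000000

PODFILE CHECKSUM: 0000000000000000000000000000000000000000

COCOAPODS: 1.7.5
"""

# Hypothetical pod-to-category table (assumption): the categories are the
# ones the article names; the assignments are what your vendor review found.
CATEGORY_HINTS = {
    "Google-Mobile-Ads-SDK": "advertising",
    "Firebase/Analytics": "analytics",
    "FirebaseAnalytics": "analytics",
    "Crashlytics": "crash reporting",
    "Stripe": "payment processing",
}

# Constructed inventory as recorded at the previous audit (assumption).
LAST_REVIEWED = {
    "Crashlytics": "3.13.4",
    "Fabric": "1.10.2",
    "Firebase/Analytics": "6.4.0",
    "Firebase/CoreOnly": "6.4.0",
    "FirebaseAnalytics": "6.0.0",
    "FirebaseCore": "6.1.0",
    "Stripe": "16.0.0",
}

# Matches "  - Name (version)" with exactly two leading spaces, i.e. a
# top-level pod; deeper indentation (sub-dependencies) does not match.
_POD_LINE = re.compile(r"^  - (?P<name>\S+) \((?P<version>[^)]+)\)")


def parse_pods(lock_text: str) -> Dict[str, str]:
    """Return {pod name: resolved version} for every top-level PODS entry."""
    pods: Dict[str, str] = {}
    in_pods = False
    for line in lock_text.splitlines():
        if line.startswith("PODS:"):
            in_pods = True
            continue
        if in_pods and line and not line.startswith(" "):
            break  # reached the next top-level section (DEPENDENCIES:, ...)
        match = _POD_LINE.match(line) if in_pods else None
        if match:
            pods[match.group("name")] = match.group("version")
    return pods


def categorize(pods: Dict[str, str], hints=CATEGORY_HINTS) -> Dict[str, str]:
    """Tag each pod with its review category; anything unknown is 'unreviewed'."""
    return {name: hints.get(name, "unreviewed") for name in pods}


def diff_inventory(previous: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Pods added, removed or upgraded since the last approved inventory."""
    added = sorted(set(current) - set(previous))
    removed = sorted(set(previous) - set(current))
    changed = sorted(n for n in set(current) & set(previous) if previous[n] != current[n])
    return {"added": added, "removed": removed, "changed": changed}


def audit_report(lock_text: str = SAMPLE_PODFILE_LOCK, previous=LAST_REVIEWED) -> dict:
    """Full report: current pods, their categories, and the delta to review."""
    current = parse_pods(lock_text)
    return {"pods": current, "categories": categorize(current),
            "delta": diff_inventory(previous, current)}


if __name__ == "__main__":
    report = audit_report()
    for name, version in sorted(report["pods"].items()):
        print(f"{name:26} {version:9} {report['categories'][name]}")
    print("since last review:", report["delta"])
```

Anything in `added` or `changed` is what the next audit cycle has to look at: a newly added advertising SDK needs the COPPA inquiry from tip 2 before it ships, and an upgraded analytics SDK may have changed what it collects. Pods tagged `unreviewed` are the ones for which the inquiry has not been done yet.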
It’s easy to overlook the minute details when launching and running an app-based business, but the operation of a third-party service provider is simply not one that you can afford to ignore.
Follow the tips in this article and help protect your business from third-party risks. Got questions? Leave a comment!
Further Reading
Want to learn more? Check out these resources:
- The Children’s Online Privacy Protection Act (COPPA): How to Comply and Avoid Legal Penalties
- How to Choose the Right Tech Stack for Your App
- Avoid These Common iOS App Dev Mistakes