Best Practices

How Privado continuously audits app SDKs and ensures compliance

Ben Werner
June 28, 2024

Consent compliance on mobile apps is often overlooked compared to websites, but that may change after the latest fine for violating the California Consumer Privacy Act (CCPA). 

On June 18, 2024, the California Attorney General announced a $500,000 settlement with Tilting Point Media for violating both the CCPA and COPPA (Children’s Online Privacy Protection Act). This settlement represents a major enforcement action for data privacy in the US; it is just the third CCPA fine since the law went into effect in 2020.  

The California Attorney General found that Tilting Point’s popular mobile app game “SpongeBob: Krusty Cook-Off” collected and shared children’s personal data without parental consent due to Tilting Point’s inadvertent misconfiguration of third-party software development kits (SDKs). 

As part of the settlement, Tilting Point must “implement and maintain an SDK governance framework to review the use and configuration of SDKs within its apps”.

Privado’s privacy code scanning solution offers the unique ability to continuously monitor and govern personal data flows from apps to third-party SDKs. 

With Privado, privacy teams can monitor consent, see each personal data element shared with which SDKs, and put in automated safeguards to prevent non-compliance. 

Just like websites, mobile apps and any other type of app for that matter (tablet, desktop, connected TV, console, etc.) must comply with data sharing restrictions from GDPR in the EU and CCPA/CPRA, COPPA, HIPAA, the FTC, and other state laws in the US. In summary, apps must obtain proper consent according to their applicable regulations before sharing personal data with third parties. 

In general, most privacy teams lack visibility and governance over personal data shared with third parties due to a reliance on manual processes. This is especially true for data shared from apps to third-party SDKs. 

If privacy teams are even notified about a new third-party SDK, they typically require the engineering or product team to complete a privacy questionnaire before the SDK can be approved. Because the implementation and functionality of SDKs are more complex than those of their pixel counterparts on the web, it is more difficult to properly configure SDKs and manually assess their compliance.

With Privado, privacy teams don’t have to rely on manual assessments. Before each app update, Privado can scan the app’s code to detect:

  • Any new SDKs integrated with the app 
  • Any new personal data elements shared with an SDK
  • Any SDKs not honoring consent banners

This approach enables privacy teams to implement an SDK governance framework that programmatically prevents risks from non-compliant SDKs before they go live. 

Additionally, Privado leverages the same information from its code scans to automate the privacy reports required for Apple App Store and Google Play Store approval: Apple Privacy Manifest, Apple Privacy Nutrition Labels, and Google Data Safety Form.

What are SDKs and why are they difficult to audit?

SDKs, or software development kits, are software packages developers commonly use to build features and implement third-party solutions within a mobile app. SDKs are also commonly used in apps for web, tablets, connected TV, etc. 

All SDKs should be audited for how they process personal data, but advertising third-party SDKs represent the biggest privacy risk. Marketing teams need to implement SDKs from partners like Meta and AppsFlyer to measure their marketing campaigns and build retargeting audiences. 

Once implemented, all advertising SDKs are designed to automatically collect each user’s device ID and advertising ID so they can attribute marketing campaigns to standard app events like installs, app opens, and in-app purchases. These SDKs are commonly configured to collect additional in-app event data and personal data.

In addition to advertising SDKs, privacy teams should also closely monitor third-party SDKs for analytics, payments, and customer engagement (e.g., push notifications). 

SDKs by nature are more difficult for engineering teams to configure and for privacy teams to assess. SDKs are packages of proprietary code written by your third-party partner. SDKs must be implemented and configured by engineers; marketing teams don’t have the ability to modify SDK configurations in a user interface like they often can with pixels and tag managers for websites. 

To ensure privacy compliance, third-party SDKs typically need to be modified to prevent certain data from being shared from certain people (e.g., ages under 13) in certain situations (e.g., consent opt-outs).

Without a solution like Privado scanning how SDKs’ code is moving data, privacy teams must rely on engineers to make the necessary privacy-compliant modifications to a software package their team did not write. As a result, engineers might misconfigure the SDK because they don’t understand the SDK or the privacy requirements. Even if engineers fill out a privacy assessment questionnaire as a check on their work, questionnaires may be completed inaccurately or only done prior to implementation, in the software design phase.

Instead of relying on engineers to manually review the SDKs’ code or to accurately communicate privacy requirements to third parties when requesting their assistance, Privado can automatically scan the app’s code to definitively determine how SDKs are implemented and flag any non-compliant data flows.

How Privado ensures consent compliance for mobile apps 

Automates SDK audits

To ensure data shared from apps is consent compliant, each app (iOS and Android) should undergo an SDK audit with the following outputs: 

  • List of all third-party SDKs integrated with the mobile app
  • Data flows showing all personal data elements going to which SDKs 
  • Tests for each SDK showing that data sharing honors users’ consent  

A list of the third-party SDKs for each app would be fairly easy to gather by simply asking any developer that works on the app to do a quick query. However, maintaining an up-to-date SDK list over time is still a challenge.

Conversely, the other two outputs would be very difficult to gather without privacy code scanning. 

If developers are asked to document data flows to SDKs and test consent compliance, they either have to manually review the code of each SDK implementation and/or ask the third-party vendor for help. This manual process wastes hours of valuable engineering time and is prone to errors. 

Once data flows are documented, privacy teams then need to manually evaluate them against their privacy policies to flag violations such as sensitive health data sharing. 

With Privado, privacy teams can fully automate SDK audits and prevent any privacy risks from slipping through the cracks. 

By scanning each mobile app’s entire codebase in a matter of hours, Privado will automatically identify all third-party SDKs, map all data flows, test consent compliance, and identify violations against your privacy policies.

In the process, Privado will automatically categorize all data elements shared, tagging those that are sensitive for your organization such as health, financial, and location data. 

To identify privacy violations, privacy teams can leverage out-of-the-box policy workflows for key regulations such as GDPR, CPRA/CCPA, etc. as well as create custom workflows tailored for their privacy requirements.    

To see the SDK audit capabilities in action, the following three Privado screenshots show a list of third-party SDKs, data elements and flows, and a privacy violation identified from a scan on an open-source mobile app.  

Screenshot 1: List of third-party app SDKs

Screenshot 2: Personal data elements and flows to SDKs

Screenshot 3: Privacy risk example

Implements programmatic SDK governance framework

In addition to a comprehensive SDK audit, an SDK governance framework is needed to ensure all new SDKs or changes to existing SDKs are compliant. As part of the most recent CCPA fine, the California Attorney General ordered that Tilting Point must “implement and maintain an SDK governance framework to review the use and configuration of SDKs within its apps”. 

Before any third-party SDK implementation begins, privacy teams should include questions regarding data sharing to SDKs in their third-party risk assessments and privacy impact assessments (PIAs) done in the software development design phase, i.e., Privacy by Design assessments. 

Even with such a process in place, it’s possible for new SDKs to circumvent these assessments. Many third-party SDKs, including advertising SDKs, can be implemented and tested for free, without any contract in place. Marketing teams especially like to move fast and test out vendors. They might make SDK implementation requests to the engineering team not knowing the privacy assessment requirements or thinking they don’t apply when testing out a vendor. 

Changes to existing SDKs would be even more likely to circumvent these privacy assessments because they wouldn’t involve a new vendor and may not be part of the traditional software design and development process. 

Privado can implement a programmatic SDK governance framework that both ensures the proper assessments are done prior to SDK implementation and that SDKs are implemented according to your compliance requirements. 

In addition to integrating with your source code management tool to run full SDK audits, Privado also integrates with CI/CD (Continuous Integration / Continuous Deployment) tools that manage the code review and code release process, i.e., launching app updates. By integrating with your CI/CD, Privado can run automated privacy checks each time new code is submitted for review and before each release. 

Therefore, when a developer submits code with a new SDK, Privado can automatically request that the required third-party risk assessment or PIA is submitted before the SDK is approved for release. 

If a privacy violation is detected in the new SDK or in a change to an existing SDK, Privado can immediately provide remediation guidance to the developer and alert the privacy team. 
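As an added illustration (not Privado’s code), the check below shows the kind of CI gate described above, run over an Android build.gradle dependency block: each declared dependency is compared against an inventory of SDKs the privacy team has already reviewed, and a new SDK, an SDK whose assessment is not approved, or a version change to a reviewed SDK produces a finding that fails the job until the assessment is on file. The Gradle fragment, the inventory and its status values are constructed sample data.

```python
"""Added example (not Privado's code): a CI gate over an Android dependency
list that flags new third-party SDKs lacking an assessment and version
changes to reviewed SDKs, so release is blocked until review is on file."""
import re

# Constructed sample: a fragment of an Android build.gradle dependency block.
GRADLE_DEPS = """
dependencies {
    implementation 'com.facebook.android:facebook-android-sdk:16.3.0'
    implementation "com.appsflyer:af-android-sdk:6.12.2"
    implementation 'com.squareup.okhttp3:okhttp:4.12.0'
    implementation 'com.example.push:engage-sdk:2.0.0'
}
"""

# Constructed inventory of SDKs the privacy team has already reviewed:
# Maven group -> assessment status and the version that was reviewed.
SDK_INVENTORY = {
    "com.facebook.android": {"pia": "approved", "version": "16.3.0"},
    "com.appsflyer": {"pia": "approved", "version": "6.11.0"},
    "com.squareup.okhttp3": {"pia": "approved", "version": "4.12.0"},
}

# Matches `implementation 'group:artifact:version'` (single or double quotes).
DEP_RE = re.compile(r"""\b(?:implementation|api)\s+['"]([^:'"]+):([^:'"]+):([^'"]+)['"]""")

def parse_gradle_deps(text):
    """Return (group, artifact, version) tuples from a Gradle dependency block."""
    return [m.groups() for m in DEP_RE.finditer(text)]

def audit_sdks(deps, inventory):
    """Compare declared dependencies against the reviewed-SDK inventory."""
    findings = []
    for group, artifact, version in deps:
        name = f"{group}:{artifact}"
        entry = inventory.get(group)
        if entry is None:
            findings.append(("NEW_SDK", name, "no third-party risk assessment or PIA on file"))
        elif entry["pia"] != "approved":
            findings.append(("UNAPPROVED_SDK", name, f"assessment status: {entry['pia']}"))
        elif entry["version"] != version:
            findings.append(("SDK_CHANGED", name, f"reviewed {entry['version']}, now {version}"))
    return findings

if __name__ == "__main__":
    results = audit_sdks(parse_gradle_deps(GRADLE_DEPS), SDK_INVENTORY)
    for kind, name, detail in results:
        print(f"{kind}: {name} ({detail})")
    raise SystemExit(1 if results else 0)  # non-zero exit fails the CI job
```

A real scan would also cover Podfile and Swift Package manifests for iOS and would look at how each SDK is initialised and called, not only whether it is declared.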

With Privado in place, developers will be enabled to prevent risks before they start, and privacy teams will have real-time visibility and governance over data flows to third-party SDKs. 

Key takeaways

  • Increased privacy regulation and enforcement is putting new pressure on privacy teams to ensure both websites and mobile apps do not share personal data without proper consent. On June 18, 2024, the California Attorney General fined Tilting Point Media $500,000 for violating both CCPA and COPPA by sharing personal data without proper consent from their mobile app due to misconfiguration of third-party SDKs.
  • The manual assessments privacy teams use to monitor personal data shared from mobile apps to third-party SDKs have proven inadequate. Manual assessments do not provide sufficient data visibility or ensure third-party SDKs are configured in a privacy-compliant manner.
  • With Privado, privacy teams don’t have to rely on manual assessments. Privado can fully automate SDK audits and eliminate privacy risks. By scanning the code running mobile apps, Privado automatically detects all third-party SDKs, identifies all personal data elements going to which SDKs, tests each SDK for consent compliance, and flags any violations against applicable regulations and internal privacy policies.
  • To prevent future risks, Privado can implement a programmatic SDK governance framework that both ensures the proper assessments are done prior to SDK implementation and that SDKs are implemented according to your compliance requirements.

Learn more about our unique approach to preventing non-compliant data sharing, which we call digital tracking governance, here.


Ben leads product marketing at Privado
