Inside the Amazon MHMDA Lawsuit: Why Regular App Audits Are Needed To Mitigate Privacy Risk

Amazon is facing a class action lawsuit for allegedly harvesting sensitive user data through the Amazon Ads SDK embedded in thousands of mobile apps. The suit is the first filed under Washington's My Health My Data Act (MHMDA), which went into effect in March 2024. The allegations against Amazon highlight serious concerns about unauthorized data collection and the need for rigorous mobile app auditing. For privacy lawyers and managers, the case is a stark reminder of the risk hidden in SDK behavior and of the importance of continuous oversight, both internally and in anticipation of heightened regulatory scrutiny.
The Details of the Case

The lawsuit alleges that Amazon, via the Amazon Ads SDK, secretly collected detailed information from users' mobile devices without their consent. The key claims are:
- Unauthorized Data Collection: The SDK is accused of covertly gathering precise location data (latitude, longitude, speed, and direction), mobile identifiers (such as advertising IDs and device IDs), and sensitive health data.
- Hidden Operations: Running in the background, the SDK allegedly intercepts real-time communications and stores the data without the user's awareness, bypassing any meaningful consent mechanism.
- Data Monetization: The collected data is allegedly processed in Amazon's data centers and then used to target advertising or sold to third parties, generating substantial revenue at the expense of user privacy.
These alleged practices raise legal concerns and questions about the transparency and governance of SDK integrations in mobile apps.
Mapping the Regulatory Statutes
The lawsuit alleges violations of several key statutes. Here is a concise map of each statute alongside its alleged violation:
| Legal Statute | Alleged Violation |
|---|---|
| My Health My Data Act (MHMDA) | SDK covertly harvests health and location data without consent. |
| Federal Wiretap Act (FWA) | SDK intercepts real-time communications without user awareness. |
| Stored Communications Act (SCA) | SDK stores intercepted communications without permission. |
| Computer Fraud and Abuse Act (CFAA) | SDK exceeds authorized access on mobile devices for data collection. |
| Washington Consumer Protection Act (CPA) | SDK conceals data collection, misleading consumers with a false appearance of transparency. |
Continuous Mobile App Auditing: Challenges & Best Practices
The Challenge for Privacy Teams
For privacy lawyers and managers, ensuring compliance and protecting user data in mobile apps is complex due to several factors:
- Dependency on Engineering Teams: Auditing mobile apps on Android and iOS requires technical expertise that often depends on engineering teams, creating potential bottlenecks.
- Frequent App Updates: Mobile apps are updated frequently. Each update may introduce new SDKs or change data collection practices, making ongoing oversight a significant challenge.
- Implicit Data Flows: Some data flows occur implicitly, especially through third-party SDKs, and may not be clearly documented in the app's privacy policy.
Proactive Oversight from Regulators
Regulators are increasingly scrutinizing mobile app privacy practices. Notably, CNIL, the French data protection authority, is set to audit mobile apps for privacy compliance starting in April 2025. This proactive oversight reinforces the need for robust internal auditing processes. Privacy managers should prepare for these audits by implementing continuous auditing measures that ensure compliance with evolving privacy standards.
Best Practices for Continuous Auditing
- Audit on Every Update: Perform a thorough audit with each app update to promptly identify and address changes in data collection practices.
- Map All SDK Features:
  - Identify Third-Party SDKs: List all SDKs integrated into your apps and understand their purposes.
  - Map Data Flows: Create visual maps of both explicit and implicit data flows so you know where data is collected, stored, and shared externally.
  - Monitor Consent: Ensure consent is always honored by testing each consent action and analyzing data flows against local privacy requirements.
- Map Permissions to Purposes: Ensure every app permission aligns with a clear purpose and that user consent is properly obtained.
- Automate Where Possible: Use mobile app scanning tools to reduce dependency on engineering teams and maintain consistent, automated audits.
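Three of the steps above (audit on every update, identify third-party SDKs, map permissions to purposes) can be started with static checks on the build artifacts, before any runtime data-flow analysis. The script below is an added example, not Privado's App Auditor and not code from Amazon or the lawsuit. The two manifests, the purpose inventory, the dependency list and the ads SDK coordinate (`com.adnetwork.example:ads-sdk`) are all constructed for the demo; the sensitive-permission set is a hand-picked subset of Android's runtime permissions and should be extended for real use.

```python
"""Static privacy audit of an Android build: permission drift between releases,
permissions with no documented purpose, and third-party SDK inventory.

Added example; the manifests, inventory and dependency list are constructed.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed: manifest from the previously audited release.
MANIFEST_V1 = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.shop">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
</manifest>"""

# Constructed: manifest after an update that pulled in an ads SDK, which
# merged its own permission requests into the app manifest.
MANIFEST_V2 = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.shop">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.ACCESS_BACKGROUND_LOCATION"/>
  <uses-permission android:name="com.google.android.gms.permission.AD_ID"/>
</manifest>"""

# Hypothetical purpose inventory kept by the privacy team:
# permission -> (documented purpose, explicit consent required?)
PURPOSE_INVENTORY = {
    "android.permission.INTERNET": ("core networking", False),
    "android.permission.ACCESS_FINE_LOCATION": ("store locator", True),
}

# Subset of Android permissions that expose personal data; extend as needed.
SENSITIVE = {
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACCESS_COARSE_LOCATION",
    "android.permission.ACCESS_BACKGROUND_LOCATION",
    "android.permission.READ_CONTACTS",
    "android.permission.BODY_SENSORS",
    "com.google.android.gms.permission.AD_ID",
}

# Constructed Gradle-style dependency coordinates for the updated build.
DEPENDENCIES_V2 = [
    "androidx.core:core-ktx:1.13.1",
    "com.example.shop:payments:4.2.0",
    "com.adnetwork.example:ads-sdk:3.1.0",  # hypothetical third-party ads SDK
    "com.google.android.gms:play-services-ads-identifier:18.0.1",
]
FIRST_PARTY_GROUPS = {"com.example.shop"}
PLATFORM_GROUPS = {"androidx", "com.android", "org.jetbrains"}


def declared_permissions(manifest_xml: str) -> set[str]:
    """Return the set of <uses-permission android:name=...> values."""
    root = ET.fromstring(manifest_xml)
    return {el.get(f"{{{ANDROID_NS}}}name") for el in root.iter("uses-permission")}


def permission_drift(old_xml: str, new_xml: str) -> dict[str, set[str]]:
    """Diff the permission sets of two releases: what an update added or removed."""
    old, new = declared_permissions(old_xml), declared_permissions(new_xml)
    return {"added": new - old, "removed": old - new}


def audit_purposes(manifest_xml: str, inventory: dict) -> list[tuple[str, str]]:
    """Flag every declared permission with no documented purpose.
    A sensitive permission without a purpose is a HIGH finding."""
    findings = []
    for perm in sorted(declared_permissions(manifest_xml)):
        if perm in inventory:
            continue
        findings.append(("HIGH" if perm in SENSITIVE else "LOW", perm))
    return findings


def third_party_sdks(coordinates: list[str]) -> list[str]:
    """Keep dependencies whose Maven group is neither first-party nor platform."""
    kept = []
    for coord in coordinates:
        group = coord.split(":")[0]
        platform = any(group == g or group.startswith(g + ".") for g in PLATFORM_GROUPS)
        if group in FIRST_PARTY_GROUPS or platform:
            continue
        kept.append(coord)
    return kept


if __name__ == "__main__":
    drift = permission_drift(MANIFEST_V1, MANIFEST_V2)
    print("permissions added by update:", sorted(drift["added"]))
    for severity, perm in audit_purposes(MANIFEST_V2, PURPOSE_INVENTORY):
        print(f"[{severity}] {perm}: no documented purpose")
    print("third-party SDKs to review:", third_party_sdks(DEPENDENCIES_V2))
```

Run against the constructed update, the drift check reports two permissions the previous audit never saw (background location and the advertising ID), the purpose audit rates both HIGH because nobody in the privacy team documented a purpose for them, and the dependency filter narrows the review list to the two non-platform, non-first-party SDKs that most likely introduced them. This is the cheap, repeatable part of an audit; confirming what the SDK actually transmits still needs runtime traffic inspection.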
Introducing Privado’s App Auditor Solution
Privado’s App Auditor solution is designed to simplify continuous auditing and help privacy managers meet both internal and regulatory compliance standards. Here is what it offers:
- Continuous Auditing: Automatically scan your mobile apps on every update to detect hidden data flows and unauthorized SDK behaviors.
- SDK Identification: Quickly identify all third-party SDKs and understand their data collection purposes.
- Data Flow Mapping: Visualize both explicit and implicit data flows, ensuring you know where data is collected, stored, and transmitted.
- Consent Monitoring: Run checks for each privacy law applicable in the user's jurisdiction to verify that every data flow is compliant with the consent action the user actually took.
- Permission Mapping: Align app permissions with their intended purposes to ensure that user consent is properly processed.
- Regulatory Readiness: With regulators like CNIL ramping up their audits starting in April 2025, Privado helps ensure your apps meet the latest privacy compliance standards.
By integrating Privado's platform into your privacy compliance strategy, you can significantly reduce the risk of unauthorized data processing, build trust with your users, and cut down on manual compliance work.
Key Takeaways
The Amazon MHMDA lawsuit is a wake-up call. With regulators like CNIL set to audit mobile apps for privacy compliance, proactive oversight is more critical than ever. Leverage comprehensive product privacy management platforms like Privado to map all third-party SDK features, continuously monitor data flows, and ensure that user consent is clear and properly processed.
Protect your organization and your users by making every update an opportunity to enhance privacy compliance and build trust. Let the lessons from the Amazon lawsuit serve as a reminder: continuous vigilance is the key to reducing legal risk in an increasingly privacy-centric world.

Prashant is the CTO & Founder of Privado