Security News > 2020 > January > Apps are sharing more of your data with ad industry than you may think
All of the tested apps share user data with multiple third parties, and all but one share data beyond the device advertising ID, including a user's IP address and GPS position; personal attributes such as gender and age; and app activities such as GUI events.
Though not all of the data transmissions Mnemonic analyzed included excessive personal data such as GPS location, put all of the data together, and you can create detailed pictures of individuals.
How are these data-sharing processes legal? Under the EU's General Data Protection Regulation, organizations are required to ensure that only personal data that are necessary for each specific purpose of the processing are processed, and that personal data must only be processed for specified, explicit, and legitimate purposes.
Data subjects are not informed of how their personal data is shared and used in a clear and understandable way, and there are no granular choices regarding use of data that is not necessary for the functionality of the consumer-facing services.
The industry may well defend its practices on the basis of "Legitimate interests," but the NCC argues that app users "Cannot have a reasonable expectation for the amount of data sharing and the variety of purposes their personal data is used for in these cases."