In our introductory post, “If You Think Data is the Wild West, You’re Doing it Wrong,” we emphasized the important role a compliance program plays in a successful company’s data strategy. This is particularly true for banks and investment firms, many of which have increased their use of “alternative” data sets (also simply called alt data) to provide unique and timely insights into investment opportunities. To meet demand for alt data, a robust “alt data industry” has sprung up over the past decade that leverages “non-traditional” data sources to generate these unique and timely insights, which are used by financial firms to become more informed and make better investment decisions. Some alt data strategies that have been popularized include using satellite imagery to track how full retailers’ parking lots are or how many cars an auto manufacturer has produced or sold, and using transaction data to predict the performance of popular consumer-facing services.
The reality is that mere reliance on quarterly reports and other public statements to inform investment decisions is outdated and has rapidly been replaced with complex models that rely on myriad alt data sources in conjunction with traditional ones.
However, these alt data sources must be compliant with the strict securities and privacy laws, regulations, and rules to which financial firms are required to adhere. Critically, financial firms are prohibited from using material, nonpublic information (“MNPI” or simply “insider information”) to inform investment decisions. The reason is simple. Trading public company stock or other securities using MNPI violates securities law, and the civil and criminal penalties for doing so can be severe. The SEC has rules governing the use of service providers, such as alt data providers, that specifically require financial firms to “review each service provider’s overall compliance program for compliance with the federal securities laws and should ensure that service providers are complying with the firm’s specific policies and procedures.”
At Sensor Tower, we understand that providing alt data to financial firms requires an extra level of scrutiny. Below, we outline some core items related to data sources and data methodology, unique to the mobile app space, that financial firms should consider asking their data vendors about when performing the required diligence.
Mobile data vendors generally receive data from two different sources: first-party data sources and third-party data sources. As the name implies, a first-party data source reflects information that the data vendor itself collects and processes and a third-party data source reflects information that the data vendor receives from a third party. The process for vetting a first-party data source versus a third-party data source can vary.
With a first-party data source, since the data vendor is doing the collection itself, a compliance program should consider verifying the following:
What data is collected and whether the data includes any sensitive information, such as personal, financial, health-related, confidential, or other information;
Whether the collected data includes confidential information including, for example, potential MNPI and, if so, the nature and purpose for the collection of that confidential information, and specifically that no confidential information is ever provided via the data vendor’s services; and
Whether the collected data includes other types of sensitive information and, if so, that the data vendor is in compliance with applicable laws in the collection of that information.
Further, the manner in which the first-party data is being collected should also be evaluated. For example, if the data vendor is scraping information from other sites, a compliance program should consider asking specific questions regarding the vendor’s scraping policy to ensure compliance with accepted practices and applicable law. On the other hand, if the data vendor owns and operates its own app-based user panel, the apps comprising the user panel and the data vendor’s data protection practices for the panel should be vetted.
The functionality of the apps comprising the panel is important because, presumably, they are being offered via one of the major app stores, such as Google Play or Apple App Store. The functionality of the apps, and the data collected by those apps, should be compliant with the developer guidelines and other applicable terms of those stores.
Evaluating whether the personal data being collected is related to the functionality that the app provides is also important, as it helps to ensure that the basis for the collection of personal information is compliant with the data minimization tenets of privacy laws, such as Article 5 of GDPR, which provides that the personal data that is collected is limited to what is necessary for processing. Use of de-identification techniques in this regard by the data vendor is also important because it protects both the user (by making it more difficult to identify the user) and the data vendor (by reducing the risk of storing personal information), and allows the data vendor further flexibility in how it uses the collected data, as outlined in Article 6(4)(e) of GDPR, for example.
At Sensor Tower, we strive to uphold the highest standards for all mobile analytics companies and are committed to safeguarding the privacy of our panel users to the fullest extent as we provide answers to business critical questions. In our next post, we will provide more detail about Sensor Tower’s own user panel and what makes it such a safe and valuable resource.
Based on the data sources that are used by the vendor, a compliance program should consider evaluating the manner in which the data from these sources is being used to provide mobile app insights. This includes data preparation, the characteristics of the data science models being used, and the controls that have been implemented by the data vendor to ensure the integrity of the data sources and the insights being provided from those data sources.
Key questions may include:
The manner in which PII is anonymized and aggregated to ensure that no third-party PII is included in the insights provided by the data vendor.
What data science models are used, how they work, and whether they are statistical and aggregate in nature.
Of the data provided, what constitutes insights generated by data models and what data provided is mirrored from the vendor’s data sources.
That no third-party confidential information or MNPI is provided by the vendor in any way, including in the form of insights or other information.
That the vendor strictly controls access to and monitors both the data sources and generated insights to ensure that neither is tampered with, thereby ensuring that no third-party confidential information, MNPI, PII or other relevant information can be provided.
The information received from the data vendor in response to the above questions, along with other important questions often asked regarding the data vendor’s data practices and security measures, including business continuity and disaster recovery, can be used to verify that the representations being made by the data vendor are true. This is especially salient in a post-App Annie (now data.ai) world, in which data.ai was found by the SEC to have induced customers by intentionally misrepresenting its data practices and use of confidential information.
Sensor Tower has always been committed to providing compliant products for all sectors including the alt data space and is readily available at any time to address any questions from customers and prospective customers alike. Please just reach out to your account manager or email us at firstname.lastname@example.org.
Like Sensor Tower, many data vendors in the alt data space have long focused on compliance to ensure their products can be safely relied upon by a wide variety of customers including financial firms, and we believe that, given the heightened regulatory standards, providing data to the alt data space makes mobile app data vendors better partners to the broader customer ecosystem in general. Put simply, for the reasons noted above, financial customers often provide the most scrutiny of both a company's practices and of the quality and usefulness of the data provided. We appreciate discerning buyers that push us to be better every day, and the financial industry is full of them.
Through our work in the alt data space, we have also had the opportunity to partner with and work alongside many amazing providers. From other digital insights companies to the broader ecosystem, we enjoy being part of the data mix for this market and getting to socialize with and learn from these amazing, high-quality, and serious companies. While a few misguided data vendors have made serious errors leading to sensational headlines, it is our experience that the vast majority of the space is made up of earnest, focused providers and buyers. These folks know that we don’t live in the Wild West—and every day they demand excellence.