Today’s post on data privacy is the third in a series of four posts covering how the bright future of the data market is being guaranteed by the deep investment by data vendors and customers alike in compliance. If you missed our first two posts, you can find them here:
If you haven’t heard of the General Data Protection Regulation (otherwise known as GDPR) by now, then hopefully you were just enjoying life in some remote, off-grid location relaxing in natural hot-springs and being pampered with local delicacies.
GDPR turned much of the tech industry, which had gained a reputation for using personal data liberally, on its head by enhancing individuals' control and rights over their personal data. While prior laws and regulations existed governing the use of personal data, they did little to stem the widespread sale and use of personal data by tech companies in nearly every sector. GDPR, which was adopted on April 14, 2016, and became enforceable on May 25, 2018, has far reaching effects and carries with it stiff penalties for non-compliance. See “What do Google, British Airways, H&M and Marriott all have in common? Well, they all received fines in excess of €10,000,000 for GDPR violations relating to personal data.”
GDPR became the model for the privacy laws of many other countries including the UK, Turkey, Mauritius, Chile, Japan, Brazil, South Korea, South Africa, Argentina, and so forth. Several states in the US have also passed their own privacy laws modeled at least in part on GDPR, such as California’s Consumer Privacy Act (CCPA) and follow-on act, California Privacy Rights Act of 2020.
The main tenets of most privacy laws are fairness and transparency. To be fair, a data provider must not process data in a way that is unduly detrimental, unexpected, or misleading to the individuals from which data is collected. To be transparent, a data provider must be open and honest about its data practices, and sufficiently inform individuals about those practices. Additionally, under GDPR and other similar laws, there has to be a valid legal basis under which data is collected (more about that can be read about here).
To comply with these privacy laws, data providers have had to re-evaluate their data sources to ensure that the data they receive from these sources is compliant with the above tenets and other requirements of these laws. As outlined in our prior post, this applies not only to the personal data that a data vendor may collect itself, but also to data it receives from other data providers (third-party data sources).
While some data vendors maintain for one reason or another that panels inherently track users without their consent or are not secure, these allegations are frankly nonsensical. There is nothing inherently bad, insecure, inaccurate, or non-compliant about first or third-party data sources. What matters is that your data vendor is willing to ensure that any user data they are using in their products is compliant with applicable data privacy laws and regulations regardless of whether they are gathering it themselves or receiving it from a third-party supplier. If the supplier is purchasing user data from other data suppliers, then data broker compliance should also be evaluated, and so forth.
Depending on the product, Sensor Tower may use first and third party data sources. Regardless, in keeping with best practices for mobile privacy, before we implement a new data source (whether first or third party), we evaluate whether the data is needed and if the result can be accomplished without the collection of personal data. If so, we opt for an privacy-centric approach that avoids personal data. If not, we minimize the personal data that is collected and de-identify information when possible to reduce risk.
For example, Sensor Tower manages a series of panel-based apps that power some of our intelligence products. Our active panel-based digital wellbeing apps, StayFree and ActionDash (which were acquired by Sensor Tower in 2020), are best in class and are available on Android. Our content blocking apps, Mobile Data Usage, Luna, and Adblock Mobile, were developed by Sensor Tower and are available either on Android or iOS.
These panel apps fully inform individual users about our data collection practices and their rights in that data during onboarding. Even more, users of ActionDash and StayFree are able to utilize all digital wellbeing features within the app for free even if they opt out of data collection, and our ad blocker apps only route ad and analytics-related data through our servers using a privacy-focused method we specifically developed called Split Tunneling, which ensures only ad-related domains are proxied, as illustrated in the below figure.
Users can also easily disable the certificate that is used, with the limitation that the blocking will not work with ad networks that encrypt ad traffic.Using these approaches, we only handle ad and analytics data, which comprises less than 10% of the total data being sent and received by a device. Even more importantly, because we only handle ad or analytics data, we shield ourselves from handling or processing requests that could include sensitive data, like health or financial data.
The usage and ad data that is received through our panel is de-identified at the point of collection. Under our privacy-by-design approach, IP addresses are not persisted so the only identifiers that can be associated with the installations of our panel apps are the installation identifiers (IDs) generated upon installation. These are stored locally on the users device and we are unable to identify users using them unless the users expressly provide us with additional information, like when they contact us for customer support. If a user uninstalls the panel app, then the ID is rendered useless and any data associated with it is fully anonymized. If they reinstall the app, a new randomly generated ID is created for the reinstalled instance of the app and is only applicable so long as the app is not uninstalled, and so forth.
All panel data is anonymized and aggregated data, and then input into our statistical, aggregate models to generate the insights we provide on sensortower.com, such as our Ad and Usage Intelligence products.
Protecting user privacy has always been a main tenant of Sensor Tower. Well before GDPR and other recent privacy legislation, the Sensor Tower team thoughtfully built our panel apps with a privacy-driven approach. We've worked hard to take extra precaution and minimize potential privacy risks when developing our panel apps, and will continue to provide innovative tools that respect the privacy of users around the world.