London, Aug. 22, 2024 (GLOBE NEWSWIRE) -- Pixalate, the global market-leading ad fraud protection, privacy, and compliance analytics platform, today released the H1 2024 GDPR Violation Risks Report: Apple App Store. The report provides a detailed legal analysis on data privacy violation risks arising under the European Union (‘EU’) and United Kingdom’s (‘UK’) General Data Protection Regulation (‘GDPR’), specifically under Articles 5, 12, 13, 24 and Rec. 75 in connection with the Apple App Store and app developers that have published mobile apps on Apple’s App Store.
The report also evaluates potential GDPR violation risks for Apple as a “Data Controller,” as defined under GDPR Article 4(7) – Apple appears to share users’ device identifiers (Identifier for Advertisers, Identifier for Vendors, a.k.a. IDFAs/IDFVs) with 1,384 Apple App Store-hosted mobile apps that do not have detected privacy policies yet appear to process users’ personal data by sharing their IDFAs/IDFVs in the ad bid stream.
To compile this research, Pixalate’s data science team analysed over 32,000 Apple App Store-hosted mobile apps that were downloadable from their App Store in the EU and UK during H1 2024, met the territorial scope of GDPR, and had open programmatic ad impressions targeted towards EU and/or UK-based users, as measured by Pixalate.
Pixalate’s H1 2024 Apple App Store GDPR Violation Risk Report – Key Findings:
- 380,000+ EU and UK-based users’ personal data was shared in the ad bid stream by targeted advertising-enabled apps that did not have detected privacy policies during H1 2024.
- 1,384 Apple App Store-hosted apps:
  - did not have a detected privacy policy during H1 2024, and
  - shared EU and UK-based users’ personal data in the open programmatic advertising bid stream.
- Personal data shared in the open programmatic ad bid stream included location data, IP address, and device identifiers (IDFVs/IDFAs), as measured by Pixalate:
  - 842 (61%) targeted advertising-enabled apps shared EU and UK-based users’ IDFAs/IDFVs in the open programmatic ad bid stream in H1 2024.
  - 330 (24%) targeted advertising-enabled apps shared all three forms of personal data in the open programmatic ad bid stream during H1 2024.
By sharing users’ IDFAs/IDFVs with apps without detected privacy policies, Apple is likely failing to meet its Data Controller obligations to ensure that users’ device identifiers are handled with integrity and confidentiality, as per GDPR Article 5(f).
“Pixalate has undertaken this investigation to produce data insights and legal analyses concerning actual practices of app developers, websites and reputable app-hosting platforms to help users ascertain whether their personal data is actually processed with user privacy at the forefront,” said Yusra Kayani, Pixalate’s EMEA Director of Data Protection and Privacy. “It is a concerning realisation that the identified apps without detected privacy policies exist and operate within the Apple App Store ecosystem, yet Apple appears to lay dormant in taking action to identify and remove such apps that are likely violating GDPR provisions alongside Apple’s own developer licence agreements and App Store guidelines.”
Top 10 EU+UK Registered App Store-Hosted Apps Without Detected Privacy Policies Sharing Personal Data in the Ad Bid Stream
| Rank | Title | Developer | Developer Country | Est. No. of EU+UK Users Impacted (H1 2024) |
| --- | --- | --- | --- | --- |
| 1 | LALIGA Fantasy 23-24 | Liga Nacional de Futbol Profesional | SPAIN | 79K (20%) |
| 2 | Paint the Flag | Mobsmile Yazilim Hizmetleri Limited Sirketi | UNITED KINGDOM | 14K (4%) |
| 3 | My Monster Pet: Train & Fight | traxnet ou | ESTONIA | 4K (1%) |
| 4 | Führerschein ClickClickDrive | ClickClickDrive GmbH | GERMANY | 4K (0.96%) |
| 5 | Dingbats - Between the lines | Romain Lebouc | FRANCE | 2K (0.53%) |
| 6 | Handy Craft | Voodoo | FRANCE | 2K (0.51%) |
| 7 | Freecell - move all cards to the top | Brilliant Labs Limited | UNITED KINGDOM | 1K (0.34%) |
| 8 | Crush the Monsters:Cannon Game | HEROCRAFT LTD | UNITED KINGDOM | 1K (0.3%) |
| 9 | Closer – Actu et exclus People | Reworld Media Magazines | FRANCE | 1K (0.29%) |
| 10 | Tipping Point Blast! Coin Game | Two Way Media Ltd | UNITED KINGDOM | 1K (0.29%) |
Access the full H1 2024 GDPR Violation Risks Report – Apple App Store here. You will also receive the list of 1,384 App Store-hosted apps without detected privacy policies that are sharing EU and UK-based users’ personal data in the ad bid stream during H1 2024, as measured by Pixalate.
About Pixalate
Pixalate is the market-leading fraud protection, privacy, and compliance analytics platform for Connected TV (CTV) and Mobile Advertising. We work 24/7 to guard your reputation and grow your media value. Pixalate offers the only system of coordinated solutions across display, app, video, and CTV for better detection and elimination of ad fraud. Pixalate is an MRC-accredited service for the detection and filtration of sophisticated invalid traffic (SIVT) across desktop and mobile web, mobile in-app, and CTV advertising. www.pixalate.com
Disclaimer
The content of this press release, and the associated report – including all content set forth herein – reflects Pixalate’s opinions with respect to subject matter that Pixalate believes may be useful to the digital media industry, inclusive of advertisers, advertising technology companies, developers of mobile applications, professional advisors, non-governmental entities, and regulators. Pixalate is sharing this report’s data – and opinions relating thereto – not to impugn the standing or reputation of any entity, person, or app, but, instead, to report opinions and suggest trends pertaining to certain apps available for download via the Apple App Store during the H1 2024 time period studied. Any data shared herein is grounded in Pixalate’s proprietary technology and compliance analytics, which Pixalate is continuously evaluating and updating. Any references to outside sources should not be construed as endorsements. Pixalate’s opinions are just that: opinions (i.e., they are neither facts nor guarantees). Pixalate's opinions regarding possible applicability of, legal obligations under, and compliance with the GDPR are for informational purposes only, and are not offered as legal advice. Nothing in this report: (i) is intended to constitute professional and/or legal advice; (ii) actually constitutes professional and/or legal advice; or (iii) sets forth a comprehensive or complete statement of the matters discussed or the law relating thereto.