Some popular apps for Android smartphones are feeding data to Facebook without user consent, which could be a breach of the European Union’s (EU’s) General Data Protection Regulation (GDPR). When looking at 34 Android apps, the campaign group Privacy International discovered that at least 20 — including Skyscanner, TripAdvisor and MyFitnessPal — immediately send certain data to the social media site before users are asked for permission.
The information shared included the app’s name, the user’s unique ID with Google, and the number of times the app was opened and closed after being downloaded. Some travel apps, like Kayak, sent details to Facebook as well, such as travel dates, whether the users had children, and which flights and locations had been searched.
This sharing of data could be a major breach of GDPR, which came into effect in May. With the new regulation, mobile apps must have the consent of users before collecting their personal information or face fines of up to 4 percent of revenues — or €20 million ($22.8 million USD), whichever is greater.
Researcher Frederike Kaltheuner explained that while the app needs to make sure it complies with the regulations, Facebook’s developer kit did not provide the option of waiting for a user’s permission before sending the data.
“At least four weeks after GDPR, it wasn’t even possible to ask for consent because of the default setting of Facebook’s [software development kit (SDK)]. This means data is automatically shared the moment the app opens,” she said, according to Financial Times.
However, a Facebook spokesperson said that app developers could disable automatic data collection, and that the company also recently introduced a feature that allows developers to delay collection of app analytics information.
The report came as the social media giant already faces issues related to GDPR. In October, it was reported that the company could be fined billions of dollars due to a data breach of about 50 million user accounts.