Reviewing business app T&Cs isn’t as fun as it sounds … until it is. Some app developers take their GDPR compliance seriously, while some clearly just want to tick the appropriate boxes and move on. And then there are those that are completely oblivious.
This month, we’ve come across some real howlers while doing a data audit for a client. We’ve uncovered about 70 different apps and websites that this client uses in its business. Each of these apps *should* have GDPR-compliant T&Cs and privacy notices, but few of them do.
The list of apps this client uses is pretty typical – some are among the most widely used apps today. Their approaches to data privacy are… let’s say… not as widely compliant.
Where you live makes a difference.
Some apps try to deal with GDPR by not dealing with it at all. A favourite example:
“[this app is] not GDPR compliant. If you are based in the European Union, you are prohibited from using [this app].”
Nice try. If we can access your app from the EU or the UK, then the GDPR probably applies. This attempt at a cheap and cheerful dodge isn’t likely to work.
An apology isn’t security.
Many apps explain their security features, data storage facilities, and international data transfer safeguards. That’s great.
Some apps prefer to make apologies instead:
“We don’t currently run any external vulnerability scanning tools, but are happy to at the request of a client (costs may apply). We don’t have a formal process for ensuring compliance with security standards, but all servers are updated on a weekly basis. We’re not as big as Google :-).” [happy face emoji is original]
Yes, privacy compliance is challenging and can be expensive. Most app developers don’t find it terribly exciting, either. But being small is no excuse for not securing data properly. And using apps that use this excuse is risky business – when they get hacked, their data breach becomes your data breach in a hurry.
T&Cs can be well hidden.
If you want to read through the T&Cs of most apps, you can usually find a link in their website’s footer to ‘Terms of Use’ or ‘Terms of Service.’ But this isn’t always the case.
Larger tech companies can be the worst. Some direct you to the parent company’s website and leave you to wade through dozens of screens of umbrella T&Cs for the whole portfolio. Good luck figuring out if they even apply to the app you’re interested in.
Can you even find the T&Cs?
Investigating over 70 apps for this one client required a fair bit of scrambling just to locate the T&Cs. Hidden or hard-to-find terms are annoyingly common, and in some cases the only way we could see the T&Cs was by requesting a copy from the app developer.
Are you reading the latest version?
Check the date on the T&Cs. In one case, we clicked the ‘Terms of Use’ link in the website footer and arrived at a perfectly normal-looking document dated November 2016. This seemed a bit old for any app that’s in constant development. Then we saw the note advising that this version was no longer in force. Strange document to link from the website footer, but hey ho.
In fairness, we eventually found the current T&Cs, but it took a bit of work.
“We are GDPR compliant.”
Always our favourite line. We have a short reply to that: “That’s unlikely. Now could you show us your T&Cs and privacy notice please?”
Trust no one.
And just before we went cross-eyed after pages and pages of T&Cs, we came across this little gem:
“[this app] can help when it comes to data transfer and secure communication. This means that all data (including media and files) that you send and receive via [the app] cannot be deciphered when intercepted by your internet service provider, owners of Wi-Fi routers you connect to, or other third parties.
But please remember that we cannot protect you from your own mother if she takes your unlocked phone without a passcode.”
Mic drop.