The UK’s top mobile apps and the GDPR

Spencer Zeke Depas
Jun 6, 2018 · 7 min read

Before creating this article I did the best I could to apply The General Data Protection Regulation (GDPR) to my products. I created granular consent, age consent, an option to delete all user data, a clear and explicit explanation of what data was being used, I removed libraries and changed features to adhere to GDPR. After creating this article my strategy has changed and I think yours might too. Below I take a look at the UK’s top downloaded apps in April 2018 and see how they handle GDPR.

*Information was gathered on May 31st, 2018.

Image for post
Image for post

No granular consent

One of the most important thing I found was that one app out of ten asked for granular consent. In my mobile apps, I have seen a drop in on-boarding and I am attributing it to the three extra dialogs explicitly stating what data is being collected and for what reason. All the top players are simply providing a button that says ‘Continue’, and in the area some text that says if you continue you agree to our privacy policy. Please see the consent forms for Instagram, Messenger, Wish, Snapchat and Whatsapp below.

Apps are location independent

All apps seemed to have no different flow depending on location or IP address. I signed up for all apps using an EU IP address and a non-EU IP address.

Online counterparts

Some apps have online counterparts so the features we are seeking may be online only, like the exporting of data or deletion of data. I did not explore all online components.

No request for personalized ads

None of the apps asked for explicit consent for personalized ads.

Uk’s top 10 apps

Below you will find the UK’s top ten apps and how they dealt with GDPR. There are notes regarding each app. Click on the app icon for the apps Privacy policy. For all apps I created a new account.

Helix jump and GDPR

Image for post
Image for post
No privacy policy when you click on the Privacy policy on the play store it takes you to a webpage providing only an email.

Whatsapp and GDPR

Image for post
Image for post
  • ’Tap agree and Continue’ to accept the Whatsapp Terms of Service and Privacy Policy
  • You can delete your account within the app. In the privacy policy, it says, “When you delete your WhatsApp account, your undelivered messages are deleted from our servers as well as any of your other information we no longer need to operate and provide our Services”. This does not strictly say we delete all of your PII.
  • In the PP “If you live in a country in the European Region, you must be at least 16”
  • It says in the PP there is a way to port data. I can’t see any way to do this online or in-app.

Pubg and GDPR

Image for post
Image for post
  • If you select North America for your country no consent screen is displayed. But If you choose anywhere in the EU a consent screen is displayed.
  • The app claims that after 7 days of deleting your account it will delete all your data. On the mobile version, I was unable to find a way to delete an account.
  • The privacy policy gives no clear instructions on exporting the data
  • You can use the app if you are under 16 If you get your parents permission otherwise the app will not let you. This could be relating to the app having violence.

Harry Potter Hogwarts Mystery and GDPR

Image for post
Image for post
*Privacy policy in app-only

Home workout and GDPR

Image for post
Image for post
  • This is the only app that explicitly states it does not collect PPI(Personal Identifiable data)

Messenger and GDPR

Image for post
Image for post
  • In the on-boarding, it says, “By tapping continue, you accept our terms and agree that you have read our Data policy”
  • It asks you to change and exercise your GDPR rights by going on What is funny about this is if you do not have a facebook account you would have to make one. ”you have the right to access, rectify, port and delete your data…find out how to exercise your rights in the Facebook settings.”
  • The messenger app seems to have the same privacy policy as
  • In the app it says you can export data on settings

Wish and GDPR

Image for post
Image for post
  • Privacy policy button is next to sign up button. In the PP “By using or accessing the Services, you acknowledge that we will collect, use, and share your information as described in this Privacy Policy
  • I downloaded Wish on two devices. The versions were slightly different including the privacy policy. One PP was updated April 5th, 2017 and the other was updated May 25th, 2018
  • The first time I installed the app I was presented with an age requesting dialog. I only saw this once. I tried to recreate it to test being above and below 16.
  • There is an option to delete the account. But it does not say it deletes the data. In the PP it says you can delete the data in settings but there is not a dedicated button.
  • In the privacy policy, it states you can export data but gives you no mention as to how.

Instagram and GDPR

Image for post
Image for post
  • By clicking next you agree to our data policy
  • ”We provide you with the ability to access, rectify, port and erase your data. Learn more in your … Instagram settings.” There is an option to export the data but it does not say that it will export all data. It says, “Get a copy of what you have shared on Instagram”.
  • You can delete your data but not in-app. To delete your data you must delete your account. ”Go to the Delete Your Account page. If you’re not logged into Instagram on the web, you’ll be asked to log in first. You can’t delete your account from within the Instagram app.”

Spotify and GDPR

Image for post
Image for post
  • If you continue you agree to our terms and service data policy consent
  • I have found no way to do this. ”If you request, we will delete or anonymise your personal data “
  • “Declining the terms and conditions will exit the Spotify app”
  • The play store listing privacy policy takes you to a 404 error. I found the online version here.
  • In the app, there is an option to delete Cache and data. This could mean PII but I don’t think it does.
  • There is no mention of exporting data in the privacy policy but I did find an export data option online.
  • I found nothing on GDPR specific age requirements which is 16
  • Age limit of 13, Can use above 13. (GDPR requires users to be 16)
  • You can export data outside of the app

Snapchat and GDPR

Image for post
Image for post
  • This is below the sign-up fields: “By tapping sign up & accept you accept, you acknowledge that you have read the privacy policy”. The signup button says “Sign up & Accept”
  • It implies in the privacy policy you can delete your data by deleting your account but it does not explicitly say that.
  • You can export data outside the app here

Top ten wrap up

One app asked for granular consent. No one asked for consent for personalized ads. None of the apps let you use the app if you denied consent. The consent to the terms and conditions seemed very passive and inexplicit. I hope this case study was helpful. If you have any questions please leave a comment bellow.

~If you liked the article, click the 💚 below so more people can see it! Also, you can follow me on Medium or on My Blog, so you get updates regarding my future articles!~

Welcome to a place where words matter. On Medium, smart voices and original ideas take center stage - with no ads in sight. Watch

Follow all the topics you care about, and we’ll deliver the best stories for you to your homepage and inbox. Explore

Get unlimited access to the best stories on Medium — and support writers while you’re at it. Just $5/month. Upgrade

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store