How many apps are affected by the GDPR?
GDPR is the talk of the industry - but how many apps will it affect in reality?
Depending on where you’re reading this, the answer might be less obvious than you think. Your app might only target users in a specific location, or only be language-accessible to places far from the reach of EU law. Your app may not even appear on a European based app store.
Yet these are no reason to be lax about the new law. A new user can install an app at any time, any place - and if they download an app within the EU, then you’re liable under the GDPR.
So how many global apps see installations within the EU? Is it 100% of them? Or more like 50%? Are they all affected, or just some?
We wanted to find out, and below you can see our results.
How we untangled the data
From all the apps we track, we created a cohort based on installs between January 2nd and January 31st, 2018 (a period of 30 days).
Within those installs, we also filtered by installs based within the EU, to find a ratio between the number of installs that each app has in the EU and out.
We explicitly looked at apps based outside of Europe - by default, apps within the EU must be 100% compliant with the law, so it made sense to look at other nations’ likelihood of being affected.
What resulted was a dataset of countries as distant from each other as Uruguay, Egypt, and the Democratic People’s Republic of Korea. The US, Japan and China have the largest presence of the cohort. In total, our dataset reached almost 9000 apps.
How many apps are affected by the GDPR?
In our dataset, 1,871 apps (21%) had no European users, and 2,473 (27%) received no installs at all in Europe.
Taking a sample of this group, we then looked at those with 1000 installs or more, but which had no users in Europe. This left us with 55 apps (or .6%). Here’s the distribution by country:
The distribution is probably the most revealing aspect of who’s likely concerned with the European market. Japan, in particular, is a hyper-local market, with language differences and a different focus, they’re less likely to have any users in Europe than other markets - though, of course, it only takes one install to suddenly need to become GDPR compliant.
Now, there are some other things to mention which might have an effect on the dataset. January is a low period of travel for Europe, and with summer vacation rolling around the same time as the GDPR is implemented, travel apps need to be aware of holidaymakers downloading apps, or using them cross-regionally. Furthermore, as we’ve seen in our recent mobile benchmarks report, app usage is generally lower in January than in other months, and we might spot more activity at other times of the year as it rolls on.
That said, from our study, 79% of apps outside of the EU need to keep up with the rules, and the more users who download, the higher the likelihood of needing to comply. Let’s look at some best practices.
GDPR best practices
We’re often asked about some tips on what to do when it comes to preparing for the GDPR. Below you can find three simple points to help clarify the basics.
Personal data redefined
Our ‘digital identifiers' are now more of what constitutes a user’s ‘personal data’. Previously, name, photos, email and so on, were typical identifiers. Now, this list has expanded to include specifically:
- IP addresses
- Online identifiers
- A user’s location data
- Biometric data (fingerprints and retina scans)
- Behavioral and demographic profiling data
If your users consent to be tracked, you must protect this data.
More consent required
If you’re now asking for personal data, you need to be explicit in doing so. Requests must be unambiguous in their wording, and they have to include the intended use and purpose of their information in order to justify the request.
The right to be forgotten
EU users can, at any time (and to any business, wherever it’s located) request where, why and how their data is being used, and can also send a request for such information to be deleted. A business who receives either of these requests must comply.
Deletion requests can be made from any location, and include any type of data that’s recorded - from cookies to multiple user profiles. If received, user information must also be deleted from Adjust servers, and app businesses must send us deletion requests to process.
Read the first instalment of our Transparency Series, our GDPR checklist, to get caught up on even more best practices. If you want to look at how we began our GDPR reporting, please take a look at this article for more
While the content on this page is designed to help you understand the GDPR when working with third parties, the information contained should not be construed as legal advice. You should consult with your own legal counsel with respect to interpreting your unique obligations under the GDPR and the use of a company's products and services to process personal data.