By Zachary Paruch December 11, 2017

Why You Need to Know What Your Third-Party Service Providers Really Do

Have you ever used services like Google Analytics, Google AdWords, or PayPal for your mobile application or online business? Your answer is most likely “yes,” as services like these are incredibly useful to developers and product managers in delivering high-quality products to their customers.

They are called third-party services—as they are not developed, owned, or run by you—and they can be invaluable to the software development process. Developers tend to use them because they save time and money, reduce risk and complexity, and increase the ease of use and reliability of your app.

However, these third-party services may be doing more than just optimizing your software—and it is your legal responsibility to know what they are up to.

The Walt Disney Company didn’t know, and now they are facing a lawsuit that could end up costing them millions of dollars.

The multinational entertainment conglomerate is being sued by the state of California for violations of the Children’s Online Privacy Protection Act (COPPA), which pertains to the collection of personal information of children under the age of 13. It is alleged that 42 of the company’s mobile apps were using third-party services that collected, tracked, and shared the personal information of its users—many of whom were under the age of 13—without first obtaining parental consent.

Violations of COPPA are not taken lightly by the Federal Trade Commission, with fines of up to $40,654 per user a very real possibility. The Disney apps in question had millions of users between them, meaning the civil penalties could run into the tens of millions of dollars!

So how can you help your mobile app or online business avoid a similar fate?

Below, we’ve outlined the reasons why you need to know what your third-party service providers do, and four ways to ensure that they will not end up causing you a legal headache down the road.

I’m going to share with you the same advice I offer to the small businesses I work with. But let me note that, although I consult with developers to tailor legal policies for their apps, I am not a lawyer. And while these considerations are crucial for your mobile app or online business, it’s important to seek legal counsel from actual legal professionals.

You Are Legally Responsible for What Your Third-Party Services Do

According to several state, federal, and international laws and regulations, you are legally responsible for not only the data you collect and share, but also understanding and disclosing the personal data collection practices of third-party services you employ.

California Online Privacy Protection Act (CalOPPA)

Passed into law in 2003, CalOPPA is a California state law pertaining to privacy policies and the collection of personal information online.

The law stipulates that any commercial website or app that collects personally identifiable information (PII) from California residents must provide a privacy policy that discloses these practices in a conspicuous location. For most businesses, this means simply putting a clear and visible link to the privacy policy in the footer of every page where personal information may be collected.

According to the law, PII is defined as anything that would allow for someone to be contacted directly—online or in person. This information includes names, physical addresses, birthdates, email addresses, credit card information, and physical attributes.

CalOPPA was amended in 2013 to require new privacy policy disclosures pertaining to Do-Not-Track signals and the PII collection practices of third-party services employed by a website or mobile app.

The revised legislation states that websites and other online services must disclose whether the third-party services they use may collect PII from users—but importantly, not what those service providers do with the information. When possible, links to the privacy policies of those third-party service providers must also be included in the disclosure.

Failure to provide these disclosures is a direct violation of CalOPPA—and could cost you $2,500 per user whose personal information was collected by your third-party services. Thus, in order to fully comply with CalOPPA, you need to not only know what the third-party services you employ are up to regarding data collection, but also disclose those practices in your own privacy policy.

COPPA

As Disney has discovered, COPPA is a federal law that was enacted in 1998. The law applies to websites, mobile apps, and other online services that collect the personal information of children under the age of 13.

It mandates that affected websites and apps must post a comprehensive privacy policy in a conspicuous place. Furthermore, this policy must describe in detail the practices relating to the collection of data from users under age 13. They must also first obtain verifiable parental consent before any data is collected from children.

In 2011, the law was expanded to include provisions relating to the practices of third-party services. Websites and mobile apps that target children under age 13 are now responsible for the data collection practices of the third-party services they use, pursuant to federal law.

This means that even if you comprehensively outline in your privacy policy your own data collection practices relating to children under age 13 and get verifiable parental consent to your practices, you could still be in violation of COPPA if the practices of your third-party services are unaccounted for.

Disney is finding out the hard way that violations of COPPA are no laughing matter.

In order to stay on the right side of COPPA, you must first know and understand the data collection practices of your third-party services. In the event that any one of those third-party services collects the personal information of children under age 13, you must specifically obtain parental consent for that data, as well.

COPPA aims to protect young children from having their personal data exploited and used for financial gain. For this reason, any method of obtaining parental consent must include a description of the data collection practices of your third-party service providers. This includes innocuous, seemingly anonymous services such as Google Analytics, Crashlytics, and Kissmetrics.

You are not only required to detail the data collection practices of those services in your own privacy policy, but also ensure that the data collected by them is secure and protected.

General Data Protection Regulation (GDPR)

Because it is an upcoming regulation in the European Union (EU), many webmasters and software developers are probably still unaware of the GDPR. However, when it becomes enforceable on May 25, 2018, it will forever change the data privacy landscape of Europe—and the rest of the world along with it.

The GDPR will replace and expand upon the European Data Protection Directive of 1995, and will pertain to online businesses and mobile apps that are located in or do business with users in the EU. This means that even if your business is located in Arkansas, if your mobile app can be downloaded by someone in the EU, you are subject to this legislation.

A fundamental aspect of the GDPR legislation is the concept of Privacy by Design (PbD). PbD is an approach to online systems development that makes end-user privacy a priority throughout every step of the design process.

Essentially, PbD—and therefore the GDPR—will make privacy the default setting for consumers. According to the legislation, any practice relating to the collection and/or disclosure of personal information must be opt-in. This includes the practices of third-party services used by a website or mobile app.

The PbD concept basically dictates a complete restructuring of the site so that webmasters are able to inform end users of data collection practices (including those of their third parties) and also give end users a method for opting in to their use. The default setting should automatically be “opted out” so that no information is automatically collected.

Not only must you obtain consent and provide disclosure in a privacy policy for your own data collection practices, but you must also do so for each and every third-party service you employ.

Violations of the GDPR can result in penalties of up to €20 million, or 4 percent of your annual revenue. As such, for any business that has customers in the EU, it is vital to be aware of and account for the practices of your third-party services.

4 Tips for Ensuring Your Third-Party Services Won’t Get You Into Trouble

In a perfect world, you would have performed a thorough review of the privacy policies and information collection practices of each third-party service before deciding to use it with your software.

Unfortunately, life isn’t perfect, and most of us just jump on the most popular and/or most highly rated services for a given need.

Fear not, as we’ve been through the same situation and subsequently compiled four simple tips for mitigating risk and ensuring that you are as knowledgeable and protected as possible.

1. Read Privacy Policies

Although not exactly an interesting or glory-laden task, carefully reading through the privacy policies of prospective third-party services is integral to understanding the data collection practices of those services.

Once you understand what these services do, you can begin to ensure that your own privacy policy reflects their practices, and that you obtain adequate consent from users when and where necessary.

Particularly important to understand are issues like:

  • What kinds of data do they collect?
  • From whom do they collect data?
  • How long do they retain it?
  • Will they share or disclose the data with any other parties?

If the answers to these questions are at all unclear or you are unsure how to cover these behaviors in your policy, it’s vital to continue your search for information via our next tip.

2. Contact the Third-Party Service Provider Directly

Privacy policies are not the most approachable documents, especially if they are replete with legalese and technical jargon. It’s not always possible to glean the information you need in order to keep your software compliant by simply reading through the documents.

If this is the case, you have to go the extra mile by getting in touch with the provider and asking the nitty-gritty questions relevant to your own policy. You should also inquire about the company’s awareness of and compliance with the various laws and regulations—specifically the aforementioned COPPA and CalOPPA legislation.

With so much that goes into building a website or developing a mobile app, it’s often difficult to think of the right questions to ask to get the information you need. Some examples of important questions to ask include:

  • Under what circumstances will third-party services access personal information?
  • How will third-party services access personal information?
  • Will third-party services allow other parties to access the personal information they’ve collected?
  • How long will the third-party service provider store the personal information?
  • What steps does the third-party service take toward compliance with existing legislation, including but not limited to CalOPPA and COPPA?

Some online business owners even go as far as sending a due diligence questionnaire, which is a document that provides the third party with questions about its data practices and safeguards.

3. Assess Your Contract With the Third Party

Whether you’re using a premium, paid service or a free tool you found through Google, when you decide to use software provided by another party, you are agreeing to a contract with that company.

It’s important to get this contract in writing, and if possible, negotiate the terms of that contract. Unfortunately, with major companies that serve thousands—if not millions—of clients, it will not always be possible to negotiate specific terms. However, it is still vital to look over the contract carefully and ensure that you agree with and can account for their privacy practices.

The document should clearly specify the company’s treatment of user data and stipulate that it adheres to all relevant compliance requirements according to state, federal, and international laws and regulations.

Having this contract in writing will protect your position in the event that the third party is found to have violated regulations or has been irresponsible with user data. You will be able to point to their independent breach of contract and save yourself a headache.

4. Regularly Monitor Third-Party Operations

Unfortunately, mitigating the risk you take on when employing third-party services with your website or app is a task that doesn’t end when you sign the contract or decide to download the software. The laws place the burden of responsibility on you to monitor and continue to be aware of the ongoing practices of these third parties.

According to the regulations, you must “use reasonable means” to ensure that third parties maintain the confidentiality and security of the personal information they collect in conjunction with your software.

Schedule regular audits of third-party service operations. This means reviewing their privacy policies for updates/changes to the terms, monitoring their practices via your tech team, or using tracking software to help you.

These audits can reasonably be done on a biannual or annual basis. Those services that employ particularly risky practices can be audited quarterly.

Again, the regulations stipulate that you must use reasonable means, so based on the size of your business, audits could mean anything from regularly reviewing the third party’s privacy policies to having your tech team determine what data is collected by a given service provider.

For a small operation with limited means, regularly checking for privacy policy updates and potentially using software are your only forms of recourse.

Regular audits may seem like a hassle and an unnecessary addition to an already heavy workload, but performing them may be the difference between smooth operation and enormous legal penalties. If you don’t have the time, you can hire an auditing firm to conduct these checks for you, or even use third-party tracking software.

Understand Your Third-Party Services as Thoroughly as Your Own Business

For most websites, apps, and software packages, third-party services are unavoidable for providing a better user experience and staying competitive in today’s market. They offer capabilities and functionality that are invaluable to up-and-coming businesses for getting a foothold in the ever-saturated world of online business.

Although they carry with them a modicum of risk, by educating yourself about their practices and policies, and regularly monitoring their operations, you can do what Disney didn’t do—stay on the right side of the law and out of the courtroom.

About the author

    Zachary Paruch

    Zachary Paruch is a product manager and small business expert at Termly, where he helps to develop legal policy software for small businesses. When he’s not saving SMBs from lawsuits and financial ruin, he can be found playing soccer, binging a Netflix series, or getting a beer with some good friends.