Emerging Privacy Litigation Risks: Mobile SDKs Under Legal Scrutiny

Yassin Qanbar
March 7, 2025

Mobile SDKs and Privacy Lawsuits: Emerging Legal Risks

Privacy litigation is at the forefront of legal battles in the technology sector, with increasing scrutiny on Software Development Kits (SDKs) embedded in mobile applications. Both plaintiff and defense attorneys must now navigate complex legal challenges involving SDKs that allegedly collect, aggregate, and monetize sensitive user data without adequate consent. 

An SDK is a collection of software tools, libraries, and documentation that developers use to create applications for specific platforms. SDKs enable app functionality but can also embed third-party tracking capabilities, which has raised significant privacy concerns.

Recent lawsuits indicate a growing trend in targeting SDK providers and companies that rely on these tools, raising significant legal and compliance concerns for stakeholders on both sides of the courtroom.

Key Lawsuits Shaping SDK Privacy Litigation

Major tech companies are facing lawsuits alleging their SDKs collect and monetize sensitive user data without proper consent. Some of the most prominent ones include:

Amazon Faces Class Action Over SDK-Based Data Tracking

  • Case: Albano et al. v. Amazon.com Inc.
  • Allegations: Amazon’s ad-tech SDK is accused of secretly tracking users’ geolocation data across third-party applications without proper disclosure or consent. Plaintiffs argue that this violates California privacy laws, including the California Consumer Privacy Act (CCPA) and the California Invasion of Privacy Act (CIPA).

Meta Platforms Inc. and Facebook Audience Network SDK Litigation

  • Case: Tsering v. Meta Platforms, Inc.
  • Allegations: Plaintiffs contend that Meta’s SDK collects user activity, location data, and behavioral insights without valid user consent, enabling monetization of personal information.

Twilio and Amplitude Data Interception Claims

  • Case: Bender v. Twilio Inc. & Atkins v. Amplitude Inc.
  • Allegations: Twilio and Amplitude’s SDKs are alleged to collect sensitive data, including communication logs and location details, in violation of consumer protection and wiretap laws.

Xandr Faces Litigation Over SDK Data Practices

  • Case: Allen v. Xandr, Inc.
  • Allegations: Plaintiffs allege that Xandr’s SDK collects extensive user data, including browsing history and geolocation, without proper consent, enabling precise behavioral targeting for advertising purposes.

Verve Group and InMarket Media Class Actions

  • Case: Lionetta v. InMarket Media, LLC
  • Allegations: Plaintiffs claim that these SDK providers embed trackers in consumer apps to collect, aggregate, and sell location data without clear notice.

Understanding SDK Privacy Risks

"SDKs complicate mobile app privacy management and require greater attention paid to consent management and the technical processes that enable app usage." — Andrew Folks, IAPP Staff Writer, CIPP/US, CIPP/E, CIPM

Mobile apps with Software Development Kits (SDKs) raise major privacy concerns due to how much data they collect. Research shows that about 60% of smartphone apps give away customer data to other companies.

Types of Data Collected by SDKs

SDKs collect far more than they need for simple functions. On average, each mobile app gathers 16 different types of data and 24 specific pieces of information. For example, the Google Mobile Ads SDK automatically collects:

  • IP addresses to figure out location.
  • How users interact with products and when they open apps.
  • App performance details.
  • Device IDs and account data.

Research reveals that 80% of the data items these apps collect don't help the app work better. Games top the list in gathering data for outside advertisers. Shopping apps come next as they collect lots of information to analyze, market, and customize products.

Hidden Data Collection Mechanisms

SDKs use clever methods to gather user information quietly. These methods create special risks because users can't remove or delete SDK tracking as they can with website cookies. These hidden collection methods can manifest as:

  • Users Having No Control: People can't choose what data SDKs collect or how companies use it.
  • Too Much Collection: SDKs grab more data than they need for their main job.
  • Being Hard to Track: SDK data collection runs automatically in app code, which makes checking it or being aware of it more difficult.

Complex SDK systems have caused big privacy problems. For instance, the Bright Data SDK turns apps into data collection tools that let others run commands without users knowing. The Mintegral SDK, which runs in more than 1,200 iOS apps with 300 million monthly users, reportedly hid code that collected data secretly.

Apple's iOS 17 brought privacy manifests that make SDKs spell out their data collection clearly to deal with these hidden methods. But SDK providers still control user data until detailed rules take effect, and they often work without being open or getting proper permission.

Legal Framework for SDK Privacy Litigation

"Browsing and location data are sensitive. Full stop." — Federal Trade Commission, U.S. Government Agency

The FTC has highlighted the risks associated with SDKs embedded in apps, which can expose users to privacy risks that even the app developers may not fully understand.

Courts, on the other hand, continue to shape the legal landscape of SDK privacy litigation. They now apply both 10-year-old and new frameworks to handle data collection concerns. Recent cases show a shift toward stricter interpretation of privacy laws for SDK implementations.

California Privacy Laws (CIPA)

CIPA has become a powerful tool in SDK-related lawsuits. Companies can face statutory damages of $5,000 for each violation under this law. 

CIPA defines key legal terms relevant to SDK tracking:

  • Pen Register: A device or process that records or decodes dialing, routing, addressing, or signaling information transmitted by an instrument or facility from which a wire or electronic communication is transmitted, but not the contents of a communication.
  • Trap and Trace Device: A device or process that captures the incoming electronic or other impulses that identify the originating number or other dialing, routing, addressing, or signaling information reasonably likely to identify the source of a wire or electronic communication, but not the contents of a communication.

The Southern District of California court's decision in Greenley v. Kochava set a major precedent in July 2023. The court gave CIPA's pen register provisions a broad interpretation to cover SDK tracking technologies. This ruling added momentum to claims against SDK providers who collect user data without clear consent, helping those claims move forward.

However, it is worth noting that CIPA’s interpretation varies across courts, emphasizing the need for SDK providers and app developers to implement robust privacy frameworks that comply with evolving judicial standards.

Federal Wiretap Act and Stored Communications Act

The Federal Wiretap Act and the Stored Communications Act (SCA) have both emerged as key legal avenues in SDK-related lawsuits. Plaintiffs frequently argue that SDK providers unlawfully intercept electronic communications without proper consent. To establish a violation under the Wiretap Act, claims typically demonstrate:

  1. Intentional interception of electronic communications in transit.
  2. Lack of user consent, as SDKs often operate in the background without explicit approval.
  3. Monetization or use of intercepted data, which may strengthen claims of harm or unauthorized exploitation.

The Wiretap Act governs the unauthorized interception of communications as they occur, while the SCA focuses on unauthorized access to stored electronic communications. SDK-related claims often hinge on whether data collection happens contemporaneously with transmission (Wiretap Act) or from stored records (SCA).

Washington My Health My Data Act

The Washington My Health My Data Act brings new requirements for SDK providers starting March 2024. SDK providers must get express consent to collect health data and could pay up to $25,000 for each violation.

One of the most prominent cases filed recently under the Federal Wiretap Act, the SCA, and the Washington My Health My Data Act is Cassaundra Maxwell v. Amazon.com, Inc., and Amazon Advertising.

Staying Ahead in SDK Privacy Litigation

The rise in SDK-related privacy litigation underscores the evolving regulatory and legal landscape in digital data collection. 

For plaintiff attorneys, these cases offer a growing avenue for challenging unauthorized data monetization. For defense attorneys, they present an opportunity to refine strategies that emphasize compliance and industry standards. 

With tools like Rain Intelligence providing early insights into upcoming litigation, both sides can better anticipate legal trends and adapt their strategies accordingly. As courts continue to address these issues, staying ahead of the legal curve remains essential for effective advocacy.
