GDPR Art. 28 requires a Data Processing Agreement with every third-party vendor that processes personal data on your behalf. Apple's Privacy Manifest requirement (since May 2024) means that any third-party SDK accessing protected APIs must be declared — if the SDK is not in your iOS privacy manifest, Apple rejects the submission. Google Play Data Safety requires disclosure of every SDK that collects or shares data, including the data types and purposes. An SDK that is configured to collect aggressively (e.g., full session replay, uncapped event logging) without a user-facing opt-out mechanism can create CCPA violations independently of your own app's consent UI — the SDK acts on your behalf, and its data collection is attributed to you.
Rated medium because an undisclosed data-handling SDK creates Google Play Data Safety inaccuracies and GDPR Art. 28 violations, but exploitation requires the SDK to actually transmit data — not merely be present in dependencies.
Audit every entry in package.json that handles user data and verify each is declared in your Google Play Data Safety form and iOS Privacy Manifest. Gate aggressive features behind consent checks.
// Gate third-party SDK initialization behind consent
import AsyncStorage from '@react-native-async-storage/async-storage'
import Analytics from 'analytics-sdk' // placeholder: your analytics vendor's module
import Crashlytics from 'crash-reporting-sdk' // placeholder: your crash-reporting vendor's module

// Must run in an async context; top-level await is not available in React Native app code
async function initThirdPartySdks() {
  const consent = await AsyncStorage.getItem('gdpr_consent')
  if (consent === 'accepted') {
    // Enable full analytics
    Analytics.init({ sessionReplay: true, eventSampling: 1.0 })
    Crashlytics.setCrashlyticsCollectionEnabled(true)
  } else {
    // Minimal or disabled: no consent stored (null) or any other value disables collection
    Analytics.init({ sessionReplay: false, eventSampling: 0 })
    Crashlytics.setCrashlyticsCollectionEnabled(false)
  }
}
Check each SDK's privacy manifest documentation: Firebase, Amplitude, Segment, and Braze all publish the required NSPrivacyAccessedAPITypeReasons codes you must include in ios/PrivacyInfo.xcprivacy.
ID: mobile-permissions-privacy.privacy-compliance.sdk-privacy
Severity: medium
What to look for: Count all third-party SDKs in package.json that handle data (analytics, ads, crash reporting, social SDKs). For each, classify whether it has a privacy policy, respects user consent, and is documented in the iOS privacy manifest (if applicable). Report: "X of Y data-handling SDKs are privacy-compliant."
Pass criteria: 100% of third-party data-handling SDKs are reputable, have privacy policies, and are configured to respect user consent/opt-out preferences. If a privacy manifest is required (iOS), it includes entries for all SDK API access.
Fail criteria: Any third-party SDK lacks privacy transparency, is configured to collect data aggressively without consent, or the iOS privacy manifest is missing entries for SDK API access.
Skip (N/A) when: App uses no third-party data-handling SDKs (no analytics, ads, crash reporting, or social SDKs in dependencies).
Detail on fail: Name the SDKs with privacy concerns. Quote the configuration. Example: "Analytics SDK configured with aggressive tracking enabled and no user opt-out" or "Firebase Crashlytics requires NSPrivacyAccessedAPITypes entry but iOS privacy manifest does not include it".
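As an added example (not part of this rule's own code), a small Node.js auditor that implements the check above: it counts the shipped data-handling dependencies in package.json, verifies each against the API categories declared in ios/PrivacyInfo.xcprivacy and against the SDKs listed on the Play Data Safety form, and produces the "X of Y" report. The SDK catalog, the version strings and both input files are constructed sample data; SDK_CATALOG, declaredApiCategories and auditSdkPrivacy are names chosen here, and the category each vendor actually requires must be taken from that vendor's documentation.

```javascript
// Hypothetical catalog: data-handling dependency -> API categories the vendor's docs
// say you must declare. Real entries come from each SDK's privacy manifest documentation.
const SDK_CATALOG = {
  '@react-native-firebase/crashlytics': ['NSPrivacyAccessedAPICategorySystemBootTime'],
  '@amplitude/analytics-react-native': ['NSPrivacyAccessedAPICategoryUserDefaults'],
  '@segment/analytics-react-native': ['NSPrivacyAccessedAPICategoryUserDefaults'],
}

// Collect every NSPrivacyAccessedAPICategory* value declared in PrivacyInfo.xcprivacy.
// A regex suffices because the manifest is a flat plist of <string> values.
function declaredApiCategories(plistXml) {
  const re = /<string>(NSPrivacyAccessedAPICategory\w+)<\/string>/g
  return new Set([...plistXml.matchAll(re)].map((m) => m[1]))
}

// Run the rule: each shipped dependency known to handle data needs both its iOS manifest
// categories and a Play Data Safety disclosure. devDependencies never ship, so they are ignored.
function auditSdkPrivacy(packageJson, plistXml, playDataSafetySdks) {
  const declared = declaredApiCategories(plistXml)
  const disclosed = new Set(playDataSafetySdks)
  const findings = []
  const sdks = Object.keys(packageJson.dependencies || {}).filter((d) => d in SDK_CATALOG)
  // Skip (N/A) case from the rule: no data-handling SDKs in dependencies
  if (sdks.length === 0) return { status: 'skip', total: 0, compliant: 0, findings, report: 'N/A: no data-handling SDKs' }
  for (const sdk of sdks) {
    const missing = SDK_CATALOG[sdk].filter((c) => !declared.has(c))
    if (missing.length) findings.push(`${sdk} requires ${missing.join(', ')} but ios/PrivacyInfo.xcprivacy does not declare it`)
    if (!disclosed.has(sdk)) findings.push(`${sdk} is not disclosed in the Google Play Data Safety form`)
  }
  const failing = new Set(findings.map((f) => f.split(' ')[0])) // package names contain no spaces
  const compliant = sdks.length - failing.size
  return {
    status: failing.size ? 'fail' : 'pass',
    total: sdks.length, compliant, findings,
    report: `${compliant} of ${sdks.length} data-handling SDKs are privacy-compliant`,
  }
}

// Constructed sample inputs (not a real project): the manifest declares only UserDefaults,
// and the Play form omits the Segment SDK, so two of the three SDKs fail.
const SAMPLE_PACKAGE_JSON = { dependencies: { react: '*', '@react-native-firebase/crashlytics': '*', '@amplitude/analytics-react-native': '*', '@segment/analytics-react-native': '*' }, devDependencies: { jest: '*' } }
const SAMPLE_PLIST = `<plist><dict><key>NSPrivacyAccessedAPITypes</key><array><dict>
<key>NSPrivacyAccessedAPIType</key><string>NSPrivacyAccessedAPICategoryUserDefaults</string>
<key>NSPrivacyAccessedAPITypeReasons</key><array><string>CA92.1</string></array></dict></array></dict></plist>`
const SAMPLE_PLAY_DISCLOSURES = ['@react-native-firebase/crashlytics', '@amplitude/analytics-react-native']

const result = auditSdkPrivacy(SAMPLE_PACKAGE_JSON, SAMPLE_PLIST, SAMPLE_PLAY_DISCLOSURES)
console.log(result.report, result.findings) // 1 of 3 data-handling SDKs are privacy-compliant
```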
Remediation: Evaluate third-party SDKs for privacy compliance and configure them to respect user preferences:
// Example: Configure analytics to respect user consent
import AsyncStorage from '@react-native-async-storage/async-storage'
import { initializeAnalytics } from 'analytics-sdk' // placeholder for your vendor's SDK

// Must run in an async context; top-level await is not available in React Native app code
async function configureAnalytics() {
  const userConsent = await AsyncStorage.getItem('userConsent')
  // Only a stored, explicit opt-in enables collection; a missing value (null) disables it
  if (userConsent === 'true') {
    initializeAnalytics({ enabled: true })
  } else {
    initializeAnalytics({ enabled: false })
  }
}