Apple has reportedly issued an ultimatum to companies that rely on "session replay" tools to track the way users interact with their iPhone apps: disclose the practice and seek explicit consent for it, or be removed from the App Store.
Apple's mandate comes after a TechCrunch report last Wednesday revealed that Air Canada, Hollister, Expedia, Singapore Airlines, Abercrombie & Fitch, Hotels.com and other brands have been using code that records users' screens as they interact with their apps, allowing the companies to view these sessions later to evaluate the overall experience. None of the apps evaluated for the report sought permission for, or even referenced, this activity.
"Your app uses analytics software to collect and send user or device data to a third party without the user's consent," says an email Apple sent to companies using the session replay technology – developed by customer experience firm Glassbox. "Apps must request explicit user consent and provide a clear visual indication when recording, logging, or otherwise making a record of user activity," the email continues, according to TechCrunch, in a follow-up to its original report.
App developers were reportedly given less than a day to comply by removing the controversial code and resubmitting their apps.
According to the exposé, at least one company using Glassbox – Air Canada – failed to properly mask its session replays. Consequently, sensitive customer information such as credit card data and password numbers was not properly redacted, and thus was visible to employees reviewing the recorded user sessions.
Glassbox's technology also works with Android versions of apps; however, Google did not immediately respond to TechCrunch's request for comment.
Other companies offering similar mobile experience technologies include Appsee and UXCam.
"Glassbox and its customers are not interested in 'spying' on consumers. Our goals are to improve online customer experiences and to protect consumers from a compliance perspective," said Glassbox in an official statement provided to SC Media. "We firmly believe that our customers should have clear policies in place so that consumers are aware that their data is being recorded – just as contact centers inform users that their calls are being recorded."
Furthermore, Glassbox said that in order to address global privacy concerns, it "plans to implement development changes and improve the user opt-in methodologies contained within the Glassbox solution and work with Glassbox customers to configure the same within their user subscription processes. In addition, Glassbox intends to increase the contractual compliance accountability of its clients by requiring its customers to certify compliance on a semi-regular basis or risk suspension/termination."