
TSB Android App uses external trackers

I run an ad blocker on my home network and it seems that the TSB Android banking app requires access to two external sites that are normally used for various devious tracking/logging purposes, namely tags.tiqcdn.com and csi.gstatic.com. With access to either of these blocked the app will not run.

I would have thought that accessing sites like this, which I believe are US based, from the banking app, would require my permission under the GDPR. Any comments anyone?

Comments

  • You would agree to it when downloading and installing the app
  • masonic
    masonic Posts: 27,158 Forumite
    Depends on the usage. For example csi.gstatic.com may be used to display google maps (perhaps to show you nearby branches) and tealium tag management (tags.tiqcdn.com) can be used for live chat. It's not good to make the whole app fail if those domains can't be reached.
  • Lomcevak
    Lomcevak Posts: 1,026 Forumite
    clanlaw wrote: »
    I would have thought that accessing sites like this, which I believe are US based, from the banking app, would require my permission under the GDPR. Any comments anyone?


    It's made (fairly) clear in their privacy policy, which looks ok from a GDPR point of view to me. It says what they do with the information - although it's not the most clear explanation that I've seen, it says they collect information so that you can see 'relevant' adverts on other sites - and I'm guessing you've consented to it at some point when you downloaded the app. Personally I'd prefer my bank didn't try to use me to target adverts, but that's a separate issue...


    The privacy policy says that you can object by contacting the "Data Rights Team" so I guess you could try that, although if they can't respond to a complaint in two months I doubt they're responding to much else either.
  • I work for a company that helps mobile developers integrate GDPR compliance into their apps.

    It could be the case that contacting third-party servers is a violation of GDPR here, but only if the app is passing personally identifiable information to those servers. Now, this doesn't have to be stuff like email address or username. Even if they are passing GPS coordinates, or the identifier of the device in order to show ads, etc, that's personally identifiable data for which they do need to request your permission to collect and pass on.

    However, if they aren't sending any personally identifiable information to those servers - such as may be the case if they are using those services for error monitoring or performance monitoring or some other way, then no, they don't need to have your consent to do so.

    Also note that GDPR doesn't allow for your consent to be automatically bundled into their EULA or terms of use or privacy policy or anything like that - if you didn't explicitly give consent to a piece of data being collected, they don't have that consent, as far as GDPR is concerned.

    Andrew
  • andrewCM wrote: »
    I work for a company that helps mobile developers integrate GDPR compliance into their apps.

    It could be the case that contacting third-party servers is a violation of GDPR here, but only if the app is passing personally identifiable information to those servers. Now, this doesn't have to be stuff like email address or username. Even if they are passing GPS coordinates, or the identifier of the device in order to show ads, etc, that's personally identifiable data for which they do need to request your permission to collect and pass on.

    However, if they aren't sending any personally identifiable information to those servers - such as may be the case if they are using those services for error monitoring or performance monitoring or some other way, then no, they don't need to have your consent to do so.

    Also note that GDPR doesn't allow for your consent to be automatically bundled into their EULA or terms of use or privacy policy or anything like that - if you didn't explicitly give consent to a piece of data being collected, they don't have that consent, as far as GDPR is concerned.

    Andrew

    Pretty sure you can't advertise/promote your company in your signature...
  • clanlaw
    clanlaw Posts: 7 Forumite
    Thanks all for the input. I need to do some more research.
  • clanlaw
    clanlaw Posts: 7 Forumite
    Lomcevak wrote: »
    It's made (fairly) clear in their privacy policy, which looks ok from a GDPR point of view to me. It says what they do with the information - although it's not the most clear explanation that I've seen, it says they collect information so that you can see 'relevant' adverts on other sites - and I'm guessing you've consented to it at some point when you downloaded the app. Personally I'd prefer my bank didn't try to use me to target adverts, but that's a separate issue...

    Thanks @Lomcevak, can you point out where you saw this in the privacy policy? In the T&C when installing the app it says the privacy T&C is at tsb.co.uk/privacy and I can't see any reference to adverts in that document. I can't see any ref to adverts in the app terms either.
  • Lomcevak
    Lomcevak Posts: 1,026 Forumite
    I only skimmed it, but e.g. this bit from https://www.tsb.co.uk/privacy/#3_Why_we_use_your_information-1490865537398-content
    If you use our online services, when you are logged in we'll aim to give you a personal service so that you see information relevant to you. This will include details of our products that we think will be of interest to you.

    When you log in to other secure websites, you may also see TSB advertisements we think may interest you. You can object to this by contacting our Data Rights Team. This means you'll experience more general webpages. You won't see fewer advertisements, and the pages and ads may be less relevant to you.
    Like I said, it's not as explicitly clear as it could be, but I think they'd argue that they've done enough to claim legitimate interest and/or consent under GDPR. Wording like "so that you see information relevant to you" and especially the "you won't see fewer advertisements, and the pages and ads may be less relevant to you" are very standard tracking and ad-targeting phrases that you see time and time again.
  • clanlaw
    clanlaw Posts: 7 Forumite
    @Lomcevak that seems to me to be only talking about serving ads for TSB products, so I don't see why that would need access to the sites mentioned.
  • masonic
    masonic Posts: 27,158 Forumite
    edited 3 August 2018 at 6:17PM
    clanlaw wrote: »
    @Lomcevak that seems to me to be only talking about serving ads for TSB products, so I don't see why that would need access to the sites mentioned.
    Did you read the second paragraph? When you are using other websites they want to be able to target you with TSB ads, presumably restricting these to products you don't already have. To do that, they'd definitely need a third party tracking service.
This discussion has been closed.