More than 55 percent of all mobile apps may not comply with the new European privacy regulations and Google Play privacy policies that go into effect this spring, according to a report from SafeDK, a marketplace that monitors the use of software development kits (SDKs) in mobile apps.

The European Union’s General Data Protection Regulation goes into effect in Europe on May 25, and it strengthens the rights of individuals to control the use of their personal data. SafeDK’s latest report found that more than half of the hundreds of thousands of Android apps in the study used at least one SDK that accessed users’ private data. The most commonly accessed private data was a user’s location (26 percent), and the second was data about the apps installed on the user’s device (40 percent). Nearly 30 percent of the apps used an SDK that accessed a user’s contacts.

Herzliya, Israel-based SafeDK studied the apps and matched their use of more than 1,000 SDKs. More than 58 percent of ad network SDKs also accessed a user’s location. SafeDK said these mobile app companies will have to make code changes in the near future to comply with both the GDPR and Google Play requirements. They will also need to evaluate and monitor their third-party SDKs.

Image Credit: SafeDK

The average number of SDKs per mobile app is 18.5. Sports, dating, and shopping apps have been particularly busy adding more SDKs in the past quarter.

SafeDK said that integrating SDKs is important for mobile app companies. But those SDKs are often “black boxes” of third-party code that app publishers integrated into their apps. In the past few months, integrated SDKs have been sources of lawsuits about the collection of private user data from underage users.

And after May 25, the EU will require that users must be made aware that the information is taken or passed to third parties, they have the right to be “forgotten” (having all personal details deleted from servers), and more. Any violation could result in extremely high fines. Google also said it will start enforcing stricter regulations about private user data access. Starting in February, apps must only access information integral to their core functionality or provide information about the data being taken.

One of the examples Google gives of unnecessary private user data being accessed (and soon to be verboten) is access to the list of installed apps on a user’s device. This information is not guarded by any permission that user can grant or revoke, but is rather up for grabs, SafeDK said. The intention was to check for installed apps so they can communicate with one another whenever possible. However, it appears this information is being accessed for other purposes and far too often for Google’s liking.