As of right now, any app maker catering to an American audience has a remarkable amount of latitude for collecting data. They can track mobile users by location at any time, whether or not the application is running; they can track how often people are using different apps; they can compile and analyze and sell all sorts of datasets -- and they never have to tell their users they're doing so. There is no such thing as mobile data transparency in the United States.
Contrast that to the pending implementation of the European Union's General Data Protection Regulation. Developed to strengthen individual citizens' rights to data privacy, and to simplify the regulation of data export outside the EU.
Among the tenets of the GDPR:
Citizens have the right to consent. The way the regulation is framed, citizens must explicitly consent both to data collection and the purpose for which the data is being collected.
Citizens have the right to request erasure of data when the data is found to privilege the data collector's business interests over any fundamental rights and freedoms of the data subject which require protection of personal data. (In other words, Google can't keep spitting up search results about an EU citizen that could endanger them.)
Know which citizens enjoy none of these rights? U.S. citizens. As our workforce grows increasingly reliant on a liquid computing environment where workers move between desktop, tablet and phone, we'll also be increasingly dependent upon app makers who are under no obligation to tell us what data they're collecting about us while we work.
In 2018, expect to see at least one story about the data being collected on users -- and most likely we'll get that story in one of two ways: When the app maker brags about how it used that data we didn't know it was collecting, or when a cracker brags about the ransom it gets when it invariably breaches the app maker's servers.