Csdrhrt

If you don't agree with what the company is doing ethically, then you should probably quit asap.

If you think they are doing something illegal or in breach of regulations, then you may want to consider reporting them to the relevant authorities.

What I do in such situations. (had a situation where my employer did not want to buy some licenses of software we used commercially)

Step one: Make sure I get my facts straight and have evidence of my claim.

Step two: Make management aware of the Problem. Leave a paper-trail of doing so. Assume no malice and make no accusations. Just describe the Problem and offer a solution.

Step tree: After some time, ask if action has been taken. If not ask for a timeline. Again, leave a paper-trail.

If it gets clear to you no action will be taken, think about

A. Do you want to keep working there?

B. Do you want to / have to report this to the police etc. I´d ask a lawyer about this.

The thinking is (in my jurisdiction, Germany) you have the obligation to protect your employer from harm. You also have the obligation not to break the law. So the first step if your employer is doing something (unintentionally?) unlawful, would be to make them aware of that. If they decide to take no action, and you make their misconduct public, harm is not on you, but on them, since they ignored you.

If you want to keep working there or not is up to you. Either way, be prepared to be fired immediately, especially if they do violate the rules intentionally. An never knowingly contribute to any unlawful conduct yourself.

Do I have to concern about being accused by the government?

If you have to ask the question the answer is probably "yes", but I am not a lawyer.

You're deep into "flee right now" territory.

Get a lawyer. Yesterday. They can help you navigate local laws. They can tell you if anything you did was complicit or illegal. They can help you mitigate that if you are. And they can help you navigate whistleblowing.

What you need now more than anything is legal help and a well-informed exit strategy.

You need to quit, and then you need to blow a whistle. Get on Twitter or snitch really hard to whichever government agency would do something about this. Ethics exist for a reason.

A speculation over the legality of such actions has reminded me to advise you to get a lawyer to check to see if whistle blowing is legal in your situation.

Why have websites all had popups about cookies for the last year? What is the last Supreme Court ruling in this area? You don't know? Ok. Take some perspective here and embrace the fact that you are not a lawyer, not a compliance officer, and not even very experienced in this sort of thing. Your concerns are fair but you're "in over your head" legally as to what to do.

Harvesting contacts by logging into their email is rude in my opinion, but it's also gold standard - Facebook does it, Linkedin does it, Twitter does it, everybody does it. No legal issue there. You could try to make an issue, but you'll have to "make new law*" in that area, and you would be a legal superhero if you pulled it off.

Deleting the data on request is fair.

"soft delete", that really is a matter of what happens next. It may be reasonable, for load-balancing reasons, to flip a "soft delete" bit, then have a scrubber process run nightly or weekly that looks for accounts with soft-delete set, and does hard-delete on the data. Delaying that delete a few days is also reasonable where users tend to "rage-quit", delete their account and then regret it and want it restored.

As far as logging user location, that is a side-effect of logging IP address, and that is the first thing any web log records; again gold standard. And very helpful for troubleshooting and abuse prevention reasons. If you mean "using the app to get their GPS geolocation" the user consented to that, and that consent is enforced by the phone OS because they know developers can't be trusted.

So when you look at all that in balance, there are obviously a lot of fine distinctions and other gotchas in this entire area of practice. It isn't clear. What's clear is You need to become much more of an expert on these subjects than you presently are.

So instead of asking "How can I report", you should be asking "How can I distinguish exactly what is legal and proper, and what is not?", or on a case by case basis, "My company is doing X. Is that OK?" For this you should be turning to security and privacy experts.

* "make new law" is slang for having a legal case with a unique enough situation that an appeals court decides and makes it precedent. You must a) sue someome, b) have the case turn on a a question not yet resolved in legislative law or case law, c) lose so you can d) appeal the case on up into the appeals system (or win and convince the opponent to appeal), then e) win at appeal, and f) convince the appeals court that their decision is unique and solid enough to publish as a precedent. I know someone who did this; he is an aggressive, malicious [censored] and that's kinda what it takes.