Prosecution Insights
Last updated: July 17, 2026
Application No. 18/490,344

SCANNING APPLICATION CODE TO DETECT AND CLASSIFY SDK DATA INTO DATA CATEGORIES

Final Rejection §102§103
Filed
Oct 19, 2023
Priority
Oct 20, 2022 — provisional 63/380,334
Examiner
MITCHELL, JASON D
Art Unit
2199
Tech Center
2100 — Computer Architecture & Software
Assignee
OneTrust LLC
OA Round
2 (Final)
55%
Grant Probability
Moderate
3-4
OA Rounds
1y 7m
Est. Remaining
87%
With Interview

Examiner Intelligence

Grants 55% of resolved cases
55%
Career Allowance Rate
352 granted / 635 resolved
At TC average
Strong +32% interview lift
Without
With
+31.5%
Interview Lift
resolved cases with interview
Typical timeline
4y 3m
Avg Prosecution
19 currently pending
Career history
660
Total Applications
across all art units

Statute-Specific Performance

§101
1.6%
-38.4% vs TC avg
§103
92.0%
+52.0% vs TC avg
§102
4.5%
-35.5% vs TC avg
§112
1.4%
-38.6% vs TC avg
Black line = Tech Center average estimate • Based on career data from 635 resolved cases

Office Action

§102 §103
Notice of Pre-AIA or AIA Status The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . Response to Arguments Rejections under 35 U.S.C. §101 Applicant’s arguments, see remarks, filed 2/2/26, with respect to 35 U.S.C. §101 have been fully considered and are persuasive. The rejections have been withdrawn. Specifically, the claims provide “an automated technical solution for identifying and categorizing data processing activities within application code, which enables developers and organizations to understand and manage data privacy implications of their software” addressing the problem that conventional cod-scanning tools generate large, confusing outputs that are hard to understand and navigate (see e.g. par. [0002]-]0005]), and thus provides an improvement to a technology or technological field. Rejection under 35 U.S.C. §102 Applicant's arguments have been fully considered but they are not persuasive. … This is fundamentally different from the claimed, "determining ... data categories for the one or more data processing activity components, wherein the data categories comprise data types or data processing purpose type corresponding to the one or more data processing activity components," at least because Barday, merely describes SDKs at a high level without determining "data types or data processing purpose type corresponding to the one or more data processing activity components." Barday discloses “In response to determining that the app is collection one or more specified types of personal data” (col. 52, lines 52-57). This refers to the exemplary types of “privacy-related attributes” (1)-(7) described at col. 52 lines 29-46. Accordingly Barday explicitly discloses determining data categories for the processing activities comprising data type or purpose of the activit(ies). Barday 's monitoring determines "whether the code has changed to add any additional privacy-related attributes." Barday et al., 53:53-62. This differs from tracking modifications to detected data processing activity components themselves. This claim language requires maintaining and comparing distinct sets of detected data processing activity components (e.g., SDK components, API components, or function call components) across different versions of the application code to identify what specific components have been added, removed, or modified between versions. Barday 's method differs from tracking modifications to detected data processing activity components themselves. Barday's approach monitors for changes in high-level privacy-related attributes, for example, whether the code uses location-based services, issues calls to third party software, accesses communications logs, uses cookies to track user behavior, or collects personal data. Barday et al., 52:28-43. These privacy-related attributes represent behavioral characteristics of the code as a whole, not specific data processing activity components that have been detected within the code. For example, if a first version of an application code includes SDK components from Company A and Company B, and a second version of the application code includes SDK components from Company A and Company C, the claimed invention would identify that the SDK component from Company B was removed and the SDK component from Company C was added. Barday's system, in contrast, may detect that the code still "issues calls to third party software" in both versions without identifying which specific third-party components have changed. Barday's attribute-level monitoring does not provide the granular component-level modification tracking recited in claim 11. The claim does not define what constitutes a “data processing activity component” in a way that would distinguish over Barday’s identified components. For example Barday’s “location based services” describe a component for processing data and thus a data processing component as claimed. The claim requires “identifying” sets but does not require “maintaining” those sets. Barday’s system identifies these sets of components and “maintains” the sets at least to the extent that the comparison can be made. The claim recites nothing that would require SDK components from third party companies. The applicant has misconstrued the claim scope and the prior art disclosure. Accordingly, at least without more, the arguments are unpersuasive. Claim Rejections - 35 USC § 102 In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA ) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status. The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action: A person shall be entitled to a patent unless – (a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention. Claim(s) 1-7, 10-20 is/are rejected under 35 U.S.C. 102(a)(1) as being anticipated by US 11,025,675 to Barday et al. (Barday). Claims 1 and 17: Barday discloses a computer-implemented method comprising: identifying, by processing hardware, an input application code (col. 52, lines 14-18 “use the location provided by the user to obtain the computer code”); based on a scan of the input application code, determining, by the processing hardware, one or more data processing activity components within the input application code (col. 52, lines 19-25 “determine a plurality of privacy-related attributes of the computer code … types of personal information the computer code collects and/or accesses”); and determining, by the processing hardware, data categories for the one or more data processing activity components, wherein the data categories comprise data types or data processing purpose type corresponding to the one or more data processing activity components (col. 52, lines 22-43 “types of personal information the computer code collects and/or accesses”). Claims 2 and 12: Barday discloses claims 1 and 11, further comprising determining the one or more data processing activity components by identifying a data processing component reference within the input application code, wherein a data processing activity component comprises a software development kit (SDK) component, an application programming interface (API) component, or a function call component (e.g. col. 52, lines 34-35 “issues calls to third party software”, col. 2, line 65-col. 3, line 2 “third party code includes … use of other software development kits (SDKs)”). Claim 3: Barday discloses the computer-implemented method of claim 1, further comprising determining the one or more data processing activity components by matching a namespace from the input application code to a detector specification entry, within a detector specification, indicating pairings between one or more namespaces and one or more data processing components, wherein the detector specification entry comprises at least one of the namespace, a scanning identifier for the namespace, a data processing description for the namespace, a data type, or a functionality type (col. 45, lines 38-43 “the URL of the website … and/or 3rd party SDKs”). Claim 4: Barday discloses the computer-implemented method of claim 1, further comprising determining the data categories for the one or more data processing activity components by: identifying a data type corresponding to a data processing activity component from the one or more data processing activity components (col. 52, lines 19-25 “determine a plurality of privacy-related attributes of the computer code … types of personal information the computer code collects and/or accesses”); and utilizing the data type to assign the data processing activity component with a data category (col. 52, lines 19-25 “determine a plurality of privacy-related attributes of the computer code … types of personal information the computer code collects and/or accesses”). Claim 5: Barday discloses the computer-implemented method of claim 3, wherein the data type comprises location data, cookie data, camera data, computing device data, demographic data, hit-level data, device usage data, or personal identifiable information data (col. 52, lines 22-43 “(1) uses location-based services … (5) accesses communication logs … (6) uses cookies … (7) collects personal data”). Claims 6 and 19: Barday discloses the computer-implemented method of claim 1, 17, further comprising determining the data categories for the one or more data processing activity components by: identifying a data processing purpose type corresponding to a data processing activity component from the one or more data processing activity components, wherein the data processing purpose type comprises utilization for application function, analytics, digital advertisement targeting, data aggregation, or debugging (e.g. col. 53, lines 1-2 “For what business reason is the data being collected”); and utilizing the data processing purpose type to assign the data processing activity component with a data category (col. 52, lines 19-25 “determine a plurality of privacy-related attributes of the computer code … types of personal information the computer code collects and/or accesses”, col. 53, lines 15-25 “communicated to one or more second users”). Claim 7: Barday discloses the computer-implemented method of claim 1, further comprising determining the data categories for the one or more data processing activity components by determining a source for a data processing activity component, wherein the source comprises an owner entity or a developer for the data processing activity component (col. 45, lines 38-43 “the URL of the website … and/or 3rd party SDKs”). Claim 10: Barday discloses the computer-implemented method of claim 1, further comprising generating a software profile for the input application code by: assigning the data categories for the one or more data processing activity components to a first version of the input application code (col. 52, lines 22-43 “types of personal information the computer code collects and/or accesses”); determining, from a second version of the input application code, additional data categories for additional data processing activity components (col. 55, lines 3-5 “compare the code that was obtained with a previously assessed version”); and assigning the additional data categories for the additional data processing activity components to the second version of the input application code (col. 55, lines 24-31 “privacy-related attributes that have changed or been added”, col. 52, lines 22-43 “types of personal information the computer code collects and/or accesses”, see e.g. fig. 21, 2120 “Access to phone photos”). Claim 11: Barday discloses a non-transitory computer-readable medium storing executable instructions which, when executed by a processing device, cause the processing device to perform operations comprising: identifying a set of detected data processing activity components within a first version of an input application code (col. 52, lines 22-43 “types of personal information the computer code collects and/or accesses”); scanning a second version of the input application code to identify an additional set of detected data processing activity components within the second version of the input application code (col. 55, lines 3-5 “compare the code that was obtained with a previously assessed version”); and determining data processing activity component modifications between the first version of the input application code and the second version of the input application code based on the set of detected data processing activity components and the additional set of detected data processing activity components (col. 55, lines 24-31 “privacy-related attributes that have changed or been added”, col. 52, lines 22-43 “types of personal information the computer code collects and/or accesses”, see e.g. fig. 21, 2120 “Access to phone photos”). Claim 13: Barday discloses the non-transitory computer-readable medium of claim 11, wherein the operations further comprise determining the data processing activity component modifications between the first version of the input application code and the second version of the input application code by identifying an addition or removal of a data processing activity component between the set of detected data processing activity components and the additional set of detected data processing activity components (col. 55, lines 24-31 “privacy-related attributes that have changed or been added”). Claim 14: Barday discloses the non-transitory computer-readable medium of claim 11, wherein the operations further comprise: identifying a set of data categories for the set of detected data processing activity components, wherein a data category comprises a data type or data processing purpose type corresponding to one or more data processing components from the set of detected data processing activity components (col. 52, lines 22-43 “types of personal information the computer code collects and/or accesses”); identifying an additional set of data categories for the additional set of detected data processing activity components (col. 55, lines 3-5 “compare the code that was obtained with a previously assessed version”); and determining data category modifications between the first version of the input application code and the second version of the input application code based on the set of data categories and the additional set of data categories (col. 55, lines 24-31 “privacy-related attributes that have changed or been added”). Claim 15: Barday the non-transitory computer-readable medium of claim 14, wherein the operations further comprise determining the data category modifications between the first version of the input application code and the second version of the input application code by identifying an addition or removal of a data category between the set of data categories and the additional set of data categories (col. 55, lines 24-31 “privacy-related attributes that have changed or been added”). Claim 16: Barday discloses the non-transitory computer-readable medium of claim 11, wherein the operations further comprise determining a number of added data processing activity components from the data processing activity component modifications (col. 57, lines 33-38 “here, only one attribute”). Claim 18: Barday discloses the system of claim 17, wherein the processing hardware is configured to cause the system to determine the data categories for the one or more data processing activity components by: identifying a data type corresponding to a data processing activity component from the one or more data processing activity components, wherein the data type comprises location data, cookie data, camera data, computing device data, demographic data, hit-level data, device usage data, or personal identifiable information data (col. 52, lines 22-43 “(1) uses location-based services … (5) accesses communication logs … (6) uses cookies … (7) collects personal data”); and utilizing the data type to assign the data processing activity component with a data category (col. 52, lines 22-43 “(1) uses location-based services … (5) accesses communication logs … (6) uses cookies … (7) collects personal data”). Claim 20: Barday discloses the system of claim 17, wherein the processing hardware is configured to cause the system to determine data categories for the one or more data processing activity components by: determining a first data category associated with a first set of data processing activity components from the one or more data processing activity components grouped by a first data type (col. 52, lines 22-43 “(1) uses location-based services … (5) accesses communication logs … (6) uses cookies … (7) collects personal data”); and determining a second data category associated with a second set of data processing activity components from the one or more data processing activity components grouped by a second data type (col. 55, lines 3-5 “compare the code that was obtained with a previously assessed version”). Claim Rejections - 35 USC § 103 In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA ) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status. The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action: A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made. Claim(s) 8-9 is/are rejected under 35 U.S.C. 103 as being unpatentable over US 11,025,675 to Barday et al. (Barday) in view of US 2024/0061332 to Golchehreh et al. (Golchehreh). Claim 8: Barday discloses the computer-implemented method of claim 1, but does not explicitly disclose determining the one or more data processing activity components from a call graph generated from the input application code, wherein the call graph comprises nodes indicating namespaces, class names, or method names within the input application code. Golchehreh teaches: determining the one or more data processing activity components from a call graph generated from the input application code, wherein the call graph comprises nodes indicating namespaces, class names, or method names within the input application code (par. [0036] “detects data of predefined types … with a call graph”). It would have been obvious at the time of filing to determining the components from a generated call graph. Those of ordinary skill in the art would have been motivated to do so as a known means of identifying such data access which would have produced only the expected results. Claim 9: Barday and Golchehreh teach the computer-implemented method of claim 8, further comprising utilizing the call :graph to assign a data processing activity component or a data category to a portion of the input application code (Barday col. 52, lines 19-25 “determine a plurality of privacy-related attributes, Golchehreh par. [0036] “detects data of predefined types … with a call graph”). Conclusion THIS ACTION IS MADE FINAL. Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a). A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. Any inquiry concerning this communication or earlier communications from the examiner should be directed to JASON D MITCHELL whose telephone number is (571)272-3728. The examiner can normally be reached Monday through Thursday 7:00am - 4:30pm and alternate Fridays 7:00am 3:30pm. Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Lewis Bullock can be reached at (571)272-3759. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. /JASON D MITCHELL/Primary Examiner, Art Unit 2199 Any inquiry concerning this communication or earlier communications from the examiner should be directed to JASON D MITCHELL whose telephone number is (571)272-3728. The examiner can normally be reached Monday through Thursday 7:00am - 4:30pm and alternate Fridays 7:00am 3:30pm. Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Lewis Bullock can be reached at (571)272-3759. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
Read full office action

Prosecution Timeline

Oct 19, 2023
Application Filed
Oct 01, 2025
Non-Final Rejection mailed — §102, §103
Feb 02, 2026
Response Filed
Jun 08, 2026
Final Rejection mailed — §102, §103 (current)

Precedent Cases

Applications granted by this same examiner with similar technology

Patent 12619519
APPARATUS AND METHOD FOR SIMULATED VIRTUAL COMPONENT DEVELOPMENT
2y 1m to grant Granted May 05, 2026
Patent 12591423
Determining a security patch for a cyberattack by executing simulations of different security protocols
2y 9m to grant Granted Mar 31, 2026
Patent 12585575
Auto-Complete Testing
2y 7m to grant Granted Mar 24, 2026
Patent 12572346
OTA MASTER, METHOD, AND NON-TRANSITORY STORAGE MEDIUM
3y 11m to grant Granted Mar 10, 2026
Patent 12561122
SOFTWARE PACKAGE UPDATE HANDLING
3y 11m to grant Granted Feb 24, 2026
Study what changed to get past this examiner. Based on 5 most recent grants.

Strategy Recommendation AI-generated — please review before filing

Get a prosecution strategy drawn from examiner precedents, rejection analysis, and claim mapping.
Typically takes 5-10 seconds — AI-generated, attorney review required before filing

Prosecution Projections

3-4
Expected OA Rounds
55%
Grant Probability
87%
With Interview (+31.5%)
4y 3m (~1y 7m remaining)
Median Time to Grant
Moderate
PTA Risk
Based on 635 resolved cases by this examiner. Grant probability derived from career allowance rate.

Sign in with your work email

Enter your email to receive a magic link. No password needed.

Personal email addresses (Gmail, Yahoo, etc.) are not accepted.

Free tier: 3 strategy analyses per month