GDPR In The Ad Tech Industry: Everything App Publishers Need To Know
What is GDPR?
Introduced on April 27th, 2016, by the European Union (EU), the General Data Protection Regulation (GDPR) is a data protection and privacy law that became enforceable on May 25th, 2018. It aims to protect the privacy of European citizens by giving them complete control over their personal information.
The 2019 Cambridge Analytica-Facebook incident brought more attention to GDPR as an essential step in protecting user privacy. The law holds controllers accountable for misusing user data and sets out punitive fines in Article 83: under GDPR, a company may be liable for a fine of up to 20 million euros for infringing the principles governing the processing of personal information.
Implication of GDPR
GDPR aims to give people more control over the personal information they share online. To make this possible, the law sets out four fundamental rights that you (app developers, data processors, or websites) must respect. The law aims to provide:
- Easy access to personal data - Every user is entitled to know, clearly and understandably, how their data is processed.
- Right to data portability - Users must be able to transfer their personal information from one service provider to another easily.
- Right to be forgotten - Users must be able to request deletion of their data by notifying their service provider through simple steps. Once a user exercises this right, the service provider must permanently delete the data from its database.
- Right to be informed of data breaches - Users must be informed about a personal data breach if and when it occurs. You must notify the national supervisory authority within 72 hours of identifying a data breach.
Preparing your app for GDPR compliance
GDPR takes the privacy of app users seriously and protects their rights thoroughly. This means you must revisit how you plan, develop, and manage your app to ensure you comply with the law. Although GDPR does not define a step-by-step process, it does set out general rules to follow while developing and publishing a mobile app.
Under the law, you are directly responsible for the security of users' personal data. The term 'personal data' refers to any information that identifies a person, including phone number, name, email address, username, location, and insights derived about them.
You must be more transparent and give users more control. This includes changing how you currently acquire, store, transfer, and use data. You must take every step to improve security and give users real-time access to their data. At the same time, you must document the complete history of changes to personal data, and transfers between the server and the app must be encrypted.
As an app owner, you must incorporate the following guidelines in your app design to offer the users complete control over their personal data.
- Relevance: Determine if your app requires all the information you are requesting.
- Consent: Inform users and obtain consent from them to collect their private information.
- Accountability: Answer all user queries about private data usage and sharing.
- Security: Encrypt personal user data and secure communication through HTTPS.
- Transparency: Inform your users about data breaches and security loopholes.
- Portability: Implement a protocol for data portability.
- Privacy: Destroy cookies and stop tracking user activity after they log out.
- Disclosure: Inform users when capturing location and IP address, or sharing data with third parties.
- Safety: Store user logs in an encrypted manner.
- Clarity: Create terms and conditions that can be easily understood and ensure the user reads them thoroughly.
- Erasure: Delete personal user data if they opt out of the service.
Furthermore, you must do the following to keep your app GDPR compliant.
1. Create apps based on Privacy by Design
According to Article 25 of the GDPR, Privacy by Design is a legal mandate. It is a concept that requires you to consider user privacy before starting to develop the app. Your app development initiatives should take steps to encourage user privacy from the outset rather than treating it as an afterthought.
2. Explicitly take users’ consent
Every app owner must request users to provide their consent to collect, use, and transfer personal data. A user, while opting in, must clearly understand the terms and conditions of personal data collection and usage.
If you are considering collecting user data in your mobile app, you must have an opt-in screen immediately after the app launches. The opt-in process should allow the user to consent to data collection, receive communication, and know where the data will be used.
For example, if you want to track user activity through Google Analytics, you must inform the user about it. At the same time, the user must be able to easily opt out of future communications and request deletion of their personal information. To be completely GDPR-compliant, apps must have a dedicated page that lets users opt out.
4. Respond to user requests
Under GDPR, you are legally required to tell users how you use their personal data if asked. To make your app compliant, you must create a mechanism for users to place a Subject Access Request. Once you receive such a request from a user, you must respond to it within a month. If it is a complicated request, you can take up to three months to respond.
Developing a system for Subject Access Requests is essential to stay compliant in the long term; without one, you would be breaking the privacy law and landing yourself in legal trouble.
5. Review all your third-party data processors
If you use an external data processor to analyze your app usage, you must disclose this explicitly. Be transparent with users about data transfer and processing and, at the same time, sign a detailed data processing agreement with the processor.
A documented agreement with your data processors is mandatory to comply with GDPR. This means you must ensure all third parties and SDKs associated with your app comply with GDPR. You will be held accountable in the case of a security breach.
6. Notify users about data breaches
As a data controller, you must notify all affected users and the supervisory authorities of a data breach within 72 hours. To do this, you will need to continuously monitor your data, identify risks, and plug loopholes. You must have a policy for informing users and taking the necessary steps to protect personal data if a breach occurs.
7. Encrypt all the stored data and external communications
Mobile apps must use HTTPS (SSL/TLS) for all interaction with external parties. When your app talks to websites or web servers to transfer personal data such as a username or password, that connection must be over HTTPS. All sharing of personal data must be encrypted, at all times.
Data must be stored safely, with appropriately encrypted backups, so that it is always secure. You must tell users explicitly how long this data will be retained, to give them control over their personal information.
8. Log all data collection activities in detail
Under Article 30 of the GDPR, you must record all data processing activities. Maintain a detailed record of every piece of data you collect through the mobile app or with the help of a third party, kept in a secure and comprehensive log that covers all the personal data collected, such as IP addresses, names, and email addresses.
Having collected this data, you should also justify to the user why you are collecting it, where you will store it, and for how long.
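As an added illustration of the bookkeeping that sections 4, 7 and 8 call for (this is constructed example code, not code from the original article or any real product): a small Python ledger that keeps an Article 30 style record of processing activities, refuses to store data the user has not consented to or that the declared purpose does not cover, answers a Subject Access Request with the response deadline the text gives, and erases a user on request while keeping the change history free of personal data. The names (PrivacyLedger, ProcessingActivity) and the 30/90-day approximations of "a month" and "three months" are assumptions.

```python
from dataclasses import dataclass
from datetime import timedelta
SAR_DAYS = 30          # "within a month", approximated in days (assumption)
SAR_COMPLEX_DAYS = 90  # "up to three months" for a complicated request (assumption)

@dataclass(frozen=True)
class ProcessingActivity:
    # One Article 30 style entry: what is collected, why, who receives it, how long it is kept
    purpose: str
    data_categories: tuple
    recipients: tuple
    retention_days: int

class PrivacyLedger:
    def __init__(self, activities):
        self.activities = {a.purpose: a for a in activities}
        self.consents = {}       # (user_id, purpose) -> date consent was given
        self.personal_data = {}  # user_id -> {field: value}
        self.audit = []          # history of changes, deliberately free of personal data

    def record_consent(self, user_id, purpose, given_on):
        if purpose not in self.activities:
            raise ValueError("consent requested for an undeclared purpose")
        self.consents[(user_id, purpose)] = given_on
        self.audit.append(("consent", purpose, given_on))

    def collect(self, user_id, purpose, field_name, value):
        # Consent and relevance checks before any personal data is stored
        if (user_id, purpose) not in self.consents:
            raise PermissionError("no consent on record for this purpose")
        if field_name not in self.activities[purpose].data_categories:
            raise ValueError("field not declared for this purpose")
        self.personal_data.setdefault(user_id, {})[field_name] = value
        self.audit.append(("collect", purpose, field_name))

    def subject_access_request(self, user_id, received_on, complex_request=False):
        # Everything the user is entitled to see, plus the date by which a reply is due
        purposes = sorted(p for (u, p) in self.consents if u == user_id)
        recipients = sorted({r for p in purposes for r in self.activities[p].recipients})
        due = received_on + timedelta(days=SAR_COMPLEX_DAYS if complex_request else SAR_DAYS)
        return {"data": dict(self.personal_data.get(user_id, {})),
                "purposes": purposes, "recipients": recipients, "respond_by": due}

    def erase(self, user_id, on):
        # Right to be forgotten: drop the data and consents; the audit keeps only the event
        self.personal_data.pop(user_id, None)
        for key in [k for k in self.consents if k[0] == user_id]:
            del self.consents[key]
        self.audit.append(("erasure", None, on))
        return user_id not in self.personal_data
```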
Apart from the steps above, you might need to appoint a data protection officer if you are a public authority or carry out large-scale monitoring, collection, or processing of personal data. If you are unsure how to make your app adhere to GDPR guidelines, you can always contact experts who have developed and launched GDPR-compliant apps.