
GDPR Compliance

bellissimo (Posts: 215, Registered Users)
Just interested in what steps, if any, people are taking to comply with the upcoming EU General Data Protection Regulation (GDPR), which is coming into effect on the 25th May 2018.

eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016R0679&from=EN

Any app devs based in the EU, or any non-EU devs who have EU users will need to comply, and I guess this covers most devs in practice.

There will be stricter rules as to what is now counted as 'personal data', which now includes things such as 'Advertiser ID', 'Vendor ID' and 'IP Address'. Therefore Analytics Services, Crash Reporters and Ad Networks, e.g. Fabric, Crashlytics, Firebase Analytics, AdMob, are all deemed to collect personal data and explicit consent will be required to continue using these. Again, I expect this to cover most serious apps.

As far as I can tell, apps will basically be required to ask users to explicitly 'opt in' on first use in order to partake in analytics, crash reporting and targeted ad serving. They will also need to provide means for opting out and possibly provide means of deleting data already collected.

Google have started sending out mails regarding this, but they are yet to provide many tools to deal with compliance, and seem to mostly be leaving it up to devs to sort out for themselves. I find this a little odd as you would think it is in their interests (especially for AdMob) that as many users consent as possible so that they get the maximum profit.

This seems to me like a serious change, and the fines for non-compliance are severe. It would be fair to assume that the majority of users would 'not' give consent when asked, which would have a severe impact on obtaining useful analytics, fixing bugs and will also impact on the profitability of ads if they are no longer targeted by the Advertising Id.

All in all, a real headache. The only possible loophole I can see is the 'legitimate interests' argument where you could claim that crash reporting and analytics are essential for the smooth running and maintenance of the app and should therefore be exempt from explicit consent.

Replies

  • savanna (Posts: 273, New Users)
    edited April 16

    If I had user accounts or any user generated data, particularly sensitive data, on servers I was responsible for, I'd look deeper into it. But my own circumstances are very vanilla, just Flurry and AdMob in my apps, which puts me into a very large common group.

    What they are asking for is onerous to the point of insanity, and as part of a huge group I can probably keep under the radar while I wait to see where this goes.

    Presumably it will be scaled back to some extent.
  • bellissimo (Posts: 215, Registered Users)
    Regarding the 'wait and see' argument, I agree with you to some extent. The only concern is if some users decide to try out the new rights to export or delete data, which could lead to some awkward questions being asked. If this is followed up by the users, then it could lead to some repercussions, but not sure how likely this is in practice.

    It seems to me like this is a re-run of the whole 'cookies consent' debacle, where users are asked a million times to consent to a cookie in return for a small privacy enhancement. This has the potential for a similar scope of annoyance, with hundreds of apps bombarding you with copious consent details and forcing you to agree or disagree.

    They seem to have finally come to their senses with regards to the cookies and are planning to let it be handled via the browser controls instead. Bear in mind this is several years after the fact, so I wouldn't hold your breath for any regulation changes in the short term (i.e. next five years).

    You would have thought they would have learned their lesson and insisted the platform providers introduce consent at an operating system level for things that most apps use as standard, such as analytics and crash data. I am not sure that the people who make up the EU legislation are the most tech savvy unfortunately.

    Personally I think I will go for a combo of 'wait and see' at the same time as having a release prepped with consent embedded, just in case.
  • tmongy (Posts: 99, New Users)
    bellissimo wrote: »
    Personally I think I will go for a combo of 'wait and see' at the same time as having a release prepped with consent embedded, just in case.

    I was thinking of that, but I couldn't figure out how I would implement it. It would be straightforward for analytics, if they don't consent I can switch it off.

    But where I'm stumped is for ad networks like AdMob, Chartboost, Unity Ads etc. If the user refuses to consent, I don't want to just switch off ads for them obviously. And as of now, the SDKs for these ad networks don't provide a way to show generic, non-personalized, non-targeted ads.

    I don't know if all these ad networks will be releasing new SDKs with these options. If they don't, then I don't see how I'm supposed to proceed.
  • bellissimo (Posts: 215, Registered Users)
    AdMob have stated they are going to provide a 'non-personalised' ad option. This has not been released yet though, so as you say it is not possible to proceed fully yet without turning ads off completely for non-consenters and losing income as a result.

    Google also plan to add options to Firebase Analytics for deletion of data, but this has also failed to appear yet.

    Also waiting for Google to give some guidance as to how exactly we are supposed to word the consent. It is required to name the third party services we are sending data to, along with contact details, how they use the data and probably more besides. Google say they are working with some European body to eventually provide some guidance, but again we are still waiting.



  • savanna (Posts: 273, New Users)
    edited April 17
    tmongy wrote: »
    as of now, the SDKs for these ad networks don't provide a way to show generic, non-personalized, non-targeted ads.

    I don't know if all these ad networks will be releasing new SDKs with these options.

    I only use AdMob, and the latest email from Google regarding this says that there will be an option in the future to only show non-targeted ads, so my hope is you could prevent user data collection on the server side with a simple switch.

    That will lead to some drop in revenue of course, as users by default will see untargeted ads.

    It's my guess that a consent from the user will be an optional thing to include, but you will need to do it to show targeted ads.


    On the analytics point, it might just be time to get rid of 3rd party analytics SDKs and rely on Apple. Their suite in iTunes is improving and you get some basic information there at this point, and that's only from users that consent... perhaps that consent will need to be more obvious in the future, but that's something Apple need to do something about at the OS level, not us. ... Although having said that, it might be our responsibility if they don't do that, this legislation is that crazy.

    My initial thought for indies is that we can be under the umbrella of Apple's and Google's reaction to this fairly comfortably, depending what data your app sends.


  • savanna (Posts: 273, New Users)
    edited April 17
    bellissimo wrote: »
    The only concern is if some users decide to try out the new rights to export or delete data, which could lead to some awkward questions being asked. If this is followed up by the users, then it could lead to some repercussions, but not sure how likely this is in practice.

    Where this legislation, in my view, enters batshit crazy land is in their definition of personal data. My guess is that most users won't know about any of this, and likely think of personal data as most people would, so things like name & address. Whereas the legislation talks about a username, or even 'behavior' as personal data.

    If your app doesn't send anything a reasonable person would term as 'personal data' I'd expect you don't have much cause for concern. You might get the odd user on the back of Facebook etc., wondering what you're collecting if they're particularly paranoid. Telling them it's not personal data as they would view it should be enough to assuage any concerns whipped up by this, I would have thought.


  • bellissimo (Posts: 215, Registered Users)
    savanna wrote: »
    It's my guess that a consent from the user will be an optional thing to include, but you will need to do it to show targeted ads.

    This is true, but at the moment we don't know what the difference in revenue will be between targeted and non-targeted ads. If it is terrible, then we will have no choice but to ask for consent.
    savanna wrote: »
    On the analytics point, it might just be time to get rid of 3rd party analytics SDKs and rely on Apple. Their suite in iTunes is improving and you get some basic information there at this point, and that's only from users that consent... perhaps that consent will need to be more obvious in the future, but that's something Apple need to do something about at the OS level, not us. ... Although having said that, it might be our responsibility if they don't do that, this legislation is that crazy.

    My initial thought for indies is that we can be under the umbrella of Apple's and Google's reaction to this fairly comfortably, depending what data your app sends.

    If you rely on Apple's analytics then they will definitely be responsible for GDPR as the data is not collected within your app.

    Interesting point, hadn't considered dropping the analytics altogether. It does mean though that you have no custom behaviour if you go that route. A lot of analytics is used for sending bespoke events to optimise things like user retention, maximising revenue and evaluating new features. Crash reporters also let you attach extra data to reports, which can be critical in tracking down particularly troublesome and intermittent problems.

    I can't help but think that this regulation will lead to poorer quality and more unreliable apps overall.
