
GDPR Compliance

bellissimo Posts: 232, Registered Users
Just interested in what steps, if any, people are taking to comply with the upcoming EU General Data Protection Regulation (GDPR), which is coming into effect on the 25th May 2018.

eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016R0679&from=EN

Any app devs based in the EU, or any non-EU devs who have EU users will need to comply, and I guess this covers most devs in practice.

There will be stricter rules as to what is now counted as 'personal data', which now includes things such as 'Advertiser ID', 'Vendor ID' and 'IP Address'. Therefore Analytics Services, Crash Reporters and Ad Networks, e.g. Fabric, Crashlytics, Firebase Analytics, AdMob, are all deemed to collect personal data and explicit consent will be required to continue using these. Again, I expect this to cover most serious apps.

As far as I can tell, apps will basically be required to ask users to explicitly 'opt in' on first use in order to partake in analytics, crash reporting and targeted ad serving. They will also need to provide means for opting out and possibly provide means of deleting data already collected.

Google have started sending out mails regarding this, but they are yet to provide many tools to deal with compliance, and seem to mostly be leaving it up to devs to sort out for themselves. I find this a little odd as you would think it is in their interests (especially for AdMob) that as many users consent as possible so that they get the maximum profit.

This seems to me like a serious change, and the fines for non-compliance are severe. It would be fair to assume that the majority of users would 'not' give consent when asked, which would have a severe impact on obtaining useful analytics, fixing bugs and will also impact on the profitability of ads if they are no longer targeted by the Advertising Id.

All in all, a real headache. The only possible loophole I can see is the 'legitimate interests' argument where you could claim that crash reporting and analytics are essential for the smooth running and maintenance of the app and should therefore be exempt from explicit consent.


Replies

  • savanna Posts: 275, New Users
    edited April 16

    If I had user accounts or any user generated data, particularly sensitive data, on servers I was responsible for I'd look deeper into it. But my own circumstances are very vanilla, just Flurry and AdMob in my apps, which puts me into a very large common group.

    What they are asking for is onerous to the point of insanity, and as part of a huge group I can probably keep under the radar while I wait to see where this goes.

    Presumably it will be scaled back to some extent.
  • bellissimo Posts: 232, Registered Users
    Regarding the 'wait and see' argument, I agree with you to some extent. The only concern is if some users decide to try out the new rights to export or delete data, which could lead to some awkward questions being asked. If this is followed up by the users, then it could lead to some repercussions, but not sure how likely this is in practice.

    It seems to me like this is a re-run of the whole 'cookies consent' debacle, where users are asked a million times to consent to a cookie in return for a small privacy enhancement. This has the potential for a similar scope of annoyance, with hundreds of apps bombarding you with copious consent details and forcing you to agree or disagree.

    They seem to have finally come to their senses with regards to the cookies and are planning to let it be handled via the browser controls instead. Bear in mind this is several years after the fact, so I wouldn't hold your breath for any regulation changes in the short term (i.e. next five years).

    You would have thought they would have learned their lesson and insisted the platform providers introduce consent at an operating system level for things that most apps use as standard, such as analytics and crash data. I am not sure that the people who make up the EU legislation are the most tech savvy unfortunately.

    Personally I think I will go for a combo of 'wait and see' at the same time as having a release prepped with consent embedded, just in case.
  • tmongy Posts: 105, New Users
    bellissimo wrote: »
    Personally I think I will go for a combo of 'wait and see' at the same time as having a release prepped with consent embedded, just in case.

    I was thinking of that, but I couldn't figure out how I would implement it. It would be straightforward for analytics, if they don't consent I can switch it off.

    But where I'm stumped is for ad networks like AdMob, Chartboost, Unity Ads etc... If the user refuses to consent, I don't want to just switch off ads for them obviously. And as of now, the SDKs for these ad networks don't provide a way to show generic, non-personalized, non-targeted ads.

    I don't know if all these ad networks will be releasing new SDKs with these options. If they don't, then I don't see how I'm supposed to proceed.
  • bellissimo Posts: 232, Registered Users
    AdMob have stated they are going to provide a 'non-personalised' ad option. This has not been released yet though, so as you say it is not possible to proceed fully yet without turning ads off completely for non-consenters and losing income as a result.

    Google also plan to add options to Firebase Analytics for deletion of data, but this has also failed to appear yet.

    Also waiting for Google to give some guidance as to how exactly we are supposed to word the consent. It is required to name the third party services we are sending data to, along with contact details, how they use the data and probably more besides. Google say they are working with some European body to eventually provide some guidance, but again we are still waiting.

  • savanna Posts: 275, New Users
    edited April 17
    tmongy wrote: »
    as of now, the SDKs for these ad networks don't provide a way to show generic, non-personalized, non-targeted ads.

    I don't know if all these ad networks will be releasing new SDKs with these options.

    I only use AdMob, and the latest email from Google regarding this says that there will be an option in the future to only show non-targeted ads, so my hope is you could prevent user data collection on the server side with a simple switch.

    That will lead to some drop in revenue of course, as users by default will see untargeted ads.

    It's my guess that a consent from the user will be an optional thing to include, but you will need to do it to show targeted ads.

    On the analytics point, it might just be time to get rid of 3rd party analytics SDKs and rely on Apple. Their suite in iTunes is improving and you get some basic information there at this point, and that's only from users that consent... perhaps that consent will need to be more obvious in the future, but that's something Apple need to do something about at the OS level, not us. ... Although having said that it might be our responsibility if they don't do that, this legislation is that crazy.

    My initial thought for indies is that we can be under the umbrella of Apple's and Google's reaction to this fairly comfortably, depending what data your app sends.
  • savanna Posts: 275, New Users
    edited April 17
    bellissimo wrote: »
    The only concern is if some users decide to try out the new rights to export or delete data, which could lead to some awkward questions being asked. If this is followed up by the users, then it could lead to some repercussions, but not sure how likely this is in practice.

    Where this legislation, in my view, enters batshit crazy land is in their definition of personal data. My guess is that most users won't know about any of this, and likely think of personal data as most people would, so things like name & address. Whereas the legislation talks about a username, or even 'behavior' as personal data.

    If your app doesn't send anything a reasonable person would term as 'personal data' I'd expect you don't have much cause for concern. You might get the odd user on the back of Facebook etc, wondering what you're collecting if they're particularly paranoid. Telling them it's not personal data as they would view it should be enough to assuage any concerns whipped up by this, I would have thought.
  • bellissimo Posts: 232, Registered Users
    savanna wrote: »
    It's my guess that a consent from the user will be an optional thing to include, but you will need to do it to show targeted ads.

    This is true, but at the moment we don't know what the difference in revenue will be between targeted and non-targeted ads. If it is terrible, then we will have no choice but to ask for consent.
    savanna wrote: »
    On the analytics point, it might just be time to get rid of 3rd party analytics SDKs and rely on Apple. Their suite in iTunes is improving and you get some basic information there at this point, and that's only from users that consent... perhaps that consent will need to be more obvious in the future, but that's something Apple need to do something about at the OS level, not us. ... Although having said that it might be our responsibility if they don't do that, this legislation is that crazy.

    My initial thought for indies is that we can be under the umbrella of Apple's and Google's reaction to this fairly comfortably, depending what data your app sends.

    If you rely on Apple's analytics then they will definitely be responsible for GDPR as the data is not collected within your app.

    Interesting point, hadn't considered dropping the analytics altogether. It does mean though that you have no custom behaviour if you go that route. A lot of analytics is used for sending bespoke events to optimise things like user retention, maximising revenue and evaluating new features. Crash reporters also let you attach extra data to reports, which can be critical in tracking down particularly troublesome and intermittent problems.

    I can't help but think that this regulation will lead to poorer quality and more unreliable apps overall.

  • iekei Posts: 614, Registered Users
    The e-mail Google sent today doesn't make much sense either.
  • tmongy Posts: 105, New Users
    iekei wrote: »
    The e-mail Google sent today doesn't make much sense either.

    Yeah was just reading it; didn't make anything clearer. I still don't understand if we have to integrate a new SDK or if it will be something you can control from the dashboard. It's all a bit of a mess right now :neutral:
  • dev666999 Posts: 3,632, New Users
    bellissimo wrote: »
    This seems to me like a serious change, and the fines for non-compliance are severe.

    Yes, this is a major headache for developers.

    But how can the EU fine USA developers?

    If the penalties are huge, there is no way to collect from USA developers.

    I guess they can complain to Apple and get the app banned, or Apple will do the tests and not allow new apps that do not comply to pass review.
  • bellissimo Posts: 232, Registered Users
    tmongy wrote: »
    iekei wrote: »
    The e-mail Google sent today doesn't make much sense either.

    Yeah was just reading it; didn't make anything clearer. I still don't understand if we have to integrate a new SDK or if it will be something you can control from the dashboard. It's all a bit of a mess right now :neutral:

    I believe there are SDK changes to come (for AdMob at least). From what I can glean, the new SDK will give you a 'non-personalised' ads options. You can then optionally ask the user if they want personalised or non-personalised ads.

    If you don't ask them, then you will need to show them non-personalised ads.

    Even if you decide to show non-personalised ads, the Advertising Id is going to be used for ad measurement and anti-fraud purposes. So you will still need to ask them to agree to this usage. This is to satisfy the ePrivacy Directive more than the GDPR, so I don't think it requires explicit consent. You are basically letting them know and they can choose not to use the app if they disagree. An example is shown here:

    https://cookiechoices.org/
  • bellissimo Posts: 232, Registered Users
    edited April 27
    dev666999 wrote: »
    bellissimo wrote: »
    This seems to me like a serious change, and the fines for non-compliance are severe.

    But how can the EU fine USA developers?

    If the penalties are huge, there is no way to collect from USA developers.

    I guess they can complain to Apple and get the app banned, or Apple will do the tests and not allow new apps that do not comply to pass review.

    There are treaties in place which could allow for fines to be collected and action to be taken against US companies. We won't really know how this may work in practice till it is in place though.

    Apple seem to be setting themselves up as very privacy focused these days, so they may be more than willing to set an example to apps which do not comply.

  • dev666999 Posts: 3,632, New Users
    bellissimo wrote: »
    dev666999 wrote: »
    bellissimo wrote: »
    This seems to me like a serious change, and the fines for non-compliance are severe.

    But how can the EU fine USA developers?

    If the penalties are huge, there is no way to collect from USA developers.

    I guess they can complain to Apple and get the app banned, or Apple will do the tests and not allow new apps that do not comply to pass review.

    There are treaties in place which could allow for fines to be collected and action to be taken against US companies. We won't really know how this may work in practice till it is in place though.

    Apple seem to be setting themselves up as very privacy focused these days, so they may be more than willing to set an example to apps which do not comply.

    Looks like Apple will most likely be the enforcer. Which will make passing review that much more difficult.

    As for the EU collecting the fines, even with the treaty, they will have a hard time collecting it.

    For example, I set up an LLC for my apps. The LLC gets hit with the fines from the EU. To avoid paying, my LLC then declares bankruptcy. Once bankruptcy is filed, the EU is out of luck, based on USA law. Of course you would not keep significant assets inside your LLC, which is the case for most developers.
  • iekei Posts: 614, Registered Users
    To know whether or not a user is in the EEA and allow them to opt-out, the app will require the user to opt-in by enabling Location Services for that app.
  • bellissimo Posts: 232, Registered Users
    dev666999 wrote: »
    Of course you would not keep significant assets inside your LLC, which is the case for most developers.

    I expect LLCs operate differently in the US, but in the UK at least the other way round is more likely to be true for small companies. Drawing excessive money out of the company generally incurs very heavy taxes, so better to keep the money in the company if possible and either invest it through the company, or draw it out only as and when needed. Fines are likely to be in proportion to your ability to pay them though. The big 'headline' fines will be reserved for the big fish they are really after and who have unlimited funds to pay them.

    Data privacy is a hot topic at the moment, so it makes sense for companies like Apple to position themselves as being big on privacy and I would be surprised if the app review guidelines do not change to reflect that. Google have also started sending out stricter rules for compliance. They even started removing a small number of apps from the store recently because they had Crashlytics installed but did not ask for consent to send the crash data.



  • bellissimo Posts: 232, Registered Users
    iekei wrote: »
    To know whether or not a user is in the EEA and allow them to opt-out, the app will require the user to opt-in by enabling Location Services for that app.

    The whole topic of who counts as 'resident' in the EU seems to be hotly debated, and is only vaguely defined in the legislation. It almost certainly won't get resolved until the first cases come to court.

    Not that there is a practical way of reliably finding out anyway.
  • savanna Posts: 275, New Users
    edited April 30
    bellissimo wrote: »
    I believe there are SDK changes to come (for AdMob at least). From what I can glean, the new SDK will give you a 'non-personalised' ads options. You can then optionally ask the user if they want personalised or non-personalised ads.

    If you don't ask them, then you will need to show them non-personalised ads.

    This was my interpretation also, pretty much.

    My best guess is that what is served, personalised or non-personalised, can be determined on the server side as a blanket rule across all your apps.

    From reading their site linked to in their email, it sounds like a new SDK will include a consent request of some form, and you'll need to include/call that in your app before google will then send that app personalised ads.

    They'll need to deal with apps that don't update their SDK, and that is why I think there will be a default server side setting of sending only non-personalised ads. If you want personalised ads you'll need to update your app with the new SDK and call the form asking for permission, and only if the user agrees will google then send personalised ads to that installation of your app.

    I'm not sure how else they could do it.

    The location point is a mystery to me. Will they ask the OS for permission to use location information with every new app install that carries their SDK? That's a poor user experience and will happen on many many apps. How else could they know? Might they just default to assuming everywhere is in the EU? I don't know how that will play out.

    I'm not planning on updating my apps, since that alone has its own issues and potential costs depending how review goes! I expect my AdMob ads will only show non personalised from the 25th May. I'll wait and see how that affects revenue.

    Of course even if you update your SDK and ask permission, I don't see many users agreeing to it, particularly when combined with location permission, so we might need to get used to smaller ad revenue in future. As will google and the rest of the online ad industry...

  • bellissimo Posts: 232, Registered Users
    I fear you may be being a bit hopeful in your assumptions. Google seem keen for developers to handle consent themselves and I was not expecting any consent forms to be provided (where did you see this?). Whether they provide a server side switch remains to be seen (though this would be sensible), but I have not seen this mentioned, only an SDK change.

    Either way, I very much doubt they will be requiring location permission or doing the 'EU resident' check themselves, that will be up to you. If you are based in the EU, then it does not matter so much anyway since the GDPR will apply to 'all' your users regardless of location. If you are outside the EU then you are less affected and checking the device 'Region' would probably catch 95% of EU users.

    This is a big old change and will certainly affect Google's revenue to some degree. I would have thought they will wait and see the extent of the damage, and no doubt some new GDPR compliant ad serving strategies will emerge which will increase revenue again.
  • EarlyRiser Posts: 3, New Users
    edited May 2
    Anyone seen this:

    https://developers.google.com/admob/ios/eu-consent#google_rendered_consent_dialog

    I didn't get an email about it but a link to it was added to:

    https://support.google.com/admob/answer/7666366

    next to: "A consent gathering tool for mobile apps, via an SDK"

    Anyway, these links should answer a lot of questions.
  • iekei Posts: 614, Registered Users
    Obtaining user consent at every app launch, that sure is going to make people happy.
  • EarlyRiser Posts: 3, New Users
    You just get the consent once and then call an API at each launch to check on the consent status.
  • iekei Posts: 614, Registered Users
    "When using the Consent SDK, it is recommended that you determine the state of a user's consent at every app launch."
  • tmongy Posts: 105, New Users
    EarlyRiser wrote: »

    Thanks for sharing this didn't see it before. I was reading through it but there are a couple of things I don't understand:

    1. Important: The Google-rendered consent dialog is not supported if the number of ad technology providers in your list of web properties exceeds 12. To collect consent for more than 12 ad technology providers, you must use the Publisher-managed consent collection option. Attempting to load a Google-rendered consent dialog with more than 12 ad technology providers will always fail.

    What is meant by "ad technology providers" here? Do they mean other ad sdks (Chartboost, Unity Ads, etc..) ? If so, does this mean this consent form can be used for all the ad networks used in the app?


    2. When calling requestInfoUpdateForWebProperties:completionHandler: on launch, the returned PACConsentStatus can be PACConsentStatusNotEEA. Does this mean that the SDK automatically checks the device region and returns PACConsentStatusNotEEA if the user is not in the EU? Just wondering if we need to do this check manually or not.
  • iekei Posts: 614, Registered Users
    Then how is it revoked, if not given as an option on each and every app launch? From a tiny button next to the ad?
  • tmongy Posts: 105, New Users
    iekei wrote: »
    "When using the Consent SDK, it is recommended that you determine the state of a user's consent at every app launch."

    Determining the state of consent on every app launch is just calling requestInfoUpdateForWebProperties:completionHandler:. It doesn't mean you have to present the consent form on every launch.
    iekei wrote: »
    Then how is it revoked, if not given as an option on each and every app launch? From a tiny button next to the ad?

    The documentation says: "To allow users to update their consent, simply repeat the steps outlined in the Collect consent section when the user chooses to update their consent status."

    You can have a button in the app's settings menu or something, that when clicked would launch the consent form again so the user can update their choice.
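The launch-time flow the last two replies describe (refresh the consent state at every launch, present the dialog only when the answer is still unknown for an EEA user, and reopen the same form from a Settings button so the user can change their choice) as an added Swift example; this is not code from the thread or from Google's documentation. It assumes the released PersonalizedAdConsent SDK's Swift names (`PACConsentInformation`, `PACConsentForm`, `PACConsentStatus`), which differ from the selector quoted in the thread, plus a placeholder publisher id and privacy policy URL.

```swift
import UIKit
import GoogleMobileAds
import PersonalizedAdConsent

/// Gates ad personalisation on the stored consent state. Nothing here shows a
/// dialog on every launch; the SDK persists the user's answer between launches.
final class AdConsentManager {
    // Placeholder values (constructed for this example; replace with your own).
    private let publisherIDs = ["pub-0000000000000000"]
    private let privacyPolicyURL = URL(string: "https://example.com/privacy")!

    /// Call at every app launch. Refreshes the shared consent info and presents
    /// the form only when consent is unknown for a user in the EEA (or unknown location).
    func refreshAndCollectIfNeeded(from viewController: UIViewController,
                                   completion: @escaping (PACConsentStatus) -> Void) {
        PACConsentInformation.sharedInstance.requestConsentInfoUpdate(
            forPublisherIdentifiers: publisherIDs) { error in
            let info = PACConsentInformation.sharedInstance
            if let error = error {
                // Fail closed: if the state cannot be determined, treat the user as
                // non-personalised rather than personalised.
                print("Consent info update failed: \(error.localizedDescription)")
                completion(.nonPersonalized)
                return
            }
            let needsForm = info.isRequestLocationInEEAOrUnknown && info.consentStatus == .unknown
            guard needsForm else {
                // A stored choice, or a user outside the EEA: no dialog on this launch.
                completion(info.consentStatus)
                return
            }
            self.presentForm(from: viewController, completion: completion)
        }
    }

    /// Also wire this to a Settings button so the user can update their choice later,
    /// which is how the docs quoted above say consent is revoked or changed.
    func presentForm(from viewController: UIViewController,
                     completion: @escaping (PACConsentStatus) -> Void) {
        guard let form = PACConsentForm(applicationPrivacyPolicyURL: privacyPolicyURL) else {
            completion(.nonPersonalized)
            return
        }
        form.shouldOfferPersonalizedAds = true
        form.shouldOfferNonPersonalizedAds = true
        form.shouldOfferAdFree = false
        form.load { error in
            if let error = error {
                print("Consent form failed to load: \(error.localizedDescription)")
                completion(.nonPersonalized)
                return
            }
            form.present(from: viewController) { _, _ in
                // The SDK stores the choice; read it back instead of assuming it.
                completion(PACConsentInformation.sharedInstance.consentStatus)
            }
        }
    }

    /// Builds an ad request that honours the stored state: anything other than an
    /// explicit 'personalized' answer sends the npa=1 flag for non-personalised ads.
    static func makeAdRequest() -> GADRequest {
        let request = GADRequest()
        if PACConsentInformation.sharedInstance.consentStatus != .personalized {
            let extras = GADExtras()
            extras.additionalParameters = ["npa": "1"]
            request.register(extras)
        }
        return request
    }
}
```

Because `makeAdRequest()` defaults to non-personalised whenever consent is anything but an explicit yes, a failed consent lookup or a revoked choice never silently falls back to personalised serving.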