\documentclass[
12pt,
a4paper,
%oneside
]{scrartcl}
\usepackage[utf8]{inputenc}
\usepackage[T1]{fontenc}
\usepackage{lmodern}
\usepackage[autostyle=true]{csquotes} % Quotes
\usepackage[UKenglish]{babel} % Language support
\usepackage{url}
\usepackage{microtype} % improve text
\usepackage[splitrule,multiple]{footmisc} % prevent footnotes from breaking
\usepackage[pdftex,
pdfauthor={Konrad Kollnig},
pdftitle={An App Developer's Guide to
GDPR},hidelinks,hyperfootnotes=false,bookmarksopen=true]{hyperref}
\usepackage{longtable}
\usepackage{booktabs}
%%% Some options
\setlength{\parindent}{0pt}
\setlength{\parskip}{10pt}
%%% Slightly larger line spacing
\usepackage{setspace}
\linespread{1.5}
\begin{document}
\title{An App Developer's Guide to GDPR}
\author{Konrad Kollnig}
\date{Version: \today}
\maketitle
\begin{center}
\emph{No legal advice, only an app developer’s attempt to make
data protection more understandable.}
\end{center}
If you have app users from the European Union, you are responsible for
personal data collected through your app. Personal data is any data
relating to an individual. This includes device data, pseudonyms, user
identifiers, advertising identifiers, (dynamic) IP addresses, and
postcodes, especially once they are combined with other data. Because
such data can be linked back to a person, it is usually not possible to
turn personal data into non-personal data.
You are also responsible for personal data that third-party services,
such as advertising, analytics, or crash reporting services, collect
through your app.
\textbf{Risk evaluation and documentation.} GDPR acknowledges that
there will never be full protection of personal data. Instead, it
encourages a risk-based approach: seriously analyse the possible risks
to data protection and take appropriate protection measures. If you
can prove that you took all appropriate measures, there is no need to
be overly afraid of high fines.
Make sure that you can provide such proof by \emph{documenting all
data protection considerations, decisions, and actions}.
\textbf{Reasonable data collection.} You and your third parties may
only collect personal data reasonably, that is, only for the purposes
stated in your privacy policy (purpose limitation) and restricted to
what is necessary for those purposes (data minimisation).
Furthermore:
\begin{itemize}
\item
\textit{iOS:} According to Apple's terms, you should ask for user
consent before you or your third parties collect \emph{any data},
whether personal or non-personal.\\
\textit{Android:} According to Google's terms, if you process
sensitive data (e.g.\ health-related) or process data in unexpected
ways, tell the user in a clear manner and ask for their
\textit{consent} (no pre-ticked boxes allowed).
\item Ideally, use at most one third-party service per purpose,
that is, at most one advertising, one analytics, and one crash
reporting service.
\item With every app release, check whether you can reduce data
collection or remove any third-party services.
\item Verify the default settings of your third-party services
(on-device and server-side), since third parties have an interest in
collecting ever more data.
Only activate third-party services once user consent is
established. More information can be found in the Appendix below.
\item If your app is aimed at \textit{children}, do not employ any
third-party services. It's not good practice, and a
violation of Apple's terms.
\item If possible, use libraries that make their source code available. Otherwise, you have no means to verify the underlying data practices.
\end{itemize}
\textbf{Always provide a privacy policy.}
Provide a privacy policy on the app store and within the app.
You may want to use one of the privacy policy generators, such as
\url{iubenda.com}.
Make sure it adequately discloses the data collection of both you and
your third parties.
\textbf{Handling user requests.}
The GDPR entitles users to manage (e.g.~access, delete, correct) any
data about them. You can implement these user rights directly in
software, which demonstrates your efforts towards GDPR compliance.
Handling requests received by email with the same seriousness is just
as acceptable. You have one month to respond to a user request. The
response must either address the request or, for complex requests,
explain that you need an extension of a further 2 months.
\textbf{Security measures and data breaches.}
Take the standard security measures, such as HTTPS communications,
salted password hashing, and validation of user inputs.
Apple\footnote{\url{https://developer.apple.com/documentation/security}}\footnote{\url{https://developer.apple.com/library/archive/documentation/Security/Conceptual/SecureCodingGuide}}
and
Google\footnote{\url{https://developer.android.com/training/articles/security-tips}}
provide comprehensive guidance on this.
Remove identifiable information whenever possible, through
pseudonymisation or anonymisation.
If you experience a \textit{personal data breach}, you must notify the
data protection
authority\footnote{\url{https://edpb.europa.eu/about-edpb/board/members}}
within 72 hours, and also the affected individuals if the breach poses
a high risk to them.
\textbf{Consent for third-party services.}
If you use third-party services, the user must be asked for consent in
almost all circumstances.
This consent must be obtained before the third-party service is
activated and begins to share data.
%The usage of third-party services, such as Google Analytics or
%Facebook
%Advertising, centralises data about a large number of users.
%Whilst there is no principle reason against using these services, you
%must assess the risks to the individual carefully and bear
%responsibility
%for taking all reasonable steps to minimise these risks.
%You should be aware that third-parties profit from amassing data, and
%carefully assess what data is shared by the third-party.
%Make sure that you activate a third-party SDK, only when user consent
%is
%granted.
%Include detail about the third-party services in your app's privacy
%policy, just as you would about your own app; the policies of the
%third-party service tell you what to do.
Beyond consent, the Appendix provides more detail on the correct
implementation of the most widely used third-party services.
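One way to enforce the rule above in an Android app, as an added example that is not part of this guide: a gate that keeps every third-party SDK switched off until the user has made an explicit choice, and re-applies that choice on every launch. The \texttt{ThirdPartySdk} adapter and the purpose names are assumptions; a real vendor SDK is wired in behind \texttt{start()} using the per-service switches linked in the Appendix.

```kotlin
// Added example, not code from the guide: third-party SDKs stay off until an
// explicit consent decision exists. ThirdPartySdk and the purposes are hypothetical.
import android.content.Context
import android.content.SharedPreferences

/** Hypothetical adapter wrapped around each vendor SDK; start() must be the
 *  only place in the app where that vendor SDK is initialised. */
interface ThirdPartySdk {
    val purpose: String          // e.g. "analytics", "ads", "crash"
    fun start()                  // initialise the vendor SDK (consent is present)
    fun stop()                   // keep, or put, the SDK in its disabled state
}

class ConsentGate(context: Context, private val sdks: List<ThirdPartySdk>) {
    private val prefs: SharedPreferences =
        context.getSharedPreferences("consent", Context.MODE_PRIVATE)

    init {
        // The guide's rule: at most one third-party service per purpose.
        val dup = sdks.groupBy { it.purpose }.filterValues { it.size > 1 }.keys
        require(dup.isEmpty()) { "More than one service for purpose(s) $dup" }
    }

    /** Absence of a stored decision is not consent: the default is false. */
    fun hasConsent(purpose: String): Boolean =
        prefs.getBoolean("consent.$purpose", false)

    fun hasDecided(): Boolean = prefs.contains("consent.decided")

    /** Store the choice made in a dialog whose boxes start unticked, then apply it. */
    fun recordDecision(choices: Map<String, Boolean>) {
        val editor = prefs.edit().putBoolean("consent.decided", true)
        for ((purpose, granted) in choices) editor.putBoolean("consent.$purpose", granted)
        editor.apply()
        applyDecision()
    }

    /** Call from Application.onCreate(): before a decision exists nothing starts,
     *  so no SDK can share data on the first launch. */
    fun applyDecision() {
        if (!hasDecided()) {
            sdks.forEach { it.stop() }   // the UI shows the consent dialog instead
            return
        }
        for (sdk in sdks) if (hasConsent(sdk.purpose)) sdk.start() else sdk.stop()
    }

    /** Withdrawing consent stops the service immediately. */
    fun withdraw(purpose: String) = recordDecision(mapOf(purpose to false))
}
```

SDKs that initialise themselves automatically at app start must additionally be disabled at the SDK level (manifest flags or opt-in reporting settings), since the gate can only hold back SDKs whose initialisation is under your control.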
\textbf{Closing remarks.}
By implementing these measures, you should come an important step
closer to compliance with GDPR.
Additionally, you should consult the guidelines of an EU data
protection authority.
The UK data protection authority, the ICO, provides excellent
guidance\footnote{\url{https://ico.org.uk/for-organisations/}} on data
protection.
\pagebreak
\section*{Appendix: Using Third-Party Services}
Implementation guidance for the most commonly used third-party
services, as well as links to their GDPR guidelines.
\begin{footnotesize}
\begin{longtable}{lp{.65\textwidth}}
%\caption{Implementation guidance for the most commonly used
%third-party services, as well as links to their GDPR
%guidelines.}\label{tab:implementation_guidance_trackers} \\
\toprule
Service & Implementation Notes \\
\midrule
Adjust & Once the Adjust SDK is enabled in your app, data sharing
takes place, notably of device events.
User consent should be established before enabling this SDK.
Notably, Adjust integrates the GDPR \textit{right to deletion} into
its SDK. This could be implemented in your app to show your efforts
to comply with GDPR. \newline
\textbf{More info:} \url{https://github.com/adjust/sdks} \\
\midrule
AppLovin & For EU users, AppLovin requires consent to be
passed on
programmatically.
If consent is given, the Advertising ID and IP address will be
sent to advertising partners, otherwise only a country code.
Once loaded at runtime,
AppLovin automatically receives the information that the app
was
installed. \newline \textbf{More info:}
\url{https://www.applovin.com/gdprfaqs/} \\
\midrule
AppsFlyer & The service collects the Advertising ID and a unique
AppsFlyer user ID from the first app start.
User consent should be established before activating this service.
If the Advertising ID cannot be accessed, permanent identifiers,
notably the device's IMEI, are shared with AppsFlyer unless
programmatically disabled. Such permanent identifiers are highly
sensitive from a data protection standpoint.
If not disabled, this practice should be communicated transparently
to the user. \newline
\textbf{More info:}
\url{https://support.appsflyer.com/hc/en-us/articles/360001422989}.
\\
\midrule
Facebook SDK & From the first app start, the Facebook SDK
collects
device information and events (app installation, app start,
in-app
purchases), unless programmatically disabled.
User consent should be established before activating this SDK.
Facebook serves no advertising, if the user limits
interest-based
ads from the device settings. \newline \textbf{More info:}
\url{https://developers.facebook.com/docs/app-events/best-practices/gdpr-compliance}
\\
\midrule
Flurry & For ads, this service provides a complicated mechanism to
establish user consent.
Since consent is legally required for most advertising services
anyway, you may want to consider simpler, alternative approaches to
establish valid user consent.
Unless programmatically disabled, the user's location is collected
for analytics purposes if the app holds the location permission.
This is highly invasive and may violate GDPR.
At the very least, this practice should be disclosed to the user
transparently if not disabled.
Generally, user consent should be established before activating
this service. \newline \textbf{More info (Analytics):}
\url{https://developer.yahoo.com/flurry/docs/analytics/gdpr/summary}
\newline \textbf{More info (Ads):}
\url{https://developer.yahoo.com/flurry/docs/publisher/gdpr/}
\\
\midrule
Google AdMob & This service serves personalised advertising by
default, violating Google's policies if used in the EU.
This must be changed by the developer, such that user consent
is
established prior to serving personalised ads.
AdMob shares device statistics and events with Google from the
first app start, unless programmatically changed.
User consent should be established before activating this
service.
\newline \textbf{More info:}
\url{https://developers.google.com/admob/android/eu-consent\#forward_consent_to_the_google_mobile_ads_sdk}.
\\
\midrule
Google Analytics & User opt-out and IP anonymisation are
supported
programmatically and their implementation should be
considered.
User consent should be established before using this service.
\newline \textbf{More info:}
\url{https://developers.google.com/analytics/devguides/collection/android/v4/advanced}
\\
\midrule
Google Crashlytics & This service shares crash reports with
Google from the first app start, unless changed by the
developer.
User consent should be established before activating this
service.
\newline \textbf{More info:}
\url{https://firebase.google.com/docs/crashlytics/customize-crash-reports\#enable_opt-in_reporting}
\\
\midrule
Google DoubleClick & This service serves personalised
advertising
by default,
violating Google's policies if used in the EU.
User consent should be established before activating this
service.
\newline \textbf{More info:}
\url{https://developers.google.com/ad-manager/mobile-ads-sdk/android/eu-consent\#forward_consent_to_the_google_mobile_ads_sdk}.
\\
\midrule
Google Firebase Analytics & This service collects device
statistics from the first app start, unless changed by the
developer.
The collected data includes the Google Advertising ID, unless
programmatically disabled, and may be used for advertising
purposes under certain circumstances. User consent should be
established before activating this service. \newline
\textbf{More
info:}
\url{https://firebase.google.com/docs/analytics/configure-data-collection}
\\
\midrule
Inmobi & The Inmobi SDK only collects personal data if you
explicitly indicate to the SDK that user consent was established.
If no consent is given, non-personalised ads are shown to the user.
Inmobi encourages you to pass on location and demographic data
programmatically for higher revenue. Preferably refrain from this;
if you do pass on such sensitive data, disclose it transparently to
the user.
\newline \textbf{More info:}
\url{https://support.inmobi.com/monetize/faqs/gdpr-guide-for-publishers/}
\\
\midrule
MoPub & For increased advertising revenue, MoPub shares data
with
two other services, IAS and Moat, unless programmatically
disabled.
These services must be transparently communicated to the user,
if
not disabled.
User consent should be established before activating this
service.
\newline \textbf{More info:}
\url{https://developers.mopub.com/publishers/best-practices/gdpr-guide/}
\\
\midrule
Unity Ads & Unity automatically asks for user consent, unless a
special arrangement is reached with Unity.
Personal data is only collected if the user consents.
When ads are served, Unity provides the user with a
\enquote{privacy icon} to change their opt-out setting.
If the user opts out, all collected data is deleted. \newline
\textbf{More info:} \url{https://unity3d.com/de/legal/gdpr} \\
\bottomrule
\end{longtable}
\end{footnotesize}
\end{document}