GDPR for iOS Developers

Transcript

1. @andrey_butov
   GDPR for iOS developers
   Andrey Butov
   [email protected]
   

   View Slide

2. What is GDPR?
   (General Data Protection Regulation)
   Regulation designed to give individuals
   more control over their personal data.
   

   View Slide

3. To whom does GDPR
   apply?
   

   View Slide

4. Where do I fit in?
   Data Controller
   Data Processor
   Data Subject
   Data Protection Officer
   Uses the data for business goals (app owner, etc).
   Processes the data on behalf of the controller (ad network, crash
   handler, Crashlytics, Urban Airship, Google, Bugsnag, etc.
   The app user.
   A person appointed to be explicitly in charge of all this stuff -
   probably does not apply to you unless you are processing a large
   amount of personal data and run a large operation.
   

   View Slide

5. Things to keep in mind.
   Written by politicians.
   

   View Slide

6. Things to keep in mind.
   Mainly with larger companies in mind.
   Written by politicians.
   

   View Slide

7. Things to keep in mind.
   Lawyers don’t have all the answers.
   Mainly with larger companies in mind.
   Written by politicians.
   

   View Slide

8. Things to keep in mind.
   Litigation sets precedent.
   Lawyers don’t have all the answers.
   Mainly with larger companies in mind.
   Written by politicians.
   

   View Slide

9. Things to keep in mind.
   Best sincere effort, while keeping
   the intent of the regulation in mind.
   Litigation sets precedent.
   Lawyers don’t have all the answers.
   Mainly with larger companies in mind.
   Written by politicians.
   

   View Slide

10. Personal data
    • Email address
    • IP address
    • Advertising identifier
    • GPS location
    • MAC address
    • Physical address
    • Date of birth
    • Social security number
    • Financial information
    

    View Slide

11. Personal data
    • Physical characteristics like eye color, weight, etc.
    • Salary and tax information.
    • Religious and political preferences.
    • Medical information.
    Why?
    

    View Slide

12. Anything that, by itself, or in combination
    with other pieces of data, can be used to
    identify an individual.
    Personal data
    

    View Slide

13. Personal data
    … which means?
    Every piece of data ever?
    Anything that, by itself, or in combination
    with other pieces of data, can be used to
    identify an individual.
    

    View Slide

14. If you hesitate, or feel you have to ask “is
    this personal data”, it is personal data.
    

    View Slide

15. If you hesitate, or feel you have to ask “is
    this personal data”, it is personal data.
    • Because we just don’t know.
    

    View Slide

16. If you hesitate, or feel you have to ask “is
    this personal data”, it is personal data.
    • Because until it’s resolved through litigation
    and has precedent (and even then), we just
    don’t know.
    • Because we just don’t know.
    

    View Slide

17. If you hesitate, or feel you have to ask “is
    this personal data”, it is personal data.
    • Because it’s safer to follow the intent of the
    regulation, be conservative, and err on the side
    of caution.
    • Because until it’s resolved through litigation
    and has precedent (and even then), we just
    don’t know.
    • Because we just don’t know.
    

    View Slide

18. What if you fail to comply?
    

    View Slide

19. What if you fail to comply?
    €20 million or 4% of annual revenue
    

    View Slide

20. What if you fail to comply?
    €20 million or 4% of annual revenue
    (whichever is higher)
    

    View Slide

21. iOS app backed by a web app?
    Your web app privacy policy should reflect what
    data is being collected and for what purpose.
    

    View Slide

22. Privacy by design
    You can only hold and process data that’s
    absolutely necessary for a project to be
    completed.
    

    View Slide

23. Privacy by design
    You can only hold and process data that’s
    absolutely necessary for a project to be
    completed.
    Data should be deleted after it’s no longer
    needed.
    

    View Slide

24. Privacy by design
    You can only hold and process data that’s
    absolutely necessary for a project to be
    completed.
    Data should be deleted after it’s no longer
    needed.
    If there’s a data breach, you must notify users
    within 72 hours.
    

    View Slide

25. Data portability
    The user (data subject) has the right to
    request his/her data from you (data
    controller), at any time.
    

    View Slide

26. Data portability
    You must provide for a way to transfer the
    data to another controller, if requested.
    The user (data subject) has the right to
    request his/her data from you (data
    controller), at any time.
    

    View Slide

27. Data portability
    You must provide that data in a commonly-
    used, machine-readable format.
    You must provide for a way to transfer the
    data to another controller, if requested.
    The user (data subject) has the right to
    request his/her data from you (data
    controller), at any time.
    

    View Slide

28. Data portability
    This must be done without hindrance or
    penalty to the user.
    You must provide that data in a commonly-
    used, machine-readable format.
    You must provide for a way to transfer the
    data to another controller, if requested.
    The user (data subject) has the right to
    request his/her data from you (data
    controller), at any time.
    

    View Slide

29. Consent
    

    View Slide

30. “Do I need to ask for consent if I just want to
    show ads in my app?”
    

    View Slide

31. “Do I need to ask for consent if I just want to
    show ads in my app?”
    Yes
    

    View Slide

32. “Do I need to ask for consent if I just want to
    show ads in my app?”
    “But I’m not collecting any personal data!”
    Yes
    

    View Slide

33. “Do I need to ask for consent if I just want to
    show ads in my app?”
    “But I’m not collecting any personal data!”
    But your ad network is, and you’re
    responsible.
    Yes
    

    View Slide

34. 3rd-party ad network SDKs collect the
    advertising identifier (IDFA), which is
    personally-identifiable data, and, in some
    cases, the GPS location, both of which
    require consent.
    

    View Slide

35. Some ad networks (Admob), let you turn
    off personalized ads.
    

    View Slide

36. Some ad networks (Admob), let you turn
    off personalized ads.
    Option 1:
    Ask for consent (properly). Receive consent.
    Allow Admob to collect the IDFA, and show
    personalized ads.
    

    View Slide

37. Some ad networks (Admob), let you turn
    off personalized ads.
    Option 1:
    Ask for consent (properly). Receive consent.
    Allow Admob to collect the IDFA, and show
    personalized ads.
    Option 2:
    Don’t ask for consent (or consent is denied,
    etc). Configure Admob to show generic ads.
    

    View Slide

38. What about Google’s Consent SDK?
    

    View Slide

39. What about Google’s Consent SDK?
    This was rushed. Google did not
    want to do this.
    

    View Slide

40. What about Google’s Consent SDK?
    This was rushed. Google did not
    want to do this.
    The phrasing is a bit … slimy.
    

    View Slide

41. What about Google’s Consent SDK?
    This was rushed. Google did not
    want to do this.
    The phrasing is a bit … slimy.
    You are still responsible. Google
    does not want to be a data
    controller.
    

    View Slide

42. The consent request must be prominent
    and separate from your terms and
    conditions.
    

    View Slide

43. You can’t stick a “you agree that we will
    collect …” paragraph inside the EULA.
    The consent request must be prominent
    and separate from your terms and
    conditions.
    

    View Slide

44. Your request for consent should not use
    any pre-ticked checkboxes, or any other
    pre-selected default values.
    

    View Slide

45. Your requests must use clear, plain
    language, that is easy for the user to
    understand.
    

    View Slide

46. You need to explain why you are
    collecting the data (for what purpose is it
    going to be used?)
    consentmonitor.com
    

    View Slide

47. Each distinct piece of
    data you collect needs
    its own consent.
    consentmonitor.com
    

    View Slide

48. Inform users about
    all third-parties that
    will be using the
    data.
    consentmonitor.com
    

    View Slide

49. You need to keep a record of when and how
    you collected consent for each piece of data,
    from each of your app users.
    

    View Slide

50. You need to keep a record of the exact wording
    of the request that the user gave consent to.
    consentmonitor.com
    

    View Slide

51. You need to inform
    users about their
    right to withdraw
    consent at any time.
    consentmonitor.com
    

    View Slide

52. You need to inform
    users about their
    right to withdraw
    consent at any time.
    consentmonitor.com
    You need to give
    users the ability to
    withdraw consent at
    any time.
    

    View Slide

53. You need to give users the
    ability to submit a request-
    to-be-forgotten.
    consentmonitor.com
    

    View Slide

54. consentmonitor.com
    

    View Slide

55. consentmonitor.com
    Properly requests consent, as required by GDPR.
    Retains a record of consent for every piece of data, for every
    user, including meta-data on how the consent was requested.
    Allows your users to easily revoke or update consent.
    Allows your users to easily submit a request-to-be-forgotten.
    Gives you a trail of evidence that consent was given by this
    exact user, for this exact piece of collected data, for this
    exact purpose.
    

    View Slide

56. @andrey_butov
    [email protected]
    Thank you!
    

    View Slide