GDPR for iOS Developers

732534b4b0d23be386e5bbcc196490c2?s=47 Andrey Butov
September 11, 2018

GDPR for iOS Developers

GDPR is a complex set of regulations. It can be difficult to figure out what parts apply to your iOS app, and what you should be doing to comply with GDPR. But there's actually quite a bit of regulation in GDPR that applies to iOS apps. This talk dives into 12 of the more important items you should know when getting your iOS app prepared for GDPR.

732534b4b0d23be386e5bbcc196490c2?s=128

Andrey Butov

September 11, 2018
Tweet

Transcript

  1. @andrey_butov GDPR for iOS developers Andrey Butov andreybutov@antair.com

  2. What is GDPR? (General Data Protection Regulation) Regulation designed to

    give individuals more control over their personal data.
  3. To whom does GDPR apply?

  4. Where do I fit in? Data Controller Data Processor Data

    Subject Data Protection Officer Uses the data for business goals (app owner, etc). Processes the data on behalf of the controller (ad network, crash handler, Crashlytics, Urban Airship, Google, Bugsnag, etc. The app user. A person appointed to be explicitly in charge of all this stuff - probably does not apply to you unless you are processing a large amount of personal data and run a large operation.
  5. Things to keep in mind. Written by politicians.

  6. Things to keep in mind. Mainly with larger companies in

    mind. Written by politicians.
  7. Things to keep in mind. Lawyers don’t have all the

    answers. Mainly with larger companies in mind. Written by politicians.
  8. Things to keep in mind. Litigation sets precedent. Lawyers don’t

    have all the answers. Mainly with larger companies in mind. Written by politicians.
  9. Things to keep in mind. Best sincere effort, while keeping

    the intent of the regulation in mind. Litigation sets precedent. Lawyers don’t have all the answers. Mainly with larger companies in mind. Written by politicians.
  10. Personal data • Email address • IP address • Advertising

    identifier • GPS location • MAC address • Physical address • Date of birth • Social security number • Financial information
  11. Personal data • Physical characteristics like eye color, weight, etc.

    • Salary and tax information. • Religious and political preferences. • Medical information. Why?
  12. Anything that, by itself, or in combination with other pieces

    of data, can be used to identify an individual. Personal data
  13. Personal data … which means? Every piece of data ever?

    Anything that, by itself, or in combination with other pieces of data, can be used to identify an individual.
  14. If you hesitate, or feel you have to ask “is

    this personal data”, it is personal data.
  15. If you hesitate, or feel you have to ask “is

    this personal data”, it is personal data. • Because we just don’t know.
  16. If you hesitate, or feel you have to ask “is

    this personal data”, it is personal data. • Because until it’s resolved through litigation and has precedent (and even then), we just don’t know. • Because we just don’t know.
  17. If you hesitate, or feel you have to ask “is

    this personal data”, it is personal data. • Because it’s safer to follow the intent of the regulation, be conservative, and err on the side of caution. • Because until it’s resolved through litigation and has precedent (and even then), we just don’t know. • Because we just don’t know.
  18. What if you fail to comply?

  19. What if you fail to comply? €20 million or 4%

    of annual revenue
  20. What if you fail to comply? €20 million or 4%

    of annual revenue (whichever is higher)
  21. iOS app backed by a web app? Your web app

    privacy policy should reflect what data is being collected and for what purpose.
  22. Privacy by design You can only hold and process data

    that’s absolutely necessary for a project to be completed.
  23. Privacy by design You can only hold and process data

    that’s absolutely necessary for a project to be completed. Data should be deleted after it’s no longer needed.
  24. Privacy by design You can only hold and process data

    that’s absolutely necessary for a project to be completed. Data should be deleted after it’s no longer needed. If there’s a data breach, you must notify users within 72 hours.
  25. Data portability The user (data subject) has the right to

    request his/her data from you (data controller), at any time.
  26. Data portability You must provide for a way to transfer

    the data to another controller, if requested. The user (data subject) has the right to request his/her data from you (data controller), at any time.
  27. Data portability You must provide that data in a commonly-

    used, machine-readable format. You must provide for a way to transfer the data to another controller, if requested. The user (data subject) has the right to request his/her data from you (data controller), at any time.
  28. Data portability This must be done without hindrance or penalty

    to the user. You must provide that data in a commonly- used, machine-readable format. You must provide for a way to transfer the data to another controller, if requested. The user (data subject) has the right to request his/her data from you (data controller), at any time.
  29. Consent

  30. “Do I need to ask for consent if I just

    want to show ads in my app?”
  31. “Do I need to ask for consent if I just

    want to show ads in my app?” Yes
  32. “Do I need to ask for consent if I just

    want to show ads in my app?” “But I’m not collecting any personal data!” Yes
  33. “Do I need to ask for consent if I just

    want to show ads in my app?” “But I’m not collecting any personal data!” But your ad network is, and you’re responsible. Yes
  34. 3rd-party ad network SDKs collect the advertising identifier (IDFA), which

    is personally-identifiable data, and, in some cases, the GPS location, both of which require consent.
  35. Some ad networks (Admob), let you turn off personalized ads.

  36. Some ad networks (Admob), let you turn off personalized ads.

    Option 1: Ask for consent (properly). Receive consent. Allow Admob to collect the IDFA, and show personalized ads.
  37. Some ad networks (Admob), let you turn off personalized ads.

    Option 1: Ask for consent (properly). Receive consent. Allow Admob to collect the IDFA, and show personalized ads. Option 2: Don’t ask for consent (or consent is denied, etc). Configure Admob to show generic ads.
  38. What about Google’s Consent SDK?

  39. What about Google’s Consent SDK? This was rushed. Google did

    not want to do this.
  40. What about Google’s Consent SDK? This was rushed. Google did

    not want to do this. The phrasing is a bit … slimy.
  41. What about Google’s Consent SDK? This was rushed. Google did

    not want to do this. The phrasing is a bit … slimy. You are still responsible. Google does not want to be a data controller.
  42. The consent request must be prominent and separate from your

    terms and conditions.
  43. You can’t stick a “you agree that we will collect

    …” paragraph inside the EULA. The consent request must be prominent and separate from your terms and conditions.
  44. Your request for consent should not use any pre-ticked checkboxes,

    or any other pre-selected default values.
  45. Your requests must use clear, plain language, that is easy

    for the user to understand.
  46. You need to explain why you are collecting the data

    (for what purpose is it going to be used?) consentmonitor.com
  47. Each distinct piece of data you collect needs its own

    consent. consentmonitor.com
  48. Inform users about all third-parties that will be using the

    data. consentmonitor.com
  49. You need to keep a record of when and how

    you collected consent for each piece of data, from each of your app users.
  50. You need to keep a record of the exact wording

    of the request that the user gave consent to. consentmonitor.com
  51. You need to inform users about their right to withdraw

    consent at any time. consentmonitor.com
  52. You need to inform users about their right to withdraw

    consent at any time. consentmonitor.com You need to give users the ability to withdraw consent at any time.
  53. You need to give users the ability to submit a

    request- to-be-forgotten. consentmonitor.com
  54. consentmonitor.com

  55. consentmonitor.com Properly requests consent, as required by GDPR. Retains a

    record of consent for every piece of data, for every user, including meta-data on how the consent was requested. Allows your users to easily revoke or update consent. Allows your users to easily submit a request-to-be-forgotten. Gives you a trail of evidence that consent was given by this exact user, for this exact piece of collected data, for this exact purpose.
  56. @andrey_butov andreybutov@antair.com Thank you!