Slide 1

Slide 1 text

GDPR for iOS developers
Andrey Butov
@andrey_butov [email protected]

Slide 2

Slide 2 text

What is GDPR? (General Data Protection Regulation) Regulation designed to give individuals more control over their personal data.

Slide 3

Slide 3 text

To whom does GDPR apply?

Slide 4

Slide 4 text

Where do I fit in?
• Data Controller: Uses the data for business goals (app owner, etc.).
• Data Processor: Processes the data on behalf of the controller (ad network, crash handler, Crashlytics, Urban Airship, Google, Bugsnag, etc.).
• Data Subject: The app user.
• Data Protection Officer: A person appointed to be explicitly in charge of all this stuff - probably does not apply to you unless you are processing a large amount of personal data and run a large operation.

Slide 5

Slide 5 text

Things to keep in mind. Written by politicians.

Slide 6

Slide 6 text

Things to keep in mind. Mainly with larger companies in mind. Written by politicians.

Slide 7

Slide 7 text

Things to keep in mind. Lawyers don’t have all the answers. Mainly with larger companies in mind. Written by politicians.

Slide 8

Slide 8 text

Things to keep in mind. Litigation sets precedent. Lawyers don’t have all the answers. Mainly with larger companies in mind. Written by politicians.

Slide 9

Slide 9 text

Things to keep in mind. Best sincere effort, while keeping the intent of the regulation in mind. Litigation sets precedent. Lawyers don’t have all the answers. Mainly with larger companies in mind. Written by politicians.

Slide 10

Slide 10 text

Personal data
• Email address
• IP address
• Advertising identifier
• GPS location
• MAC address
• Physical address
• Date of birth
• Social security number
• Financial information

Slide 11

Slide 11 text

Personal data
• Physical characteristics like eye color, weight, etc.
• Salary and tax information.
• Religious and political preferences.
• Medical information.
Why?

Slide 12

Slide 12 text

Personal data
Anything that, by itself, or in combination with other pieces of data, can be used to identify an individual.

Slide 13

Slide 13 text

Personal data
Anything that, by itself, or in combination with other pieces of data, can be used to identify an individual.
… which means? Every piece of data ever?

Slide 14

Slide 14 text

If you hesitate, or feel you have to ask “is this personal data”, it is personal data.

Slide 15

Slide 15 text

If you hesitate, or feel you have to ask “is this personal data”, it is personal data. • Because we just don’t know.

Slide 16

Slide 16 text

If you hesitate, or feel you have to ask “is this personal data”, it is personal data.
• Because until it’s resolved through litigation and has precedent (and even then), we just don’t know.
• Because we just don’t know.

Slide 17

Slide 17 text

If you hesitate, or feel you have to ask “is this personal data”, it is personal data.
• Because it’s safer to follow the intent of the regulation, be conservative, and err on the side of caution.
• Because until it’s resolved through litigation and has precedent (and even then), we just don’t know.
• Because we just don’t know.

Slide 18

Slide 18 text

What if you fail to comply?

Slide 19

Slide 19 text

What if you fail to comply? €20 million or 4% of annual revenue

Slide 20

Slide 20 text

What if you fail to comply? €20 million or 4% of annual revenue (whichever is higher)

Slide 21

Slide 21 text

iOS app backed by a web app? Your web app privacy policy should reflect what data is being collected and for what purpose.

Slide 22

Slide 22 text

Privacy by design You can only hold and process data that’s absolutely necessary for a project to be completed.

Slide 23

Slide 23 text

Privacy by design You can only hold and process data that’s absolutely necessary for a project to be completed. Data should be deleted after it’s no longer needed.

Slide 24

Slide 24 text

Privacy by design You can only hold and process data that’s absolutely necessary for a project to be completed. Data should be deleted after it’s no longer needed. If there’s a data breach, you must notify users within 72 hours.

Slide 25

Slide 25 text

Data portability The user (data subject) has the right to request his/her data from you (data controller), at any time.

Slide 26

Slide 26 text

Data portability You must provide for a way to transfer the data to another controller, if requested. The user (data subject) has the right to request his/her data from you (data controller), at any time.

Slide 27

Slide 27 text

Data portability You must provide that data in a commonly-used, machine-readable format. You must provide for a way to transfer the data to another controller, if requested. The user (data subject) has the right to request his/her data from you (data controller), at any time.

Slide 28

Slide 28 text

Data portability This must be done without hindrance or penalty to the user. You must provide that data in a commonly-used, machine-readable format. You must provide for a way to transfer the data to another controller, if requested. The user (data subject) has the right to request his/her data from you (data controller), at any time.

Slide 29

Slide 29 text

Consent

Slide 30

Slide 30 text

“Do I need to ask for consent if I just want to show ads in my app?”

Slide 31

Slide 31 text

“Do I need to ask for consent if I just want to show ads in my app?” Yes

Slide 32

Slide 32 text

“Do I need to ask for consent if I just want to show ads in my app?”
Yes
“But I’m not collecting any personal data!”

Slide 33

Slide 33 text

“Do I need to ask for consent if I just want to show ads in my app?”
Yes
“But I’m not collecting any personal data!”
But your ad network is, and you’re responsible.

Slide 34

Slide 34 text

3rd-party ad network SDKs collect the advertising identifier (IDFA), which is personally-identifiable data, and, in some cases, the GPS location, both of which require consent.

Slide 35

Slide 35 text

Some ad networks (AdMob) let you turn off personalized ads.

Slide 36

Slide 36 text

Some ad networks (AdMob) let you turn off personalized ads.
Option 1: Ask for consent (properly). Receive consent. Allow AdMob to collect the IDFA, and show personalized ads.

Slide 37

Slide 37 text

Some ad networks (AdMob) let you turn off personalized ads.
Option 1: Ask for consent (properly). Receive consent. Allow AdMob to collect the IDFA, and show personalized ads.
Option 2: Don’t ask for consent (or consent is denied, etc.). Configure AdMob to show generic ads.

Slide 38

Slide 38 text

What about Google’s Consent SDK?

Slide 39

Slide 39 text

What about Google’s Consent SDK? This was rushed. Google did not want to do this.

Slide 40

Slide 40 text

What about Google’s Consent SDK? This was rushed. Google did not want to do this. The phrasing is a bit … slimy.

Slide 41

Slide 41 text

What about Google’s Consent SDK? This was rushed. Google did not want to do this. The phrasing is a bit … slimy. You are still responsible. Google does not want to be a data controller.

Slide 42

Slide 42 text

The consent request must be prominent and separate from your terms and conditions.

Slide 43

Slide 43 text

You can’t stick a “you agree that we will collect …” paragraph inside the EULA. The consent request must be prominent and separate from your terms and conditions.

Slide 44

Slide 44 text

Your request for consent should not use any pre-ticked checkboxes, or any other pre-selected default values.

Slide 45

Slide 45 text

Your requests must use clear, plain language, that is easy for the user to understand.

Slide 46

Slide 46 text

You need to explain why you are collecting the data (for what purpose is it going to be used?) consentmonitor.com

Slide 47

Slide 47 text

Each distinct piece of data you collect needs its own consent.

Slide 48

Slide 48 text

Inform users about all third-parties that will be using the data.

Slide 49

Slide 49 text

You need to keep a record of when and how you collected consent for each piece of data, from each of your app users.

Slide 50

Slide 50 text

You need to keep a record of the exact wording of the request that the user gave consent to.

Slide 51

Slide 51 text

You need to inform users about their right to withdraw consent at any time.

Slide 52

Slide 52 text

You need to inform users about their right to withdraw consent at any time.
You need to give users the ability to withdraw consent at any time.
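One way to model the consent records described on slides 47 to 52, as an added Swift example that is not from the talk or from consentmonitor.com. The type names, field names and sample values are hypothetical and constructed for illustration.

```swift
import Foundation

// Hypothetical model (not from the talk): one decision, for one user,
// about one purpose. Each purpose gets its own record.
struct ConsentEvent: Codable {
    enum Decision: String, Codable { case granted, denied, withdrawn }
    let userID: String          // app-scoped pseudonymous ID, not the IDFA
    let purpose: String         // e.g. "personalized_ads"
    let decision: Decision
    let promptText: String      // exact wording shown to the user
    let thirdParties: [String]  // who else receives the data
    let collectedVia: String    // how the request was presented
    let timestamp: Date         // when the decision was made
}

// Append-only: events are never edited, so the history is the evidence.
struct ConsentLedger {
    private(set) var events: [ConsentEvent] = []

    mutating func record(_ event: ConsentEvent) { events.append(event) }

    // The latest event wins; no event at all means no consent (no defaults).
    func isGranted(userID: String, purpose: String) -> Bool {
        let latest = events.last(where: { $0.userID == userID && $0.purpose == purpose })
        return latest?.decision == .granted
    }

    // One user's full consent history as machine-readable JSON.
    func export(userID: String) throws -> Data {
        let encoder = JSONEncoder()
        encoder.dateEncodingStrategy = .iso8601
        encoder.outputFormatting = [.prettyPrinted, .sortedKeys]
        return try encoder.encode(events.filter { $0.userID == userID })
    }
}

// Constructed sample data.
var ledger = ConsentLedger()
let wording = "Allow personalized ads? Your advertising identifier (IDFA) is shared with AdMob."
func event(_ decision: ConsentEvent.Decision) -> ConsentEvent {
    ConsentEvent(userID: "user-123", purpose: "personalized_ads", decision: decision,
                 promptText: wording, thirdParties: ["AdMob"],
                 collectedVia: "first-launch dialog", timestamp: Date())
}
ledger.record(event(.granted))
let adsBefore = ledger.isGranted(userID: "user-123", purpose: "personalized_ads")
ledger.record(event(.withdrawn))   // the user revokes in the settings screen
let adsAfter = ledger.isGranted(userID: "user-123", purpose: "personalized_ads")
// When isGranted is false, configure the ad SDK for generic ads (Option 2).
print(adsBefore, adsAfter)
let json = try ledger.export(userID: "user-123")
print(String(decoding: json, as: UTF8.self))
```

Because a withdrawal is appended rather than overwriting the grant, the exported history still shows when consent was given, to which wording, and when it was revoked.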

Slide 53

Slide 53 text

You need to give users the ability to submit a request-to-be-forgotten.

Slide 54

Slide 54 text

consentmonitor.com

Slide 55

Slide 55 text

consentmonitor.com
• Properly requests consent, as required by GDPR.
• Retains a record of consent for every piece of data, for every user, including meta-data on how the consent was requested.
• Allows your users to easily revoke or update consent.
• Allows your users to easily submit a request-to-be-forgotten.
• Gives you a trail of evidence that consent was given by this exact user, for this exact piece of collected data, for this exact purpose.

Slide 56

Slide 56 text

Thank you!
@andrey_butov [email protected]