Mobile Data Primer: The GDPR

If you work anywhere even remotely adjacent to digital data right now, then you have likely heard the letters “GDPR.” Also known as the General Data Protection Regulation, this is a set of European Union (EU) rules around how users’ personal data must be collected, stored, and shared, and it goes into full effect on May 25, 2018. And even if you don’t have operations in the EU, it may affect your business. In this piece we review the major themes of the GDPR that mobile marketers and app publishers should be aware of.

What is the GDPR?

The GDPR was passed in April of 2016 and will go into enforceable effect in May of 2018 after a two-year transition period. It replaces the 1995 Data Protection Directive and brings more unity to data regulations across the EU. It covers all personal data collected from EU citizens, which includes anything that may be used to identify a person: IP address, email address, mobile ad ID, photos, social media posts, location data, biometric data, and more.

The law distinguishes between two different types of data handlers: data controllers and data processors. A data controller is any entity that collects first party data or directly decides what data will be processed and how, such as a mobile app or a website. A data processor is an entity that performs basically any operation on data, such as collecting second party data, storing, transferring, or analyzing first or second party data, etc. on the instruction of the controller.

Data controllers have the heavier burden because they are ultimately responsible for ensuring that their processors are compliant and that the many requirements of the GDPR are met. But don’t be fooled: processors too must sign up to and comply with various contractual and regulatory requirements. Further, any time a processor determines the purpose and means of processing (rather than acting only on the instructions of the controller), it will be considered a joint controller and will have the same responsibilities and liability as a controller.

The GDPR carries heavy fines for noncompliance: for lower tier infractions penalties can go up to €10M or 2% of annual worldwide revenue; for major non-compliance with the fundamental aspects of the regulation, companies can expect to see enforcements of up to €20M or 4% of annual worldwide revenue, whichever is greater.

The Big Themes In The GDPR

Theme 1: You must have a lawful reason for processing data.

Although some people think the GDPR limits data collection entirely, the reality is more nuanced than that. A business may process (collect, store, analyze, etc.) data under these lawful circumstances:

  • Contractual necessity: Data may be processed if it is needed to perform a contract with the data subject. For example, you might need a person’s name and contact info to ship an item they ordered from your website.
  • Legal obligations: Data may be processed if there is a legal obligation to do so. For example, a company might need to collect age or domicile information in order to sell restricted products online.
  • Vital interests: Data may be processed if it is needed to preserve the life or health of the data subject or one of their children. An example might be recording an allergy or other medical restriction.
  • Public interest: Data may be processed if it is required by a public authority—for example, the collection of census data.
  • Legitimate interests: Data may be processed if it is in the legitimate interests of the company, such as collecting payment information. This interest must not conflict with the privacy rights of the data subject, however; it remains to be seen whether a company simply wanting to make money by targeting the data subject with ads would supersede the data subject’s rights.
  • Consent: And finally—and most relevant to this article—data may be processed for other purposes as long as the data subject gives their consent.

Theme 2: The concept of data ownership is clarified.

It is a long-established practice for companies to gather data on customers to better power product development and business decisions. Their ability to gather data creates a proprietary asset that gives firms a defensible advantage.

The GDPR clarifies that individual data subjects are the owners of the personal data relating to them and establishes processes for individuals to assert control over their data by giving or withholding permission to use this data in specific ways. And just as you might have the right to, for example, review marketing lists you’re signed up for and unsubscribe or change your subscriptions, the GDPR gives data subjects unprecedented new rights around seeing and managing the data that has been collected on them:

  • The right to review: When a user requests it they must be presented with a full listing of the data that has been stored about them. For example, digital music streaming services could conceivably need to keep a copy of all the listening preferences from customers.
  • The right to portability: A user may also request to transfer data from one processing system to another. To continue our example, the digital music streaming company would need to deliver a structured file of a user’s data to a competitor, if so requested by the user.
  • The right to be forgotten: At a user’s request, a company must delete all the personal data on file that is related to that user. If the data has been shared with other companies, the deletion request must be shared and the partners must also delete the data.

Theme 3: The concept of consent is expanded.

In the United States the standard for consent has been to disclose in a privacy policy what data a company plans to collect and how it might be used and shared. This is essentially passive consent, often called “opt-out”. With the GDPR, however, passive consent is not sufficient. Consent for data collection must be fully opt-in, meaning it is:

  • Freely given: You can’t block the user from using portions of your app or website if they don’t give you consent for data collection.
  • Specific: Rather than telling the user you will share their data with generic “companies,” you must tell them specifically which partners their data is shared with. This will require tracking those partners and updating permissions regularly.
  • Informed: The data being collected and what it’s being used for must be described in clear, plain language.
  • Revocable: The user must be able to withdraw their consent at any time without losing functionality in the app or website.

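
The following Python sketch is an added example, not code from the article or from any real product, showing how Themes 1 to 3 translate into an app publisher's own data handling: a consent ledger that names the specific partners each purpose flows to and can be withdrawn, processing that is refused when a consent-based purpose has no active consent but still works for purposes with a contractual basis, a structured export for the right to review and portability, and an erasure routine that propagates the request to every partner that received the data. All class names, purpose labels, partner names and the user identifier are hypothetical values constructed for the example.

```python
"""Added illustration of consent-gated processing and data-subject requests.

Hypothetical design, not from the article; partner and subject ids are constructed.
"""
from __future__ import annotations

import json
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Any


class ConsentError(Exception):
    """Raised when processing is attempted without an active lawful basis."""


@dataclass
class Consent:
    purpose: str                # what the data is used for, in plain terms
    partners: tuple[str, ...]   # the specific processors this purpose shares data with
    granted_at: str
    withdrawn_at: str | None = None

    @property
    def active(self) -> bool:
        return self.withdrawn_at is None


@dataclass
class Partner:
    """Hypothetical downstream processor; it records the erasure requests it receives."""
    name: str
    erased: list[str] = field(default_factory=list)

    def erase(self, subject_id: str) -> None:
        self.erased.append(subject_id)


def _now() -> str:
    return datetime.now(timezone.utc).isoformat()


class DataController:
    # Purposes resting on a non-consent lawful basis (Theme 1). Withdrawing consent
    # never blocks these, so the user keeps core functionality (Theme 3, "revocable").
    NON_CONSENT_PURPOSES = {"order_fulfilment": "contract", "tax_records": "legal_obligation"}

    def __init__(self, partners: dict[str, Partner]) -> None:
        self.partners = partners
        self.data: dict[str, dict[str, Any]] = {}       # subject_id -> personal data held
        self.consents: dict[str, list[Consent]] = {}    # subject_id -> consent ledger
        self.audit: list[tuple[str, str, str]] = []     # (timestamp, subject_id, event)

    def _log(self, subject_id: str, event: str) -> None:
        self.audit.append((_now(), subject_id, event))

    def record_consent(self, subject_id: str, purpose: str, partners: tuple[str, ...]) -> None:
        unknown = set(partners) - self.partners.keys()
        if unknown:  # consent must name real, specific partners, not generic "companies"
            raise ValueError(f"consent names unknown partners: {sorted(unknown)}")
        self.consents.setdefault(subject_id, []).append(Consent(purpose, partners, _now()))
        self._log(subject_id, f"consent granted: {purpose} -> {list(partners)}")

    def withdraw_consent(self, subject_id: str, purpose: str) -> None:
        for c in self.consents.get(subject_id, []):
            if c.purpose == purpose and c.active:
                c.withdrawn_at = _now()   # keep the record; it documents when sharing stopped
        self._log(subject_id, f"consent withdrawn: {purpose}")

    def has_consent(self, subject_id: str, purpose: str) -> bool:
        return any(c.purpose == purpose and c.active for c in self.consents.get(subject_id, []))

    def process(self, subject_id: str, purpose: str, record: dict[str, Any]) -> None:
        basis = self.NON_CONSENT_PURPOSES.get(purpose)
        if basis is None and not self.has_consent(subject_id, purpose):
            raise ConsentError(f"no active consent for {purpose!r}")
        self.data.setdefault(subject_id, {}).update(record)
        self._log(subject_id, f"processed for {purpose} (basis: {basis or 'consent'})")

    def export(self, subject_id: str) -> str:
        """Right to review / portability: everything held, as machine-readable JSON."""
        return json.dumps({
            "subject_id": subject_id,
            "data": self.data.get(subject_id, {}),
            "consents": [vars(c) for c in self.consents.get(subject_id, [])],
        }, indent=2, sort_keys=True)

    def erase(self, subject_id: str) -> list[str]:
        """Right to be forgotten: delete locally and forward the request to every recipient."""
        recipients = sorted({p for c in self.consents.get(subject_id, []) for p in c.partners})
        for name in recipients:
            self.partners[name].erase(subject_id)
        self.data.pop(subject_id, None)
        self.consents.pop(subject_id, None)
        self._log(subject_id, f"erased; partners notified: {recipients}")
        return recipients


def demo() -> dict[str, Any]:
    """Consent, processing, revocation, export and erasure on constructed sample data."""
    partners = {"adnet-a": Partner("adnet-a"), "analytics-b": Partner("analytics-b")}
    ctl = DataController(partners)
    uid = "user-123"   # constructed sample identifier
    ctl.process(uid, "order_fulfilment", {"name": "A. Example", "address": "1 Sample St"})
    try:
        ctl.process(uid, "ad_personalisation", {"ad_id": "ifa-0000"})
        blocked = False
    except ConsentError:
        blocked = True   # expected: no consent recorded yet for this purpose
    ctl.record_consent(uid, "ad_personalisation", ("adnet-a",))
    ctl.process(uid, "ad_personalisation", {"ad_id": "ifa-0000"})
    ctl.withdraw_consent(uid, "ad_personalisation")
    ctl.process(uid, "order_fulfilment", {"last_order": "o-42"})   # contract basis still valid
    exported = json.loads(ctl.export(uid))
    notified = ctl.erase(uid)
    return {"blocked_before_consent": blocked, "exported_keys": sorted(exported["data"]),
            "notified": notified, "partner_erased": partners["adnet-a"].erased,
            "still_held": uid in ctl.data}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two design points carry most of the value: the ledger records which partners each consent covers, so an erasure can be forwarded only to processors that actually received the data, and withdrawn consents are timestamped rather than deleted, which gives an audit trail of when sharing stopped. Processing tied to a contractual basis keeps working after withdrawal, which is what "revocable without losing functionality" requires.
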
Theme 4: The applicability of the law is broad.

In the face of these changes some companies have reacted by putting off expansion into the EU—or even by withdrawing from countries where they had already expanded. However, this might not be sufficient: the regulation can be interpreted to mean that it covers the data of EU citizens even when they are not on EU soil.

It’s not clear how swift or successful regulators will be in enforcing EU regulations outside the EU; lawsuits may be the bigger risk here. At any rate, it will make sense for companies to be aware of the requirements of GDPR even if they aren’t necessarily involved in the EU at this time. They will want to understand their exposure to any potential fines or lawsuits that may occur.

How the GDPR Affects App Publishers

If you are collecting data on your users, even simple usage data tied back to a mobile ad ID or other persistent identifier, you should at a minimum figure out with a lawyer how much the GDPR will impact you. Remember, getting even one EU install means that the regulations could apply to you, and you could be at risk.

You’ll also want to work with your network of ad tech and other partners to make sure that they are also compliant. One critical area to review is whether partners are willing and able to delete user data on demand. If you get a revocation of permission from a user, will your partners be able to honor it? If not, you could find yourself in violation of the regulation.

How the GDPR Affects Mobile Marketers

For ad tech firms, agencies, and brands that use mobile data for analytics or targeting, it will be vital to understand exactly where your data comes from and to have a plan for how to deal with EU data that you might get. Even if you don’t plan to use the data, the fact that you are collecting or storing it will make you subject to the GDPR. Review each data source to make sure that they are following best practices, and phase out those that aren’t.

The GDPR represents a sea change in how companies will have to collect, store, and manage user data. Understanding its effects on your business will be key to avoiding costly litigation and fines.

(This article was prepared with the assistance of Kari Kelly of Centric Legal and cross-posted on Medium. Nothing in this article should be construed as legal advice or as a comprehensive understanding of everything you need to know about data privacy and protection. We recommend that you retain an attorney to lay out your GDPR strategy.)