WHAT’S THE GDPR
The GDPR is a new legal framework from the EU that takes effect on May 25, 2018. It’s an updated version of the Data Protection Directive. This law is designed to accomplish two main things:
- Unify the current data protection privacy laws throughout the EU, and
- Enhance the rights of citizens of the EU to protect their personal information
Who the GDPR Applies to
While the Data Protection Directive only applied to data controllers, the GDPR now applies to data processors as well. Learn about the differences between these two here to make sure you’re clear on your role.
Each role has specific requirements that you’ll also need to be aware of.
For example, data controllers must now conduct Data Privacy Impact Assessments (DPIAs) and add more thorough methods of obtaining consent for collecting data. Find more information about data controller requirements here.
Data processors will have to start keeping written records, increasing security measures to protect data and notifying data controllers of any breaches that occur with the data. Read more about these requirements here.
In some instances you may be required to appoint a Data Protection Officer (DPO) to oversee your data security strategy and GDPR compliance.
Find more information here to help you determine if you need a DPO.
WHAT THE GDPR REQUIRES
The GDPR requires that users are provided with thorough information about how their personal data is processed.
According to Article 12 of the GDPR, you need to communicate information about how you process personal data in a way that’s:
- Concise
- Transparent
- Intelligible
- Easily accessible
- In clear and plain language
- Free of charge
How to Comply with GDPR
This article is only going to cover the Privacy Policy, privacy notice and consent aspects of GDPR compliance. For more information about other compliance requirements, check out our GDPR Compliance Plan – also linked earlier in this article.
Remember that under the GDPR, you need to communicate your data collection and processing procedures in a way that’s concise, transparent, intelligible and in clear and plain language.
The GDPR now requires you to disclose more information in your Privacy Policy. However, it also requires you to do it in a more concise and clear way.
By having an informative, detailed, yet user-friendly Privacy Policy as well as concise summarized Privacy Notices you can effectively satisfy the requirements of the GDPR.
Have a Privacy Policy
Data protection laws around the world require a Privacy Policy when you collect or use personal information from your users, so chances are you already have this agreement in place on your website.
A Privacy Policy is where you let your users know:
- What personal information you collect
- How and why you collect it
- How you use it
- How you secure it
- Any third parties with access to it
- If you use cookies
- How users can control any aspects of this
Update your Privacy Policy to be GDPR-compliant by cutting out legalese and using clear language that your average user will understand.
Along with the seven standard points above, you must also include the following information in your Privacy Policy to be GDPR-compliant.
Note that each point doesn’t have to be a separate clause. As long as the information is somewhere in your Policy, it will work.
1. Identify yourself as a Data Controller or Data Processor (or both)
The data controller will likely be your business unless your business operates as a data processor for other companies.
Privacy Policy for Advertising SDKs
People love free apps. Unfortunately, to keep apps free, different types of in-app advertising are usually included in free apps.
These advertisements can include everything from 30-second videos a user must watch every so often while using the app, a banner bar located somewhere on the main page of the app that a user can click if interested in the product or advert, or other forms of in-app advertising.
If your mobile app shows ads through an advertising platform, do you need to update your Privacy Policy?
The short answer is yes, you probably do need to update your Privacy Policy.
Advertising platforms for mobile apps
Advertising platforms are platforms where app developers can become publishers and publish ads to their apps via the platform.
For example, an app developer will sign up to use a platform, such as AdMob. The developer will then integrate the AdMob SDK into an app. AdMob will then serve ads within the developer's app to end users/consumers who download and use the app.
There are a number of different advertising platforms available. Some of the most common, popular and successful platforms include the following:
If you show tailored ads, or interest-based ads that collect any sort of information about the habits, interests, or app uses of a user and then you use this information to show ads custom-tailored to the interests of that user, you'll need to update your Privacy Policy.
Updates to your legal agreement should let users know that you may serve interest-based ads within your app through a third-party platform, and you should give them the option to opt out of your behavioral marketing practices with each individual platform you use.
When you participate in interest-based advertising, you're collecting and using information about a user in order to custom-tailor and show ads, which legally must be disclosed, and users must be given an option to opt out of having their information tracked/used.
Even if you just show general ads to everyone and don't do any specific ad-tailoring for subject matter based on activity or interests of the users, you may still need to update your Privacy Policy.
This is because ad platforms tend to collect non-personally-identifying information when showing ads, such as the operating system used on your device, the device model and type, what language the device uses, and the date and time the advertisement was shown.
Just the collection and use of this information is enough to trigger a required update in your Privacy Policy informing users about this collection and use of this data.
However, because these platforms tend to use behavioral marketing by default due to its high levels of effectiveness, and because advertising platforms serve ads within a developer's app, platforms will usually require that apps that use their platforms update their Privacy Policy agreement before a developer signs up on the platform.
The required updates to the legal agreement usually include language that explains the use of interest-based advertising through the third-party platform, as well as including a method for users to opt out.
This type of disclosure helps to make sure the platform itself is protected from privacy infringement issues as a third-party to your app.
Here are some examples of how advertising platforms require publishers to update their Privacy Policies when using the platforms:
Legal requirements from advertising platforms
AdMob
AdMob is Google's platform for advertising, monetizing, and promoting mobile apps. It allows developers to utilize in-app advertising and provides insight into aspects of the use of the app by incorporating Google Analytics into the platform.
The "Behavioral Policies" section of the AdMob Policies includes a section on "Interest-based advertising" that makes it clear that interest-based ads may be shown when using AdMob, and that apps that use this platform may need to update their privacy policies to reflect the use of this interest-based advertising.

Flurry
Flurry is Yahoo's mobile advertising monetization platform that aims to improve marketing through mobile app advertising. A Flurry Analytics component helps developers analyze and measure app activity so as to monetize the app most effectively with this data.
The Terms of Service of Flurry includes a section on "Privacy and Information Collection". Within this section, there's a paragraph that starts with the clear requirement that "You must post a privacy policy."
The section continues to outline what must be included in the Privacy Policy, such as "notice of your use of a tracking pixel, agent or any other visitor identification technology that collects, uses, shares and stores data about end users of your applications and Recommendations..."
You must let your users know that you are using this tracking technology as part of the Flurry platform.
As directed by Flurry, developers must also include "a link to Flurry's Privacy Policy and/or describe Flurry's opt-out of Flurry Analytics to your end users in such a manner that they can easily find it and opt-out of Flurry Analytics tracking and personalizing ads and/or recommendations from Flurry."
Developers are given a choice of either linking directly to the Privacy Policy of Flurry, or describing in a clear manner the content of Flurry's policy. The ability for users to opt-out must be present, and easily accessible.
Note how the opt-out process here only applies specifically to Flurry. If a developer uses Flurry as well as other mobile advertising platforms, each platform's Privacy Policy requirements must be met, and the opt-out process for each individual platform must be included for users.

InMobi
InMobi acts like a global matching service for mobile advertisers and mobile ad publishers all around the world. It works to bring ads and apps together that serve and attract relevant and similar users and markets. InMobi uses retargeting advertising practices to deliver custom-tailored ads to app-users.
The "Advertiser Terms" of InMobi require that all participants in the InMobi service, such as agencies, advertisers, and media companies, "post on their respective Web sites their privacy policies and adhere to their privacy policies, which will abide by applicable laws."
Because InMobi uses retargeting advertising, this must legally be disclosed in the Privacy Policies of apps that use the InMobi platform, and app users must be given a way to opt-out of these practices.

MoPub
MoPub is Twitter's mobile publishing platform for apps, and is the world's largest mobile ad exchange. This platform is used to promote and monetize apps all over the world and in all industries.
The Terms of Service of MoPub includes a section titled "Other Obligations" that outlines a number of obligations placed on developers who use MoPub as an advertising platform.
One of the obligations is to "post and abide by a conspicuous and legally adequate privacy policy on each site, application, and/or service of the Publisher Network that must disclose the collection of Service Data by third parties such as MoPub."
This obligation ends with the requirement that "You must post, and if Your Publisher Network includes third party sites or apps, then You will contractually require such third parties to post, such privacy policy on all apps and sites in Your Publisher Network."
This means that MoPub not only requires a developer to include an adequate Privacy Policy when the app uses the MoPub service platform, it also requires that same developer to require any other third party sites or apps that might be included in the developer's Publisher Network to also have and post their Privacy Policies.

AppLovin
AppLovin is known for giving consumers a lot of power when it comes to managing their privacy preferences and unique in-app ad experiences. This helps consumers feel confident about their privacy and makes opting out and adjusting privacy preferences so easy.
The Terms of Use agreement of AppLovin includes a section titled "Your Privacy Policy and Terms of Use".
This section states that, "If User is a publisher, User will have and abide by a privacy policy that discloses that third parties may be using cookies, web beacons, and other technologies to collect information."
It continues and calls for a User (the app developer) to obtain explicit consent from the User's end-users (the users of the developer's app), and provide them with an easy to use method for opting out of the data collection practices.
This is very clear and informative guidance for developers who are advertising with the AppLovin platform.
Make sure you always read the requirements and terms of use of any mobile app advertising platform service you sign up for to ensure that your Privacy Policy is updated appropriately and includes everything that the platform requires.
As you can see from the examples above, while most of the same general information is required by all platforms (a Privacy Policy that lets users know that you are using methods of data-collection technologies to show them interest-based ads, and how they can opt-out of this data collection), some do have more specific or different requirements above and beyond the basics that you'll be responsible for satisfying.