• A Practitioner's Guide to App Privacy
  • Preface
  • About the Author
  • 1 Introduction
    • 1.1 What is privacy?
    • 1.2 What is data?
    • 1.3 The data deal: Would you sell your data?
    • 1.4 So what?
    • 1.5 We need data protection
  • 2 App Privacy
    • 2.1 App Tracking
      • 2.1.1 Vulnerable groups at risk
      • 2.1.2 We’ve been there..
      • 2.1.3 We’re all affected.
    • 2.2 The dangers of real-time bidding
    • 2.3 How is my app doing?
      • 2.3.1 Exodus Privacy
      • 2.3.2 AppCensus
      • 2.3.3 TrackerControl
    • 2.4 Shouldn’t users act on privacy, rather than developers?
      • 2.4.1 History of implementation
      • 2.4.2 Reasons for failure
      • 2.4.3 Privacy, a binary setting?
      • 2.4.4 The spirit of DNT lives on
      • 2.4.5 Tracking continues, what’s next for user privacy?
  • 3 Legal Stuff
    • 3.1 Sources
    • 3.2 Methodology behind these guidelines
      • 3.2.1 Key concepts
      • 3.2.2 User rights
      • 3.2.3 Principles and obligations
  • 4 Technical Implementation (work-in-progress)
    • 4.1 Consent
    • 4.2 Using popular third-party services right
    • 4.3 Privacy-preserving alternatives
      • 4.3.1 Crash Reporting
      • 4.3.2 Analysis
      • 4.3.3 Monetisation
    • 4.4 App Publication
  • 5 Summary
  • References
  • Published with bookdown

A Practitioner’s Guide to Android Privacy

Chapter 3 Legal Stuff

This chapter shall briefly summarise your legal obligations as an app developer, under EU Data Protection Legislation (GDPR). This shall cover the most important buts, when pushling apps in non-legal terms. Note that this is no no legal advice, only an app developer’s attempt to make data protection more understandable.

You must respect the rules of GDPR, if you have app users from the European Union. This will almost always be the case. Usually, you are responsible for all data collected through your app. GDPR protects personal data, which is data relating to individuals. This may include device data, pseudonyms, user identifiers, advertising identifiers, (dynamic) IP addresses, and postcodes, especially in combination with other data. For these reasons, it is usually not possible to make personal data non-personal. Almost all data collected from apps is personal, and requires careful protection.

You are also responsible for personal data collected from your app for third-party services, such as advertising, analytics, or crash reporting services. For instance, this means that you are even responsible for data, that is collected during the use of Google Firebase Analytics or Crashlytics – even if you never see the raw data.

Ask for consent

You can only use most third-party services, including Firebase Analytics, after the user has agreed to this practice.

iOS: According the Apple’s terms, you should ask for user consent, before you or your third-parties collect any data, no matter if personal and non-personal.

Android: According to Google’s terms, if you process sensitive data (e.g. health-related), or process data in unexpected ways, do tell the user in a clear manner and ask for his consent (no pre-ticked boxes allowed). Google also states that the use of some of their services, such as Firebase Analytics, needs explicit user consent.

Always provide a privacy policy. Provide a privacy policy on the app store and within the app. You may want to use one of the privacy policy generators, such as iubenda.com. Make sure it discloses the data collection of you and your third-parties adequately.

Risk evaluation and documentation. GDPR acknowledges that there will never be full protection of personal data. Instead, it encourages a risk-based approach, that is, seriously analysing the possible risks to data protection and taking appropriate data protection measures. If you can prove that you took all appropriate measures, there is no need to be overly afraid of high fines.

Make sure that you can provide such proof, by documenting all data protection considerations, decisions, and actions.

Reasonable data collection. You and your third-parties may only collect personal data reasonably, that is, only for the purposes stated in your privacy policy (purpose limitation) and restricted to what is necessary for the stated purposes (data minimisation).

Furthermore:

  • At best, use at most one third-party service for one purpose, that is, at most one advertising, analytics, and crash reporting service.
  • Check with every app release, if you can reduce data collection or remove any third-party services.
  • Verify the default settings of your third-party services (on-device and server-wise), since third-parties have an interest in collecting ever more data. Only activate third-party services, once user consent is established. More information can be found in the Appendix below.
  • If your app is aimed at children, do not employ any third-party services. It’s not good practice, and a violation of Apple’s terms.

Handling user requests. The GDPR entitles users to manage (e.g. access, delete, correct) any data about them. You can implement these user rights directly in software, which would show your efforts towards GDPR compliance. Yet, taking requests via email seriously is just as fine. You have one month to respond to user requests. This response may either address the request, or, for complex user requests, request an extension for a further 2 months.

Security measures and data breaches. Take the standard measures for security, such as HTTPS communications, salted passwords, validation of user inputs. Apple (here and here) and Google provide comprehensive guidance on this. Try to remove identifiable information whenever possible, through pseudonymisation or anonymisation. If you experience a personal data breach, you must notify the data protection authority within 72 hours, plus the individuals in case of high risk.

Consent for third-party services. If you use third-party services, the user must be asked for consent in almost all circumstances. This consent must be sought before the third-party service is activated and begins to share data. Beyond consent, the Appendix below provides more detail on the correct implementation of the most widely used third-party services.

Closing remarks. By implementing these measures, you should come an important step closer to compliance with GDPR. Additionally, you should consult the guidelines of an EU data protection authority. The British Data Protection Authority, called ICO, provides excellent guidance on data protection.

3.1 Sources

  • European Parliament and Council: “Regulation 2016/679 (General Data Protection Regulation)”
  • Article 29 Data Protection Working Party: “Opinion 02/2013 on apps on smart devices”
  • Google LLC: “Google Play Developer Distribution Agreement” (version 15 April 2019)
  • Google LLC: “Google Play Developer Program Policies” (accessed 20 June 2019)
  • Apple Inc: “Apple Developer Program License Agreement” (accessed 20 June 2019)
  • Apple Inc: “App Store Review Guidelines” (version 3 June 2019)
  • The documentation of the top 18 third-party services in apps, from 10 different companies.

3.2 Methodology behind these guidelines

These legal guidelines shall cover the fundamentals of GDPR. These are 1) the key concepts, 2) user rights, and 3) principles and obligations. Legal terminology shall be avoided, to make the guidelines understandable without expert knowledge.

3.2.1 Key concepts

The app developer shall be made aware of what GDPR protects, that is, personal data. Personal data is relevant for the developer, being responsible for its protection as the data controller. There has been much public attention on the high penalties, introduced by GDPR. The risk of such penalties is low, if the developer follows a risk-based approach to data protection, as advocated by GDPR.

3.2.2 User rights

Not all developers will be aware of the profound rights, that GDPR grants to users. These shall be mentioned.

3.2.3 Principles and obligations

The rest of the document shall cover the seven principles of GDPR, that the developer must follow as data controller:

  • Lawfulness, fairness and transparency,
  • Purpose limitation,
  • Data minimisation,
  • Accuracy,
  • Storage limitation,
  • Security, and
  • Accountability.

To cover the first principle, “lawfulness, fairness and transparency”, the most important step is the provision of an adequate privacy policy. There exist rich online resources, which shall be mentioned.

For simplicity, the principles “purpose limitation”, “data minimisation”, “accuracy”, and “storage limitation” shall be summarised as reasonable data collection. The term “reasonable” is similarly used in the GDPR and occurs widely across the GDPR document, 52 times.

Regarding data collection, the further provisions of the platform providers, Apple and Google, shall be added.

The remaining principles of “security” and “accountability” shall be mentioned. Regarding security, Apple and Google provide support documents, that shall be linked.