What is the General Data Protection Regulation?
If your app is available in Europe, you’ll want to know about GDPR. Effective May 25, 2018, the GDPR requires adherence to consistent data protection rules in the EU. Any business or app developer located within the EU or processing the personal data of any user residing in the EU must abide by the data protection rules or face hefty fines. If you work for an ad agency, read up.
Here are nine commonly asked app developer questions about the new rules for the EU.
Do Developers Need to Make Changes to Use Facebook Platform Products Under the GDPR?
Apps must prominently display a clear link within the settings, within any privacy policy, or anywhere the app is accessible that directs users to a comprehensible explanation of the following:
- How third parties (such as Facebook) may use information from the app and other apps to inform measurement services and targeted ads
- How to opt out of said information gathering and use in ad targeting
What Data Does Facebook Collect Via the SDK?
The Facebook SDK collects explicit events (e.g. “AddtoCart” or “logPurchase”), implicit events (e.g. integration with Facebook login or the “Like” button), and automatically logged events (e.g. app installs or launches, SDK loading). Automatically logged events can be disabled.
Facebook also logs data pertaining to Facebook app ID, mobile advertiser ID, and metadata from the request (e.g. mobile OS type and version, client IP address, time zone, processor cores, etc.).
What Data Does Facebook Collect Via SDK for Facebook Login?
For Facebook Login, the SDK collects:
- App Events: Generic app events, such as app install and app launch, and standard logging for metrics such as SDK loading and SDK performance.
- Configuration Data: The SDK periodically conducts background requests when a user logs in, automatically managing the lifetime of the access token.
- Error Information: For example, the user IDs of logged-in individuals during SDK initialization.
- Short-term Data: Some user activity may be measured to manage fraud and abuse, and the data is only kept for a brief amount of time for users who aren’t logged into Facebook.
Do Advertisers Need to Change Their SDK Implementation for App Events Because of GDPR?
Advertisers must provide users with a clear link to a full explanation of how third parties may use any personal information obtained and how users can opt out. Facebook also has a consent guide developers can use for best practices for following GDPR’s requirements.
Do Developers Need Additional Disclosures or Consent to Use Facebook Login and Account Kit?
When developers control the data for Account Kit, they must fulfill the necessary legal obligations, including possible additional consent for gathering marketing information such as email addresses. If Facebook controls the data, however, it manages personal data according to its Data Policy.
For Facebook Login, Facebook does not collect consent for users’ data processing on behalf of a developer’s business. Developers are thus required to obtain the appropriate consent for such data processing on their own, as Facebook stipulates in its Platform Policy.
Can Developers Still Gather Special Category Data?
Developers are no longer allowed to gather special category data related to sensitive topics like politics or religious beliefs as a result of Facebook’s recent updates to its privacy standards.
Are There Any GDPR-Related Changes to Account Kit?
Facebook says there are no GDPR-related changes to Account Kit. The only data Account Kit shares with a developer’s business is basic contact information like email addresses for account ID purposes. Anything beyond that is the business’s responsibility.
How Can Developers Ensure GDPR Compliance When Using Facebook Analytics?
Under Facebook’s Platform Policy and Business Tool Terms, developers are responsible for informing users when they use Facebook measurement tools, such as pixels, SDKs, and APIs, to collect and process data. Developers are also responsible for obtaining user consent for such use of these tools. Developers that are the data controller of all data measured through Facebook Analytics must adhere to all data laws and regulations applicable to the jurisdiction of the business’s operations.
Can Businesses Continue to Use Facebook Plugins (e.g. Like Button, Page Plugin) Under GDPR?
Yes, because GDPR does not affect Facebook’s plugin functionalities.
Businesses and developers should stay up to date on changes Facebook makes to its platform and all its products to ensure they’re not violating any regulations or policies. In some cases, it may be that the particular business simply cannot advertise on Facebook.