Step One: What Needs to Be Done
Is your app's usage of Gimbal only applicable to users when they are in the US (actually, anywhere outside of the EU)? That probably means that you don't have any places defined in the EU, your user base is generally not located in the EU, and your app may not even be available outside of the US App Store or Play Store.
If so, congratulations, you probably don't need to do anything. By default, Gimbal will not collect Personal Information of any user while they are in the EU after May 25th, 2018.
If your app also supports users in the EU, then you will need to authorize Gimbal to act as a Data Processor and modify your app so that the Gimbal SDK knows when GDPR compliant consent has been granted by each user.
Even after the Gimbal SDK has been informed that each user has granted GDPR compliant consent, Gimbal will not currently send any personal information back to Gimbal servers while the user is in the EU. This means that the requirements for personal information review and deletion will not apply to Gimbal, since there is no stored information to review or delete. This does mean that analytics reports and exports will not include information about users in the EU.
Step Two: Modify Your App for GDPR Compliant User Consent (if needed)
On iOS and recent versions of Android, the app has been required to explicitly ask each user for permission to access and use their location. The permission dialog may not be adequate as GDPR compliant consent.
You may need to explicitly ask the user for consent that is GDPR compliant. The details depend on your app and on what personal information (including, but not limited to, locations and IP addresses) is collected and used.
Step Three: Modify Your App to Tell Gimbal What Your App User Has Consented To
Gimbal SDKs now have an additional API available to support GDPR compliance. On iOS, there is a GMBLPrivacyManager class and on Android there is a PrivacyManager class. This class provides two things:
- An API that will determine whether the user is currently in the EU (based on the IP address that the last Gimbal configuration request was made from - these requests typically happen at the time Gimbal is initialized on a new device and every 8 hours thereafter).
- An API that manages "consents" that have been requested of the user. Currently, the only supported consent is "Places" - others will be added as necessary.
If your app is primarily targeted at a European audience, you probably don't need to worry about whether the user is currently in the EU and will just always ask for consent. If, however, your app is primarily targeted at an audience outside of the EU but you have places defined in the EU and you want to trigger place events when users are in the EU, you can use the first API to decide whether (and when) to ask for a GDPR compliant consent.
Once you've asked your user for consent, you can use the second API to tell Gimbal that the user has consented to enable place monitoring while in the EU. If the user declined to give consent, you can still use the same API to remember that you've asked.
Currently, Gimbal only supports one kind of consent: "Places". The state of that consent can be one of Unknown, Granted or Refused. Initially, the state is Unknown - once you've asked the user for consent, you should set the state to either Granted or Refused. Now that the state is no longer Unknown, your app will know that it doesn't need to ask again.
Since GDPR requires that a user be able to change their answer at any time, the consent API can be called again with a different value - either changing Granted to Refused or changing Refused to Granted.
iOS code snippets:

    if ([GMBLPrivacyManager userConsentFor:GMBLPlacesConsent] == GMBLConsentUnknown)
    {
        // checks to see if GDPR consent is required to enable Gimbal place monitoring
        if ([GMBLPrivacyManager gdprConsentRequirement] == GMBLGDPRConsentRequirementUnknown)
        {
            // The Gimbal SDK hasn't yet been able to contact its server to determine the device's location
            // This could be due to not yet having called [Gimbal setAPIKey:@"..."] or
            // because a network is not available - you will need to check again later
        }
        else if ([GMBLPrivacyManager gdprConsentRequirement] == GMBLGDPRConsentRequired)
        {
            // it is required -
        }
        else
        {
            // it is not required at the device's current location - it may be required if the device travels
        }
    }

    // sets the consent for Places to Granted and enables place monitoring
    [GMBLPrivacyManager setUserConsentFor:GMBLPlacesConsent toState:GMBLConsentGranted];

    // sets the consent for Places to Refused and disables place monitoring
    [GMBLPrivacyManager setUserConsentFor:GMBLPlacesConsent toState:GMBLConsentRefused];

Android code snippets:

    if (PrivacyManager.getInstance().getUserConsent(PrivacyManager.ConsentType.PLACES_CONSENT) == PrivacyManager.ConsentState.CONSENT_UNKNOWN) {
        // checks to see if GDPR consent is required to enable Gimbal place monitoring
        if (PrivacyManager.getInstance().getGdprConsentRequirement() == PrivacyManager.GdprConsentRequirement.REQUIREMENT_UNKNOWN) {
            // The Gimbal SDK hasn't yet been able to contact its server to determine the device's location
            // This could be due to not yet having called Gimbal.setApiKey([Application], "...") or
            // because a network is not available - you will need to check again later
        }
        else if (PrivacyManager.getInstance().getGdprConsentRequirement() == PrivacyManager.GdprConsentRequirement.REQUIRED) {
            // it is required -
        }
        else {
            // it is not required at the device's current location - it may be required if the device travels
        }
    }

    // sets the consent for Places to Granted and enables place monitoring
    PrivacyManager.getInstance().setUserConsent(PrivacyManager.ConsentType.PLACES_CONSENT, PrivacyManager.ConsentState.CONSENT_GRANTED);

    // sets the consent for Places to Refused and disables place monitoring
    PrivacyManager.getInstance().setUserConsent(PrivacyManager.ConsentType.PLACES_CONSENT, PrivacyManager.ConsentState.CONSENT_REFUSED);

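The consent flow described in Step Three, with the empty branches of the Android snippet filled in as one helper (an added example, not code from Gimbal). `PlacesConsentGate`, `Action` and the `com.gimbal.android` import path are assumptions; the `PrivacyManager` calls and enum values are the ones shown on this page.

```java
import com.gimbal.android.PrivacyManager;   // package path is an assumption
import com.gimbal.android.PrivacyManager.ConsentState;
import com.gimbal.android.PrivacyManager.ConsentType;
import com.gimbal.android.PrivacyManager.GdprConsentRequirement;

/** Hypothetical helper: decides when the app should show its own GDPR consent prompt. */
public final class PlacesConsentGate {

    /** What the caller should do next (hypothetical type, not part of the Gimbal SDK). */
    public enum Action { NOTHING_TO_DO, RETRY_LATER, SHOW_CONSENT_PROMPT }

    private final PrivacyManager privacy = PrivacyManager.getInstance();

    /** Call after Gimbal.setApiKey(...) and again on later app starts. */
    public Action nextAction() {
        ConsentState state = privacy.getUserConsent(ConsentType.PLACES_CONSENT);
        if (state != ConsentState.CONSENT_UNKNOWN) {
            // Already Granted or Refused: the user has been asked, do not prompt again.
            return Action.NOTHING_TO_DO;
        }

        GdprConsentRequirement requirement = privacy.getGdprConsentRequirement();
        if (requirement == GdprConsentRequirement.REQUIREMENT_UNKNOWN) {
            // The SDK has not reached its server yet. Do not treat this as
            // "not required"; leave the state Unknown and check again later.
            return Action.RETRY_LATER;
        }
        if (requirement == GdprConsentRequirement.REQUIRED) {
            return Action.SHOW_CONSENT_PROMPT;
        }
        // Not required at the current location. The state stays Unknown, so the
        // same check will prompt if the device later travels into the EU.
        return Action.NOTHING_TO_DO;
    }

    /**
     * Record the user's answer. Used by the consent prompt and by a settings
     * toggle, since the user may change Granted to Refused (or back) at any time.
     */
    public void recordAnswer(boolean granted) {
        privacy.setUserConsent(ConsentType.PLACES_CONSENT,
                granted ? ConsentState.CONSENT_GRANTED : ConsentState.CONSENT_REFUSED);
    }

    /** True only when the user has explicitly granted the Places consent. */
    public boolean isGranted() {
        return privacy.getUserConsent(ConsentType.PLACES_CONSENT) == ConsentState.CONSENT_GRANTED;
    }
}
```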
Step Four: Contact Gimbal
To complete the "Data Processing Addendum" allowing Gimbal to act as a Data Processor, please contact support@gimbal.com.