GDPR is a complex set of regulations. It can be difficult to determine what parts apply to your iOS apps, and what exactly you need to do to comply with GDPR.
Turns out, there's quite a bit to know about how GDPR affects your iOS app. Here are 12 important items to keep in mind when getting your app prepared for GDPR compliance.
1. You need to get consent to show ads in your app.
If you show ads in your app through a third-party ad network, such as Admob, you need to get consent from the user.
Ad networks use the IDFA (advertising identifier) to show personalized ads in your app. The IDFA is personally-identifiable data, and you need consent to collect such data.
Chances are, you don't have any actual code in your app to collect and use the advertising identifier. Instead, the ad network SDK is collecting that data and is using it to show personalized ads to your users. In this case, you still need to get consent from the user. You also need to tell the user that the data is being shared with the ad network to display ads in the app.
2. Your consent request should be prominent and separate from your terms and conditions.
3. Your requests for consent cannot use pre-ticked checkboxes or any other default values.
Your app's default assumption must be that the user has not given consent to anything. In other words, the default value for a permission request should not be "I agree". If you are displaying checkboxes, leave them unchecked by default. GDPR requires that the users check those boxes themselves to show that they gave consent. Your app cannot pre-fill consent responses on behalf of the user.
4. Your requests must use clear, plain language, that is easy for the user to understand.
When asking for consent to collect data, use simple, easy to understand language. This means no legalese. GDPR states that the user needs to understand the request completely. With simple language, more of your users will read your requests, and you'll save money on lawyer fees.
5. You need to explain why you are collecting the data, and for what purpose.
It's not enough to ask for permission to collect a piece of data. GDPR requires that you tell the user the purpose for collecting that data. For example, if you are collecting the GPS location, you need to explain what that data is for. If you are sharing the GPS location with third-parties, tell the user who they are, and why they need that data.
6. Each distinct piece of data you collect needs its own consent.
If you are collecting several pieces of personal data, you cannot present them as a group. GDPR states that the user needs to be able to accept or deny the request to collect each distinct piece of data.
Let's say your application needs to collect the GPS location, the IDFA, and the user's email address. That's three distinct pieces of personal data. The user needs to be able to give or deny consent to each item.
7. Inform the users about any third-parties that will be relying on the consent.
If your app shares collected data with third-parties, you must let the user know. This is true even if a third-party SDK collects the data on your behalf.
For example, ad network SDKs collect the advertising identifier to display ads. You need to ask the user for permission to collect that advertising identifier. You also need to tell them which ad network will be using that data, and for what purpose.
8. You need to keep a record of when and how you collected consent from each of your app users.
Requesting consent is only one step of having your iOS app be GDPR-compliant. You must also collect and store a record of that consent. You need to do this for each user, and for each piece of data you collect. These records serve as evidence of the user's consent. You must also update the records if the user changes their consent at any point.
This is an essential part of the Consent Monitor service. When you use the Consent Monitor SDK in your iOS app to get permission to collect data, a complete record of consent is automatically collected, retained for future reference, and kept up-to-date.
9. You need to keep a record of the exact wording of the request that the user gave consent to.
You know that you need to keep a record of consent. But what did the user see when they gave consent? GDPR requires that you also keep a record of what the request for consent looked like. How was the consent request presented? What words did your app use to ask for that piece of data? You need to store this meta-data along with every consent record.
This is something that's built into the Consent Monitor service as well. The retained record of consent not only contains the information about what the user gave permission to, it also contains the exact wording of how that permission request was presented to the user, and what, exactly, the user saw when he or she provided permission to have their data collected.
10. You need to inform users about their right to withdraw consent at any time.
When asking to collect personal data, explain to the user that their consent is not permanent. Make it clear that they will be able to change their mind and withdraw consent at any time.
11. You need to give users the ability to withdraw consent at any time.
Explaining to the user that they have the ability to withdraw their consent at any time is only half the task. The other part is actually providing that facility. Your iOS app needs to give the user the ability to withdraw consent at any time, for any collected data item.
When using the Consent Monitor SDK to collect consent in your iOS app, this is done for you automatically. With a single line of code, you can show the user what they've agreed to have collected and allow them to make changes. Their consent records will be automatically updated as needed, with no additional work on your part.
12. You need to give the user the ability to submit a "request-to-be-forgotten".
The user should be able to submit a "request-to-be-forgotten". This is a major part of GDPR. If your app collected personal data from the user, it must give them a way to submit a request to erase that data.
Allowing the user to withdraw consent for an item is not enough. When you receive a "request-to-be-forgotten", you must erase all data related to that user.
If you shared that data with third parties, inform those third parties of the request. To comply with GDPR, those companies will need to erase that data as well.
The Consent Monitor iOS SDK makes this easy. In fact, the ability to submit a 'request-to-be-forgotten' is made available to your users by default, with no additional code.