In this article we’ll go over Localytics’ approach to protecting end users’ privacy, as well as the options available to our customers to ensure they meet the wider regulations. Through options to opt end users out of data collection, delete a specific end user from our systems, and/or prevent further data collection, Localytics offers the tools to comply with GDPR and other privacy regulations.
It’s important to note: this article is only an overview. We recommend that you work internally with your developers, engineers, product, privacy, and legal teams to ensure your implementation of Localytics meets your unique privacy and regulatory requirements.
Ensuring proper handling of data is a shared responsibility. We must work together to ensure privacy rights are respected and protected.
GDPR specifies the roles of a data processor and a data controller. In the case of the Localytics-customer relationship, Localytics acts as the data processor, with the customer fulfilling the requirements of data controller.
As a data processor, Localytics is responsible for processing data in accordance with our customer’s instructions. Our customers, the data controllers, are responsible for controlling all data collected as well as providing all necessary processing instructions through appropriate configuration and implementation of our products.
This means that our customers’ responsibilities, as a data controller, may include:
- Providing end users easy access to concise, transparent privacy notices
- Clearly informing end users what data will be collected, and for what purposes
- Obtaining consent from end users to collect/process their personal data
- Providing ongoing support for the end user to exercise their rights to restrict data collection, opt-out of data collection altogether, and/or to be forgotten
- Effectively instructing Localytics to process, cease processing, and/or delete data as required through proper configuration and implementation of our product
- Ensuring personal data is only collected where expected, and no personal data is tagged as an event, attribute, custom dimension, value property, screen view, or other data point where Localytics would be unaware of the requirement to handle as personal data
Every customer’s policies and privacy requirements will vary, and your specific situation will determine the degree to which any of the data controller responsibilities apply.
In turn, Localytics’ responsibilities, as the data processor, include:
- Providing our customers the ability to opt their end users out of data collection through our SDKs
- Providing our customers the ability to instruct Localytics to delete that end users personal data and identifiers
- Providing our customers easy access to Localytics privacy policies, and data handling information as it applies to our role as a data processor
Localytics will not act upon any individual end user’s request to exercise their privacy rights. We’ll direct any individual end user requests to the owner of the application, our customer. This approach is necessary because our customers are the owners and controllers of the data, and Localytics generally has no way to identify an individual end user in our data set.
As it stands, Localytics is unable to effectively delete every event, attribute, and data point recorded for an individual end user (or device). Instead, our approach is to delete all Personal Data and unique identifiers associated with that individual, and cease collecting any future data from that identified end user. This will effectively orphan all event, attribute, and session dimension data, forgetting this individual’s historical activity.
To make sure an end user’s personal data is effectively deleted, and to remain compliant with GDPR, data points considered Personal Data need to be defined and mutually understood. Localytics SDK collects basic session data automatically, while customers control all other optional data collected.
According to GDPR, Personal Data is: data that includes direct personal information (like name, email address), as well as data that, when linked with other information, can reveal the identity of the end user (e.g., behavioral data when linked with advertiser ID). For a full definition, please see the GDPR documentation.
Only these two types of data (directly identifiable data, and linkable data) will be handled in GDPR accordance by Localytics. It’s important to note: if Personal Data (again, as defined by GDPR) is set in any other fields, Localytics may not be aware of this, and will be unable to support GDPR compliance.
Localytics will ensure these specific data points are deleted and handled as Personal Data:
- Automatically Collected
- IP Address
- Install/Device_UUID (universally unique identifier) this is a random, alphanumeric value generated by Localytics
- Auto Profile Attributes
- Customer Configurable/Optional
- Custom Profile Attributes
These data may not be deleted upon request, as they aren’t considered Personal Data, or aren’t considered Personal Data once unlinked from identifiers:
- Session open/close + Session dimension data
- Screen view data
- Tagged events, event attributes and Lifetime Value data
- Tagged custom dimensions
The Localytics SDKs support a set client-side APIs that allow our customers to better comply with GDPR. Those methods are:
This allows customers to configure our SDK to opt an end user out of any data collection. Specifically, customers can call
[Localytics setOptedOut:YES] (iOS) or
Localytics.setOptedOut(true) (Android) to opt an end user out of data collection, and check their status with
[Localytics isOptedOut] or
Localytics.isOptedOut(). This will upload an event to Localytics saying that the end user has opted out of data collection and will prevent any further events or sessions being uploaded.
Localytics (iOS and Android) SDK v5.1+ (and React SDK v2.1.0+) supports a client-side call that allows customers to configure the SDK to opt an end user out of data collection, and delete all historical data. Specifically, customers can call
[Localytics setPrivacyOptedOut:YES] (iOS) or
Localytics.setPrivacyOptedOut(true) (Android) to opt an end user out of data collection, and check their status with
[Localytics isPrivacyOptedOut] or
- opt the device out of future data collection,
- preventing further events or sessions being uploaded,
- delete local data,
- disable location monitoring,
- delete push tokens,
- disable location monitoring,
- and set the
“privacy_delete” : “1”profile attribute.
By setting of this profile attribute, you’ll instruct Localytics to delete that end user’s personal data and identifiers. (See the server-side methods for additional details on the data deletion process.)
Localytics (iOS and Android) SDK v5.1+ (and React SDK v2.1.0+) supports a client-side call that will delay any data uploading to Localytics, while still allowing for collection of data. The intention is to store, but not upload, data until after you have received consent from the end user. When they have opted in, all that data will be uploaded for inclusion in analytics and messaging tools.
Here’s an example snippet of code for Android:
Localytics.pauseDataUploading(true); Localytics.autoIntegrate(this); String customerId = Localytics.getCustomerId(); //trigger server call to determine user privacy opt in status using the given customer id //Server returns with value for opt in: Localytics.setPrivacyOptedOut(VALUE_FROM_SERVER); Localytics.pauseDataUploading(false);
This will ensure that an end user who may have opted out in a different way (ie, web, email, etc) will have their privacy rights respected on a mobile app integrated with Localytics.
setPrivacyOptedOutwill delete push tokens, and disable location monitoring by default. This will cease receipt of Push messages and Places notifications.
setPrivacyOptedOutwill delete the end user’s data, preventing targeted in-app and inbox messaging. However broadcast in-app and inbox messages will continue to be delivered by default.
The Localytics Profile API supports an attribute to mark an end user for deletion on the Localytics side. This attribute will run a back-end process to delete the identified end user’s personal data and identifiers.
You would need to write (POST or PATCH) this app-scoped profile attribute. Once the attribute is marked, Localytics will begin dropping any additional data uploaded from the known individual’s device for 30 days, and will proceed with deleting all personal data and identifiers to complete the intended Right-to-be-Forgotten request.
- Server-side calls are app-scoped, and will require making an API call to each application for which the end user would like to be forgotten.
- The API call will require a known Customer_ID for the end user.
- Depending upon the specific integration of our SDK, or when the opt-out is set client-side, it’s possible that some data may already be processed and uploaded after the privacy_delete attribute is set. To account for this, Localytics has implemented a back-end process that will filter these unaccounted data points. However, customers must implement controls to opt these end users out of data collection as necessary in the relevant applications to ensure data collection is prevented going forward.
For additional documentation, refer to Localytics’ Profile API docs.
Localytics allows customers to export data through a dedicated AWS S3 bucket. Upon customer request, Localytics will write a time-stamped blob of application session and event data to the S3 bucket.
The default workflow for this feature is to write raw log data to a dedicated S3 bucket in the Localytics AWS account, and allow customer exports from this bucket through bucket policy. We’ll retain the data in this S3 bucket indefinitely as long as you’re a customer, deleting the data 90 days after contract termination.
The data written to the S3 raw logs includes all event, and session data with identifiers including:
This data, depending upon your configuration and/or privacy requirements, may be considered personal data. In scenarios where this data is considered personal data, and must have Right-to-be-Forgotten requests propagated through this S3 raw logs, Localytics recommends migrating the raw logs out of our S3 environment, and into a customer-controlled AWS account.
This is the recommended approach since S3—as a Write Once, Read Many (WORM) storage solution—does not provide a practical method to surgically delete a specific individual’s data. Moving to customer-managed AWS S3 buckets allows our customers to manage appropriate handling of data in accordance with their existing data management and retention policies.
To migrate, customers should reach out to Localytics Support to begin the process. At a high-level the process is:
- Customer creates a dedicated S3 bucket for Localytics raw logs.
- Customer will create a bucket policy allowing Localytics AWS account to write to their new bucket.
- Once the new bucket is provisioned, and the policies created, Localytics will begin writing data to this bucket.
- Any data written to Localytics-managed S3 buckets prior to migration should be exported, and scheduled for deletion.
- Customers that require encryption at rest can set up KMS and keys in their AWS account to add additional layers of security and data safeguards.