Attention to users' privacy and the proper handling of their data is one of the most discussed topics online. Working in app development, I looked into what arrangements are necessary, under EU regulations, for processing the data of users who use apps installed on tablets and cell phones.
Apps and data according to the EU: how to obtain consent for data processing
There are many occasions when app users are required to submit data. Indeed, during installation, the user downloading the app enters information, and often the apps themselves automatically access data stored on the device for which consent would need to be sought.
The first prerequisite for lawful processing is therefore to obtain the user's prior consent to data access, which must be requested both when the app is installed and when users' personal data are stored and managed.
Consent is valid only if it meets the definition in Article 4(11) of the GDPR. Let's look together at the different qualities of will that the legislation requires for acceptance of data processing.
Free will - options at installation
Users must be able to choose whether to accept or reject the processing of their personal information when an application requests it.
The person who downloads our app must therefore be free to accept or reject the processing of personal data without being faced with a screen containing a single "Yes, I agree" option to complete the installation. A "Cancel" option that aborts the installation must also be available to them.
Informed will - debugging or tracking
The user must have the information necessary to make his or her own judgment about whether or not to give consent.
The information must therefore be available before any processing of personal data, including processing that might take place during installation, such as for debugging or tracking purposes.
Specific will through granular consent
Asking your users to agree to a long set of terms and conditions and/or privacy policies, as most app owners who are not yet complying with the regulations' obligations do, does not constitute specific consent.
The manifestation of will must refer to the processing of a particular piece of data or a limited category of data.
Simply tapping the "Install" button cannot be considered valid consent to the processing of personal data.
Under Article 7 of the GDPR, where processing is based on consent, the data controller must be able to demonstrate that the data subject has given consent to the processing of his or her personal data.
If the data subject's consent is given in the context of a written statement that also covers other matters, the request for consent must be presented in a manner clearly distinguishable from those other matters, in an understandable and easily accessible form, using simple and clear language.
When users are able to provide granular consent, they can choose whether to grant required consent for each type of data that the application intends to access.
Data subjects can verify exactly which functions involve processing and of which data. This satisfies two important legal requirements: adequately informing the user about the important elements of the service, and requiring specific consent for each of them.
Withdrawal of consent
Data subjects have the right to revoke their consent at any time. Withdrawal of consent does not affect the lawfulness of processing carried out on the basis of consent before its withdrawal. The data subject must be informed of this before giving consent, and withdrawing consent must be as easy as giving it.
Consent is not considered freely given if the performance of a contract, including the provision of a service, is made conditional on consent to the processing of data that is not necessary for the performance of that contract.
How to acquire informed consent and allow its withdrawal
Users have the right to be informed about who collects their data and for what purpose.
One of the most important requirements of the GDPR is to acquire active and informed consent from your app users before collecting or processing their personal information.
Until now, many apps assumed that a user's decision to proceed with registration and use of the app was equivalent to the user's consent to data collection. This is no longer the case.
The GDPR requires apps to acquire active, informed user consent before personal data are collected.
To comply with this requirement, the app must give users certain disclosures about the information collected, together with a checkbox, button, or other control that users tap to actively confirm their consent to the collection of their data.
A consent box or button may not be pre-selected, and continued use of the app cannot be assumed to meet the GDPR requirements for capturing active consent.
Examples of consent in app
In the latest apps we have developed, we collect consent in this way:
As another example of correct practice, here is how the Waze app presents users with an overview of why Waze uses personal data, along with specific examples of the types of data it uses. Users must tap "I agree" to allow Waze to do this.
The GDPR further raises the bar for consent. When requesting specific data, individual (or "granular") options for obtaining consent must be provided. App owners must therefore inform users about the different purposes behind the collection of each piece of data.
Once consent has been granted, under the GDPR, apps must provide users with ongoing control over their information, including the right to revoke previously granted consent.
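To show how the requirements above fit together in code (one choice per purpose, nothing pre-selected, a timestamped record the controller can produce under Article 7, and withdrawal that leaves earlier processing lawful), here is an added example written for this post; it is not code from our apps or from Waze. The purpose names, the notice version and the timeline in demo() are constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from enum import Enum

class Purpose(Enum):
    """Constructed purposes; each is consented to separately (granular consent)."""
    DIAGNOSTICS = "diagnostics"   # crash reports / debugging
    TRACKING = "tracking"         # usage analytics

@dataclass(frozen=True)
class ConsentEvent:
    purpose: Purpose
    granted: bool         # True = consent given, False = refused or withdrawn
    at: datetime          # UTC timestamp: the evidence Article 7 asks for
    notice_version: str   # which privacy notice the user saw before choosing

@dataclass
class ConsentLedger:
    """Append-only record of one user's decisions, per purpose, over time."""
    events: list = field(default_factory=list)

    def record(self, purpose, granted, notice_version, at=None):
        at = at or datetime.now(timezone.utc)
        self.events.append(ConsentEvent(purpose, granted, at, notice_version))

    def allowed_at(self, purpose, at):
        """Consent state at instant 'at'; no event means no consent (install grants nothing)."""
        state = False
        for ev in self.events:                    # appended in time order
            if ev.purpose == purpose and ev.at <= at:
                state = ev.granted
        return state

def apply_install_screen(ledger, ticked, notice_version, at):
    """'ticked' holds only the boxes the user actively selected; every other
    purpose is recorded as refused, so nothing is pre-selected on their behalf."""
    for purpose in Purpose:
        ledger.record(purpose, purpose in ticked, notice_version, at)

def demo():
    """Constructed timeline: diagnostics consented at install, withdrawn a day later."""
    t0 = datetime(2024, 5, 1, 9, 0, tzinfo=timezone.utc)
    t1 = datetime(2024, 5, 2, 9, 0, tzinfo=timezone.utc)
    ledger = ConsentLedger()
    apply_install_screen(ledger, {Purpose.DIAGNOSTICS}, "notice-v1", t0)
    ledger.record(Purpose.DIAGNOSTICS, False, "notice-v1", t1)
    return {"diag_at_install": ledger.allowed_at(Purpose.DIAGNOSTICS, t0),
            "tracking_at_install": ledger.allowed_at(Purpose.TRACKING, t0),
            "diag_after_withdrawal": ledger.allowed_at(Purpose.DIAGNOSTICS, t1),
            "events": len(ledger.events)}
```

Because allowed_at() is evaluated at a point in time, the diagnostics processing done between install and withdrawal can still be shown to have been consented to, while anything after the withdrawal is refused.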