Making Web Push Notifications Experience Compliant with GDPR

Disclaimer – This is not legal advice on how your product or company should comply with GDPR. It is simply our assessment of how GDPR will affect businesses operating in the growth and marketing domains.

A lot has been said and written about GDPR in the last few days. It is being termed a watershed moment for growth and retargeting tools, and rightly so. GDPR is aimed at giving users in the EU complete control over their personal data and the kind of communication they want to receive, and it requires businesses that deal with their data to do so in a transparent and secure manner. The penalty for non-compliance is huge: up to €20 million or 4% of the total revenue of the previous financial year, whichever is higher.

With GDPR, businesses dealing with users in the EU have been asked to either fall in line or fall by the wayside.

What is GDPR?

The General Data Protection Regulation (GDPR) is a regulation under EU law that ensures data protection and privacy for all individuals in the European Union. GDPR was approved by the EU parliament in April 2016 and came into force on 25th May 2018.

GDPR is the most significant change to data regulation in the last 20 years. It replaces the Data Protection Directive 95/46/EC.

Does it apply to you?

GDPR is focused on safeguarding the interests and privacy of users in the EU. Whether your business operates out of the EU or not, if any user from the EU accesses your product or website, you need to comply with GDPR.

GDPR applies to you if you are:

  • Tracking user activities on your website or within your app for personalization or marketing
  • Capturing any Personally Identifiable Information (PII)

PII is any information that can uniquely identify a user, such as:

  • Name
  • Email address
  • IP address
  • Cookie
  • Location

If your product or service is involved in any of the activities mentioned above without taking explicit consent from end users, you should change the user flow so that users make an informed decision before opting in or sharing their data.

What are the compliance requirements?

Let’s go through the guiding principles of GDPR compliance. GDPR primarily emphasizes the following two things:

  • Right to data collection: This part addresses whether you as a business have the right to collect and process user data and personal information or not.
  • Right to Data processing: This part addresses the way the user data is handled.

Right to data collection

Businesses can collect and process personal data provided that they have a ‘lawful basis’ to justify it. A lawful basis gives businesses the right to process user data under the following scenarios.

1. Consent

If users give explicit consent to share their personal information for the exact reasons the business is requesting it, the business is permitted to collect and process that personal information.

Consent is an affirmative action taken by the user that allows the business to capture the required data. Every user consent has to be:

  • A clear affirmative action: No pre-checked checkboxes
  • Given freely: Users should not be incentivized or coerced into giving consent in exchange for a service
  • Specific and informed: Users should be aware of the exact information they are going to share and the reasons they are sharing it
  • Unambiguous
  • Documented
  • Easily withdrawable

Please note that you need to seek consent from your existing EU users again, i.e. re-opt in your existing subscribers.

[Image] A non-GDPR compliant flow for using cookies, by Facebook

[Image] A GDPR compliant email consent from dpnetwork.org.uk

Reference – https://www.reforge.com/blog/gdpr-growth-marketing

Other valid grounds for collecting and processing personal information are:

2. Contractual obligation

Contractual obligation applies when the nature of the contract between the business and the user requires the processing of personal data. For instance, purchasing an insurance policy requires users to provide their personal information.

3. Legal obligation

If the business is bound by a legal obligation, it can collect and process personal data. For instance, providing a social security number when opening a new bank account is required by law and hence is allowed.

4. Vital interest

If collecting personal data is in the vital interest of the user, it’s a valid ground. For instance, obtaining a person’s previous health records is vital for giving health advice or writing medical prescriptions.

5. Legitimate interest

Legitimate interests of the users can be one of the reasons for businesses to collect personal information. The definition of legitimate interest is a bit vague and open to interpretation. Processing data for fraud detection, direct marketing that takes the user’s interests into account, and internal compliance requirements such as payroll are a few examples of legitimate interests.

6. Public task

If the processing of data is necessary for the performance of a task carried out in the public interest, or the business entity has the legal right to do so, that is a lawful basis for processing information. This basis can be used by government entities or local authorities to process personal data.

Reference – https://blog.focal-point.com/9-examples-of-lawful-basis-for-processing-under-the-gdpr

Right to Data processing

Data processing encompasses any activity or operation performed on personal information, including data collection, transfer, access, modification, storage and usage. You should ensure that all data operations follow secure protocols and that data retention policies are clearly outlined.

Additionally, users should be able to access, modify, export and delete their own data. If there is an identifier for the user, the tool you are using should provide you with either an interface or a set of APIs to perform these operations.

How should a web push notification tool comply?

Web push notifications require explicit consent from website visitors by design. All browsers that support web push notifications provide an opt-in prompt for users to subscribe to notifications.

For communication meant for all users, this consent would suffice. For instance, if you want to announce a flash sale or inform users about a new category launched on your e-commerce store, you need not take any additional consent from your subscribers.

[Image] Broadcast messages / Announcements

For targeted communication, where you need to reach a particular audience based on their attributes such as location or gender, or send personalized notifications based on their website activity, you should take explicit consent from the users.

[Image] Personalized Messages

The data that you capture falls into two broad categories: user attributes and website activity.

Here is a suggested subscription flow for three scenarios:

  1. Capture no personal data
  2. Capture location data / other attributes
  3. Capture location and web activity data

Capture No Personal Data Template

a) Subscription process

[Image] Subscription process flow

b) Unsubscription process

[Image] Unsubscription process flow

Capture Location Data / Other Attributes Template

a) Subscription process

[Image] Subscription process flow

b) Unsubscription process

[Image] Unsubscription process flow

c) Resubscription process for existing subscribers

[Image] Re-subscription process flow

Capture Location and Web Activity Data Template

a) Subscription process

[Image] Subscription process flow

b) Unsubscription process

[Image] Unsubscription process flow

c) Resubscription process for existing subscribers

[Image] Re-subscription process flow
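The consent flows described above, as an added example that is not code from the original post or from iZooto's product: a small consent ledger in JavaScript in which the browser's own push opt-in covers broadcast messages, attribute-based and activity-based targeting each need a separately ticked purpose, withdrawal is a single call, and existing subscribers whose consent predates the current consent text are held back until they re-opt in. Function names, record fields and the policy version are assumptions.

```javascript
// Added example (not code from the original post or from iZooto): a minimal
// consent ledger for a web push tool, covering the three templates above.
// Function and field names are assumptions; the browser's permission prompt
// result (Notification.permission) is passed in as a plain string.

const PURPOSES = ["broadcast", "attributes", "activity"];
const POLICY_VERSION = "2018-05-25"; // assumed version of the consent text in force

// Record a new consent. The browser opt-in alone covers broadcast messages;
// attribute- or activity-based targeting is stored only if the user ticked it
// (nothing is pre-checked), together with when and under which text it was given.
function recordConsent({ subscriberId, permission, purposes = [], at = new Date() }) {
  if (permission !== "granted") return null; // no subscription without the browser opt-in
  const granted = Object.fromEntries(PURPOSES.map((p) => [p, p === "broadcast"]));
  for (const p of purposes) {
    if (!(p in granted)) throw new Error(`unknown purpose: ${p}`);
    granted[p] = true;
  }
  return {
    subscriberId,
    purposes: granted,
    policyVersion: POLICY_VERSION,
    grantedAt: at.toISOString(),
    withdrawnAt: null,
  };
}

// Withdraw a single purpose (keeps the subscription) or, with no purpose given,
// everything at once (the unsubscription flow). Returns a new record.
function withdraw(record, purpose, at = new Date()) {
  if (purpose === undefined) {
    const none = Object.fromEntries(PURPOSES.map((p) => [p, false]));
    return { ...record, purposes: none, withdrawnAt: at.toISOString() };
  }
  return { ...record, purposes: { ...record.purposes, [purpose]: false } };
}

// Existing subscribers whose consent predates the current consent text must
// go through the re-subscription flow before anything is sent to them.
function needsReoptIn(record) {
  return record.policyVersion !== POLICY_VERSION;
}

// Gate every send on the ledger: broadcast needs only a live subscription,
// personalized messages additionally need the matching explicit purpose.
function canSend(record, messageKind) {
  if (!record || record.withdrawnAt !== null || needsReoptIn(record)) return false;
  return record.purposes[messageKind] === true;
}
```

Persist the returned records server-side alongside the push subscription so that the "documented" and "easily withdrawable" requirements above can be shown on request.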

Apart from this, you should:

  1. Appoint a Data Protection Officer who will be responsible for assessing the impact of data protection regulations, implementing the required changes, and educating employees within the organization.
  2. Update your privacy policy to reflect the new privacy measures undertaken.
  3. Enter into a Data Processing Addendum (DPA) with all the 3rd-party tools you are using.

The underlying objective here is to provide end users with a better experience, treat their personal data carefully and establish trust in your business. While changing existing processes, creating new ones, or adding new 3rd-party tools, you should incorporate ‘Privacy by Design’.

Datability Solutions

Shrikant Kale

Shrikant R Kale, our very own SRK, is the Product Head at iZooto. An IIM-C product, he is looked up to for his dedication and calm demeanor. This passionate bike-lover can be easily spotted in our office 24*7 (almost!). Follow him on twitter: @shrikantkale
