The GDPR (General Data Protection Regulation) is set to take effect May 25, 2018, and its regulations apply to any company, person, or group that collects, processes, or otherwise handles the personal data of EU and UK residents.
Leanplum, GDPR, and you
The GDPR defines two types of organizations that are required to follow the new regulations: data controllers and data processors.
- Data controllers determine why and how personal data is processed. As a Leanplum customer, your organization is considered a data controller.
- Data processors process user data on behalf of the controller. Leanplum processes user data on your behalf, which makes us a data processor.
As a processor, we provide the technical capabilities and organizational processes that will allow you, our customers, to maintain the rights of your EU and UK users while using our product.
See below for some common tasks to help you remain GDPR compliant while using Leanplum.
Informing your end users
As a data controller, you have to inform your end users about the personal data you collect from them and their rights surrounding this data. The GDPR lays out several requirements for what you must tell your end users, and it’s up to you to provide the information in a transparent, accessible way.
For more details on how Leanplum handles and protects your users’ data, refer to the security information in your contract’s data processing addendum.
User consent for data collection
Under GDPR, users must explicitly opt in to data collection before you start tracking with Leanplum. The GDPR has some stringent requirements for how and when to give users the option to consent to data collection, so make sure you are aware of these regulations.
To prevent data collection through Leanplum, do not call leanplum.start() until after the user opts in to data collection. You can also offer separate opt-out prompts for different messaging channels in Leanplum. Giving users more options to control their app experience might encourage them to consent (opt in) to data collection.
For example, if a user opts in to data collection in general, but not to email or push, your app should call leanplum.start and the opt-out methods for the push and email channels. See the unsubscribe params in setUserAttributes for more info.
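As an added illustration (not Leanplum's own code), the JavaScript below gates the SDK behind consent in the way described above: nothing is called until the user opts in, start runs once, and channels the user did not opt in to are unsubscribed. It assumes an sdk object exposing start() and setUserAttributes(); the unsubscribe attribute keys are placeholders, and the recording SDK is a constructed stand-in.

```javascript
// Added example: consent gate around an analytics SDK. `sdk` is any object
// exposing start() and setUserAttributes(), the two calls named on this page.
// The attribute keys are placeholders, not Leanplum's real parameter names;
// take the real ones from the setUserAttributes documentation.
const UNSUBSCRIBE_KEYS = {
  email: "EMAIL_UNSUBSCRIBE_PLACEHOLDER",
  push: "PUSH_UNSUBSCRIBE_PLACEHOLDER",
};

function createConsentGate(sdk) {
  let started = false;

  // Translate per-channel choices into unsubscribe attributes.
  function channelAttributes(channels) {
    const attrs = {};
    for (const [channel, key] of Object.entries(UNSUBSCRIBE_KEYS)) {
      // Anything other than an explicit `true` counts as opted out.
      if (channels[channel] !== true) attrs[key] = true;
    }
    return attrs;
  }

  return {
    isStarted: () => started,
    // consent = { dataCollection: boolean, channels: { email?, push? } }
    apply(consent) {
      if (!consent || consent.dataCollection !== true) {
        return { started, attributes: null }; // no consent: never touch the SDK
      }
      if (!started) {
        sdk.start(); // called at most once, and only after opt-in
        started = true;
      }
      const attributes = channelAttributes(consent.channels || {});
      if (Object.keys(attributes).length > 0) sdk.setUserAttributes(attributes);
      return { started, attributes };
    },
  };
}

// Constructed stand-in for the SDK that records the calls it receives.
function createRecordingSdk() {
  const calls = [];
  return {
    calls,
    start: () => calls.push(["start"]),
    setUserAttributes: (attrs) => calls.push(["setUserAttributes", attrs]),
  };
}
```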
Block data collection and processing
If a user objects to data processing, you can prevent Leanplum from collecting and processing data for that user with the SetUserBlockStatus API request.
SetUserBlockStatus will stop Leanplum from collecting data for that user moving forward. In order to ensure that Leanplum does not process this user’s old data, we will delete all of their data from our systems.
SetUserBlockStatus is still in development. Stay tuned for details and additional documentation on this method.
Erasing user data
Under GDPR, data subjects have the right to request the deletion or removal of personal data.
To delete a user’s data from Leanplum, you can use the deleteUser request, which will delete all attributes for that user. See our API documentation for more on the deleteUser call.
Support for deleting sessions data will be added to the deleteUser API call in the coming weeks.
Note: If you export data from Leanplum to an S3 bucket, you are responsible for handling GDPR requests involving the exported data.
Data access and portability
Users also have the right to request a copy of their personal data in a human or machine-readable format. The GDPR also specifies that data subjects can obtain and reuse their personal data for their own purposes (for example, to create an account with a competing service).
To receive a copy of a user’s data, you can use the exportUser request. This will return all user attributes. Support for exporting a user’s sessions data will be added in the coming weeks.
More coming soon on how to request your users’ data from Leanplum.
Rectify user data
As a data controller, you must give users the ability to correct personal data if they feel it is inaccurate or incomplete. In Leanplum, this includes user location, user attributes, and device attributes.
If you are unsure of how to use some of the methods or processes above, contact firstname.lastname@example.org for assistance. We are happy to answer any questions on how to use our platform. Of course, please do not mistake this for legal advice. If you have legal questions about the GDPR, we urge you to consult with your lawyer.
You can also find some general guidelines for using the Leanplum API here.