
Last update: May 2019

Complying With Data Privacy Laws Post-Cambridge Analytica Scandal

In an age where consumption of digital content is at an all-time high, mobile notifications are a key gateway for communicating with your customers. According to Mary Meeker’s 2018 Internet Trends Report, adults in the US alone are on their phones 3.3 hours per day. A whopping 87% of that is spent on mobile apps.

But in an environment that is supersaturated with content, holding a user’s attention long enough to engage with them in a meaningful way can seem nearly impossible. A notification has to arrive at the right moment and be targeted so precisely that it reads as if your brand were talking one-on-one with that person. But how can this coexist with data privacy laws?

Using Device-Side Data to Personalize Your Push Notifications

Every customer is different, and everyone has different times of day that they’ll be receptive to receiving mobile communications. People have limited bandwidth for irrelevant or impersonal communications, and inundating customers with generic notifications will do your brand more harm than good.

Luckily, customers provide a wealth of information as to their age, gender, likes and dislikes, geolocation, purchase history, behavioral habits, and more in their personal data. Apps use data triggers such as these to build a well-rounded picture of what a user might be interested in hearing about.

For example, a mobile app can use data regarding a person’s schedule to ascertain that they finish work at 5:30 pm on weekdays, commute home for half an hour, and would be most receptive to reading a notification between the hours of 6:00 and 9:00 pm. They might be at home, connected to Wi-Fi, and with their phone screen unlocked. True advanced personalization uses real-time context to gauge the best moment of delivery from the user’s end, not the marketer’s end.

As to other metrics, consider following a chain of interest, beginning with a recent purchase. If a user recently booked flights to Barcelona, they might also be interested in notifications about booking a hotel or hiring a car, or about sporting matches or cultural events that might be on in the city the week they’re there. They might be looking to buy a Spanish phrase book, or this might be the opportune moment for Duolingo to remind them to practice their Spanish lessons.

Privacy Laws Preventing the Abuse of Personal Data

However, as our understanding of personal data evolves, it becomes clear that it has enormous potential and can be leveraged for much more than economic benefit. Customers are growing more critical of what happens to their data, and of which third parties it is being sold to. Local privacy laws have been passed to reflect that.

The infamous Cambridge Analytica scandal of 2018 saw the political consulting firm harvest the personal data of up to 87 million Facebook profiles without their owners knowing, with the goal of influencing major political campaigns. During the fallout from this massive misuse of personal data, the EU’s General Data Protection Regulation (GDPR) came into force, in May 2018. It outlines how data can legally be collected and used, with the aim of giving individuals control of their own data.

Data privacy laws in the United States are less uniform, with requirements varying from state to state. Mobile apps operating under US jurisdiction also have to consider HIPAA and COPPA, which deal with the security and privacy of medical data and children’s data respectively.

How To Ensure Compliance With Privacy Laws For Your App

Push notification Software Development Kits (SDKs) leverage device-side data to maximize personalization of messages sent, for the benefit of both user and app. But with increased public awareness of data privacy and the passing of GDPR, how can you be sure that your push notification platform remains fully compliant? Some platforms have been forced to reassess their business model, with OneSignal for the first time introducing paid packages where they don’t sell app data to third parties.

However, by far the most secure and compliant route is to work with an SDK that is GDPR compliant by default. That is, the ideal push notification SDK does not need to vouch for the privacy and security of user data, because the data never leaves the individual device in the first place.

With OpenBack’s device-side SDK, all data-driven triggering of push notifications happens on the device itself, and user data leaves the device only if the app obtains the user’s explicit opt-in consent. A user’s right to be forgotten under GDPR is also protected, as OpenBack supports immediate deletion of a specific user’s data on request. As the data processor, OpenBack facilitates compliance for its customers, allowing your app to activate compliance settings for COPPA and HIPAA, as well as GDPR if required, at onboarding.
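To make the on-device model concrete, here is an added example that is not OpenBack’s SDK nor any real push platform’s code; the class and function names (DeviceContext, Rule, LocalEngine) and the sample rule and contexts are hypothetical and constructed for illustration. It evaluates the weekday delivery window and the Wi-Fi/screen-unlocked context from the personalization section locally, sends nothing upstream but a delivery counter unless the user has opted in, and honours an erasure request by wiping the local store:

```python
"""Device-side notification triggering with consent gating and erasure.

Added illustration only: this is not OpenBack's SDK or any real push
platform's code. The names below (DeviceContext, Rule, LocalEngine) are
hypothetical. Rules are evaluated against signals that stay on the handset;
the payload that goes upstream carries a counter only, unless the user has
explicitly opted in to sharing.
"""
from dataclasses import dataclass
from datetime import datetime, time
from typing import Callable, Dict, List

Predicate = Callable[["DeviceContext"], bool]


@dataclass
class DeviceContext:
    """Signals read locally on the device (constructed sample values)."""
    now: datetime
    on_wifi: bool
    screen_unlocked: bool


@dataclass
class Rule:
    """A local trigger: a predicate over device state plus a message template.
    Templates reference profile keys; the rule itself holds no personal data."""
    name: str
    fires: Predicate
    template: str


def in_weekday_window(start: time, end: time) -> Predicate:
    """Delivery window such as 18:00-21:00 on weekdays (Mon=0 .. Fri=4)."""
    return lambda ctx: ctx.now.weekday() < 5 and start <= ctx.now.time() <= end


def receptive(ctx: DeviceContext) -> bool:
    """Real-time context check: on Wi-Fi with the screen unlocked."""
    return ctx.on_wifi and ctx.screen_unlocked


class LocalEngine:
    """Keeps the profile on-device and decides locally what to display."""

    def __init__(self, rules: List[Rule], share_opt_in: bool = False) -> None:
        self.rules = rules
        self.share_opt_in = share_opt_in
        self.profile: Dict[str, str] = {}  # never synced unless share_opt_in
        self.delivered = 0

    def record(self, key: str, value: str) -> None:
        """Store an attribute locally, e.g. the destination of a recent booking."""
        self.profile[key] = value

    def decide(self, ctx: DeviceContext) -> List[str]:
        """Evaluate every rule on the device; return the messages to display.
        Rules whose template needs a profile key we do not hold are skipped."""
        messages = []
        for rule in self.rules:
            if not (receptive(ctx) and rule.fires(ctx)):
                continue
            try:
                messages.append(rule.template.format(**self.profile))
            except KeyError:
                continue
        self.delivered += len(messages)
        return messages

    def upstream_payload(self) -> dict:
        """What would be sent to the vendor: a count only, unless opted in."""
        payload = {"delivered": self.delivered}
        if self.share_opt_in:
            payload["profile"] = dict(self.profile)
        return payload

    def forget(self) -> None:
        """Right to erasure: wipe local attributes and counters immediately."""
        self.profile.clear()
        self.delivered = 0


# Constructed sample rule and contexts, following the Barcelona scenario.
RULES = [
    Rule("trip_language", in_weekday_window(time(18, 0), time(21, 0)),
         "Practise your Spanish before your trip to {destination}"),
]
WEEKDAY_EVENING = DeviceContext(datetime(2019, 5, 8, 19, 30), on_wifi=True, screen_unlocked=True)
SATURDAY_EVENING = DeviceContext(datetime(2019, 5, 11, 19, 30), on_wifi=True, screen_unlocked=True)
SCREEN_LOCKED = DeviceContext(datetime(2019, 5, 8, 19, 30), on_wifi=True, screen_unlocked=False)


def demo() -> dict:
    """Run the engine through the scenarios and return what each step produced."""
    engine = LocalEngine(RULES)  # default: nothing personal leaves the device
    engine.record("destination", "Barcelona")
    result = {
        "weekday": engine.decide(WEEKDAY_EVENING),
        "saturday": engine.decide(SATURDAY_EVENING),
        "locked": engine.decide(SCREEN_LOCKED),
        "payload_no_consent": engine.upstream_payload(),
    }
    engine.forget()
    result["payload_after_forget"] = engine.upstream_payload()
    return result


if __name__ == "__main__":
    print(demo())
```

The check a practitioner would want is the one `upstream_payload` makes visible: before consent, the only thing leaving the device is a counter, and after `forget` even that is reset. In a real SDK integration the equivalent check is to put the app behind an intercepting proxy and confirm that no profile attributes appear in outbound requests until the opt-in flag has been set.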

Data Privacy Moving Forward

As more and more of our daily lives migrate onto our phones and other devices, it becomes imperative to lay down the parameters of how to leverage data while simultaneously protecting user privacy.

It is likely that, as technology grows in capability, local laws will also evolve to address greater privacy concerns. In light of this, any company that works in the mobile industry is well advised to stay informed of any new developments in data privacy regulation. That way you can continue to provide top-quality communications for your customers while staying on the right side of the law.