Flurry Analytics and GDPR

(updated: May 7, 2018, 11:00PM Pacific)

What is GDPR?

The EU General Data Protection Regulation, or GDPR, is a set of requirements generally designed to give people in Europe, or “data subjects”, more protection of and control over their data. The requirements generally apply to all organizations or products: (1) in any location and industry, that process the personal data of data subjects; or (2) that operate out of the EU.

For consumers, GDPR provides new and stronger rights with regard to their data. Once in effect, consumers will generally be able to access their data, edit or correct it, move it, erase it, opt out of certain uses and restrict it from being processed.

For companies, GDPR requires measures to protect personal data and to notify authorities, and possibly data subjects, if there is ever a breach of personal data by those companies or their vendors. It also introduces new transparency and accountability requirements for processing personal data, including giving clear notice of data collection and type of data use, and keeping records of data processing.

Flurry Analytics as a Processor

As defined by the GDPR guidelines, “a controller is the entity that determines the purposes, conditions and means of the processing of personal data, while the processor is an entity which processes personal data on behalf of the controller.”

You as a Controller

As a Controller, you have at least two responsibilities with regard to the data sent to Flurry:

  • Identify all your responsibilities with regard to GDPR for your properties. Flurry recommends contacting your legal representatives with regard to this.

  • Determine the legally justifiable basis for the EU personal data you send to Flurry for processing. Please consult your legal representative for guidance on your responsibilities.

  • Fulfill the requests of your end users with respect to Data Subject Rights. As a Processor, Flurry provides tools that enable you to fulfill these requests with respect to the data sent by your app to Flurry. There are two options for this:

    • For those that wish to provide a DSR interface for their users, Flurry has a collection of APIs that allow you to exercise DSRs you receive from your end users. Details are available here.
    • If you want to leverage a pre-built solution, Flurry has a Privacy Dashboard service that will allow your users to exercise DSRs directly on a site hosted by Flurry’s parent company, Oath. You can read more about this here.

Important Dates

The following dates represent important milestones for Flurry Analytics support for GDPR.

April 25, 2018 - The Flurry Analytics Data Subject Rights APIs - COMPLETED as of April 26, 2018

May 7, 2018 - The updated Flurry Analytics Terms of Service - 3rd UPDATE - The updated Flurry Terms of Service can be found at https://developer.yahoo.com/flurry/legal-privacy/terms-service/flurry-analytics-terms-service.html and the Flurry Data Processing Agreement at https://developer.yahoo.com/flurry/legal-privacy/flurry-analytics-dpa.html

May 25, 2018 - On this date, GDPR goes into effect and your responsibilities are required to be fulfilled.

FAQ

Q: Do I need to update the Flurry SDK in my app for this?

A: In a processor role, Flurry assumes that the personal data that is sent to us has all the proper legal bases for its use in an Analytics capacity. What this means is that any Flurry SDK can be used to send personal data to Flurry as long as you have gained the proper legal basis to do so, whether via consent from the user, or another basis.

Q: How does Flurry help me service EU citizen Data Subject Rights (DSRs)?

A: Please see the section “You as a Controller” above.

Q: When will the DSR APIs be available?

A: UPDATE The Flurry Analytics DSR APIs were made available on April 26, 2018.

Q: Do I have to build a service that allows the users of my app to exercise DSRs?

A: Flurry will be providing, free of charge, a Privacy Dashboard service for any app developers in need of such a service. Details are available here.

Q: Will there be updated Terms of Service (TOS) for Flurry?

A: Yes. These updated terms are under review.

Q: When will the updated TOS be available for review?

A: You may review the new Flurry Terms of Service here: https://developer.yahoo.com/flurry/legal-privacy/terms-service/flurry-analytics-terms-service.html

Q: Does Flurry have a Data Processing Agreement (DPA)?

A: UPDATE 2 Yes. You can review the DPA here: https://developer.yahoo.com/flurry/legal-privacy/flurry-analytics-dpa.html

Q: Does the Flurry SDK collect what GDPR defines as “personal information”?

A: Yes. In order to provide unique count analytics such as DAU, DAD, MAU, MAD and features such as Retention, Funnels, Crash, and others, Flurry Analytics collects device identifiers that are considered “personal information” under GDPR. This is a standard practice in the marketplace and is required in order to provide these analytics.

Q: Will Flurry Analytics provide a “privacy concern free” version?

A: Not at this time. In reviewing the value of such a service, we determined that the value to you, Flurry Analytics’ customer, would be too low to justify the effort. Such an analytics system could only count things like sessions or events and could provide neither analytics such as Unique Counts (e.g. DAU, DAD, MAU, MAD) nor features such as Crash, Funnels, Retention, and other valuable features.

Q: If one of the users of my app exercises a Delete or Object DSR, will it change my metrics?

A: In some cases, yes. For data that has been summarized already (e.g. Sessions, DAU, DAD, etc.), the counts will be unaffected. For features that are calculated on the fly, such as the items in Explorer, the values will change. We expect the overall volume of Delete, Object, and Restrict DSRs to be low and therefore the impact to your metrics to be negligible.

Q: If one of the users of my app declines the Opt-In, how will that affect my data?

A: For any user of your app that declines the opt-in, you may not start the Flurry session on the device. For this reason, this device’s data will not be reflected in your metrics.

Q: Do we need to educate users regarding their rights under GDPR?

A: There is pretty clear language in GDPR that provides information on this topic. This is certainly a question that you should take up with your legal representatives.

Q: How will the users of my app get the IDs that they need to exercise a DSR?

A: Your app has access to the necessary identifiers for allowing users to exercise their DSRs. Given this, you have many options on how to collect and execute a DSR for data in Flurry Analytics and any other processor you utilize. One example could be to have an option within your app to Exercise Access DSR, which sends a request which includes the necessary IDs to your systems/team for manual or automated processing. There are many options for doing this and you must work with your legal representatives and team to determine the approach that best fits your needs and meets the requirements of GDPR.

Q: I noticed in the Admin -> Manage -> Versions of the dashboard, there is a function to ‘Stop EU processing’. What does it do exactly?

A: This feature allows you to disable the processing of data from countries covered by the European Union’s General Data Protection Regulation for any version of your app. This feature is designed to provide you with a method for controlling data that comes in from historic versions that don’t have any consent capabilities.

Further Questions

If you have any questions regarding Flurry Analytics and GDPR, please contact support@flurry.com.

Please Note: This is a living document. New details will be added as they become available.