Flurry Analytics and GDPR

(updated: April 19, 2018, 11:26AM Pacific)

What is GDPR?

The EU General Data Protection Regulation, or GDPR, is a set of requirements generally designed to give people in Europe, or “data subjects”, more protection of and control over their data. The requirements generally apply to all organizations or products: (1) in any location and industry, that process the personal data of data subjects; or (2) that operate out of the EU.

For consumers, GDPR provides new and stronger rights with regard to their data. Once in effect, consumers will generally be able to access their data, edit or correct it, move it, erase it, opt out of certain uses and restrict it from being processed.

For companies, GDPR requires measures to protect personal data and to notify authorities, and possibly data subjects, if there is ever a breach of personal data by those companies or their vendors. It also introduces new transparency and accountability requirements for processing personal data, including clear notice of data collection and type of data use, and to keep records of data processing.

Flurry Analytics as a Processor

As defined by the GDPR guidelines, “a controller is the entity that determines the purposes, conditions and means of the processing of personal data, while the processor is an entity which processes personal data on behalf of the controller.”

You as a Controller

As a Controller, you have at least two responsibilities with regards to the data sent to Flurry:

  • Identify all your responsibilities with regaqrds to GDPR for your properies. Flurry recommends contacting your legal representatives with regard to this.

  • Determine the legally justifiable basis for the EU personal data you send to Flurry for processing. Please consult your legal representative for guidance on your responsibilities.

  • Fufill the requests of your end users with respect to Data Subject Rights. As a Processor, Flurry provides tools that enable you to fulfill thsese requests with respect to the data sent by your app to Flurry. There are two options for this:

    • For those that wish to provide a DSR interface for their users, Flurry has a collection of APIs that allow for you to exercise DSRs you receive from your end users. Details are available here.
    • If you want to leverage a pre-built solution, Flurry has a Privacy Dashboard service that will allow your users to exercize DSRs directly on a site hosted by Flurry’s parent company, Oath. You can read more about this here.

Important Dates

The following dates represent important milestones for Flurry Analytics support for GDPR.

April 25, 2018 - On this date, the following items will be available:

  • The Flurry Analytics Data Subject Rights APIs
  • The updated Flurry Analytics Terms of service

May 25, 2018 - On this date, GDPR goes into effect and your responsibilities are required to be fulfilled.

FAQ

Q: Do I need to update the Flurry SDK in my app for this?

A: In a processor role, Flurry assumes that the personal data that is sent to us has all the proper legal bases for its use in an Analytics capacity. What this means is that any Flurry SDK can be used to send personal data to Flurry as long as you have gained the proper legal basis to do so, whether via consent from the user, or another basis.

Q: How does Flurry help me service EU citizen Data Subject Rights (DSRs)?

A: Please see the section above You as a Controller.

Q: When will the DSR APIs be availble?

A: The Flurry Analytics DSR APIs will be ready for use on April 25, 2018.

Q: Do I have to build a service that allows my users to exercise DSRs?

A: Flurry will be providing, free of charge, a Privacy Dashboard service for any app developers in need of such a service. Details are available here.

Q: Will there be updated Terms of Service (TOS) for Flurry?

A: Yes. These updated terms are under review.

Q: When will the updated TOS be availble for review?

A: The updated Flurry Analytics TOS will be ready for review on April 25, 2018.

Q: Does Flurry have a Data Processing Agreement (DPA)?

A: The updated Flurry Analytics Terms of Service will serve as the DPA between Flurry and its users.

Q: Does the Flurry SDK collect what GDPR defines as “personal information”?

A: Yes. In order to provide unique count analytics such as DAU, DAD, MAU, MAD and features such as Retention, Funnels, Crash, and others, Flurry Analytics collects device identifiers that are considered “personal information” under GDPR. This is a standard practice in the marketplace and is required in order to provide these analytics.

Q: Will Flurry Analytics provide a “privacy concern free” version?

A: Not at this time. In reviewing the value of such a service, we determined that the value to you, Flurry Analytic’s customer, would be too low to justify the effort. Such an analytics system could only count things like sessions or events and could provide no analytics such as Unique Counts (e.g. DAU, DAD, MAU, MAD) nor features such as Crash, Funnels, Retention, and other valuable features.

Q: If one of my users exercises a Delete or Object DSR, will it change my metrics?

A: In some cases, yes. For data that has been summarized already (e.g. Sessions, DAU, DAD, etc.), the counts will be unaffected. For features that are calculated on the fly, such as the items in Explorer, the values will change. We expect that the overall volume of Delete, Object, and Restrict DSRs to be low and therefor the impact to your metrics to be negligible.

Q: If one of my users declines the Opt-In, how will that affect my data?

A: For any end-user that declines the opt-in, you may not start the Flurry session on the device. For this reason, this device’s data will not be reflected in your metrics.

Further Questions

If you have any questions regarding Flurry Analytics and GDPR, please contact support@flurry.com.

Please Note: This is a living document. New details will be added as they become available.