In the first article I laid out some basic information and plans.
In this article we will try to understand the first part of the legal requirements for publishing an app: cookies and personal data.
I'm not a lawyer; this article is my own grasp of what is needed. If you find any factual (or other) mistakes, please let me know in the comments.
You can find info on many sites (such as here or here), but in general, these are the rules:
For most uses of cookies, you need your users to opt in, meaning they give their consent to the use of cookies. It might be a checkbox in the registration form, or a pop-up window they need to accept.
You also have to list what kinds of cookies you use, and let users disable those that are not critical for using the app (i.e. everything beyond necessary and functional cookies).
Users also need to have the option to revoke their consent later, and it should be obvious to them how to do that.
The way I use cookies qualifies them as necessary cookies.
I don't use any third-party services or cookies (such as Google Analytics).
My cookies are therefore exempt from the consent requirement. I have to inform users that I use cookies, but I don't need their consent.
As I only need a simple banner informing users about the use of cookies, I can make one myself or use a generator. I used this one.
The General Data Protection Regulation (GDPR) is an EU-wide set of rules for handling personal data.
Here are some of the definitions we will need.
According to Regulation 679/2016:
‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
What personal data do I collect?
I collect data which identifies a person, such as:
- name (first and last)
- email address (which counts as an online identifier)
- Google ID (if logged in via Google OAuth)
However, the definition of personal data above says that any information relating to an identifiable person is personal data. This means that any data connected to a person's record (through a foreign key, etc.) is also personal data. For my app, that covers everything a user creates (e.g. recipes) and everything I collect about them (e.g. last login time).
I collect this data when users create it (account, recipes, ...).
I also collect some data about app usage (last login, login count, recipe page view count).
I don't pass the data on to any other person or business.
So I will try to pinpoint the main rules that apply to my app:
Since users can already see all their data in the app, this shouldn't be a problem. However, there is some information I keep that isn't shown on the user profile, for example last login date, number of logins, and how many times a certain page was viewed. I use this information to improve the app (knowing the number of active users) and for features like suggested recipes (based on the most viewed ones).
If a user requests this information, I am able to pull it from the database manually (the GDPR gives me a month to fulfil such a request, so that is entirely feasible), but if more requests came in I would probably add an automated way for users to get their data.
What does that mean?
According to Article 18, I have to stop processing a user's data if they request it on the grounds that:
- the data is inaccurate || the processing is unlawful || the app no longer needs the data
I don't expect this to happen in my app, but I still need to tell users how to make such a request.
Also, given how 'restriction of processing' is defined, I need to be able to mark the affected data. I don't do that automatically now, but if I receive such a request, I can implement it (by adding a parameter or flag to the user).
The important thing here is that any information I give users, or publish, about data collection and processing must be easily accessible and easy to understand. It should therefore be in the languages my app is available in: currently only Czech, possibly English in the future. That would mean adding all the legal documents in English as well.
Another important rule: users can request the deletion of their data if their personal data is no longer needed for the purpose for which it was originally collected.
For my app, this mainly means an option to delete their account and all personal data associated with it.
One way is to build this into user profile editing (as seen in many big apps). However, as my app is small and has few users, I am fine with just adding a note that they can contact me with this request, as with the others.
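The three requests discussed above (data access, restriction of processing under Article 18, and account deletion) as one worked example. This is added illustration code, not the app's own code; it uses a constructed in-memory stand-in for the users and recipes tables, and the `processing_restricted` flag is the assumed marker mentioned above.

```python
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class User:
    id: int
    name: str
    email: str
    google_id: Optional[str] = None
    last_login: Optional[str] = None   # usage data not shown on the profile
    login_count: int = 0
    processing_restricted: bool = False  # assumed Article 18 marker


@dataclass
class Recipe:
    id: int
    owner_id: int  # foreign key linking the recipe to its author
    title: str
    view_count: int = 0


# Constructed sample rows standing in for the database.
USERS: Dict[int, User] = {
    1: User(1, "Jana Nováková", "jana@example.com", "g-123", "2020-01-05", 7),
    2: User(2, "Petr Svoboda", "petr@example.com"),
}
RECIPES: Dict[int, Recipe] = {
    10: Recipe(10, 1, "Svíčková", 42),
    11: Recipe(11, 2, "Guláš", 3),
}


def export_personal_data(user_id: int) -> dict:
    """Access request: everything linked to the user, usage data included."""
    u = USERS[user_id]
    return {
        "profile": {"name": u.name, "email": u.email, "google_id": u.google_id},
        "usage": {"last_login": u.last_login, "login_count": u.login_count},
        "recipes": [{"title": r.title, "view_count": r.view_count}
                    for r in RECIPES.values() if r.owner_id == user_id],
    }


def restrict_processing(user_id: int) -> None:
    """Restriction request: mark the user so usage data is no longer updated."""
    USERS[user_id].processing_restricted = True


def record_login(user_id: int, when: str) -> bool:
    """Returns False (and records nothing) while processing is restricted."""
    u = USERS[user_id]
    if u.processing_restricted:
        return False
    u.last_login, u.login_count = when, u.login_count + 1
    return True


def delete_account(user_id: int) -> int:
    """Deletion request: remove the user and every row linked to them."""
    owned = [rid for rid, r in RECIPES.items() if r.owner_id == user_id]
    for rid in owned:
        del RECIPES[rid]
    del USERS[user_id]
    return 1 + len(owned)  # rows removed
```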
According to this article, I must ensure the integrity and availability of the data processing system. This is a bit hard to pin down, but we will look into it more in the section about security. One important part of this rule is that I have a responsibility to test and evaluate the security of my app. It might mean doing a security audit, but it's probably fine to just do my best to secure the data and build a secure app.