Mechanism to capture explicit consent for GDPR?

New EU regulation coming in May 2018 requires explicit consent to be given to capture, use and store all personal data.


I am just about to post my first app on the store (educational game), and I am planning to capture a lot of in-app actions for analytic purposes. This could be considered personal data, as it is related back to a user ID - so I need to capture consent. If people agree to the use of their data, I am prepared to offer them a discount.


Does the purchase process for an app allow me to capture this consent during the transaction, or must I build something into the app itself.


Essentially what I am looking for is a mechanism which says:


Can I use your data?

- if yes, Price A, install as normal

- if no, Price B, turn off data logging (an option in the app)

- for both yes, and no, capture the answer against the customer's ID.


What is the best way to implement this?


Thanks for any advice.

Regards,

Monica

Replies

I think you would have to make it the otherway around. Basically make an app that captures the data you want and get the consent when the user starts using it, and then use IAP (in app purchase) to remove or limit the data collection. Be aware, that the IAP is somewhat tricky and you need etiher to program the validation of receipts in C (if they haven changed it, there some videos on that in the WWDC 2017) or use a third party tool like "recigen" which does that work for you.

Apple has provided the "Store Kit" to help you with the rest!

It is questionable whether consent given in order to receive a discount on IAP will be considered "freely given" under the GDPR.


"To assess whether consent is freely given, Article 7(4) GDPR plays an important role.

21

Article 7(4) GDPR indicates that, inter alia, the situation of "bundling" consent with acceptance of

terms or conditions, or "tying" the provision of a contract or a service to a request for consent to

process personal data that are not necessary for the performance of that contract or service, is

considered highly undesirable. If consent is given in this situation, it is presumed to be not freely

given (recital 43). Article 7(4) seeks to ensure that the purpose of personal data processing is not

disguised nor bundled with the provision of a contract of a service for which these personal data are

not necessary. In doing so, the GDPR ensures that the processing of personal data for which consent

is sought cannot become directly or indirectly the counter-performance of a contract. The two

lawful bases for the lawful processing of personal data, i.e. consent and contract cannot be merged

and blurred."

You can implement your plan by selling the app for the smaller amount (A) but disabling certain features in the app. Then allow the user to enable those features for free, if they agree to the data tracking, or for (B-A) via IAP if they don't. The language you quote says the consent can not be "disguised nor bundled". That means you can't have a two page set of 'terms and conditions' to enable the extra features for free with an "I agree" at the bottom wherein buried in those terms and conditions is the data tracking consent. However, if you state simply "If you allow us to track your data you can get these features for free - for more information tap HERE" then you are not, IMHO, disguising nor bundling.