Under GDPR your customers enjoy a number of rights including the right to be informed. In this article we will explain how Xtremepush can assist you in being compliant in regard to this right.
Background
In general this right means that a customer has a right to know how their personal data will be used. Typically, this will be through a Privacy Notice. This Privacy Notice should be provided free of charge, be transparent and be easy for the customer to access. For any data provided by the customer, the Privacy Notice should include:
- Contact details for the data controller and data protection officer
- Legal basis and purpose for processing
- Data retention period
- A reference to the rights the customer has, such as the right to erasure, right to restrict processing etc.
Such a privacy notice should be made available when someone becomes a customer with updates provided periodically. The privacy notice should also be available at any time to download.
When using Xtremepush you may collect data to enable engagement on marketing channels. Many of these channels and data sources have system-based opt-ins, handled at the OS or browser level, that check for user consent. Others, such as email and SMS, require you to collect the data with consent before passing both to the Xtremepush platform.
Details on how opt-ins work for the channels and data sources in the Xtremepush product suite are given below.
Where you are depending on system based prompts and settings to allow users to opt in for and manage certain capabilities, it is a good idea to put information on how users can use those in supporting docs to your privacy policy.
Channel Opt-ins
Outbound Channels
Push Notifications
The majority of push notifications come with an associated system prompt. Where there is a system-based prompt, it is not possible to send a notification without an explicit opt-in. Details on all of these opt-in mechanisms are given below.
Web Push Notifications
Details on the system opt-in and preference management mechanics for push notifications on supported browsers are given below. When using Xtremepush for notifications, you can control when the dialog to opt users in appears, and you can place an additional value exchange in front of the prompt to further explain the use of notifications:
- Control Prompt: https://support.xtremepush.com/hc/en-us/articles/207298369-Web-Push-Permissions-Prompt-Settings
- Add a value exchange: https://support.xtremepush.com/hc/en-us/articles/115004829625-How-can-I-easily-make-a-Web-Push-value-exchange-pop-up-dialog-
Safari
On Safari you receive a system prompt to "Allow" or "Don't Allow" Push Notifications from a website.
If you opt in and want to manage settings later on Mac in Safari, you can go to Safari > Preferences > Websites and select Notifications. You will see the below:
From here you can select a site and deny notification permissions or remove it altogether. In addition to this, you can also go to the OS settings and tweak notification preferences. Go to System Preferences > Notifications and you will see the below.
From here you can pick a site with notification permissions and tweak how they display.
Chrome
On Chrome desktop and mobile you receive a system prompt to "Allow" or "Block" Push Notifications from a website.
If you opt in and want to manage settings later in Chrome, you can go to Chrome > Preferences > Content Settings and select Notifications. You will see the below:
From here you can select a site and block notification permissions or remove it altogether.
Firefox
On Firefox you receive a system prompt to "Allow Notifications", delay the decision with "Not Now" or "Never Allow" Push Notifications from a website.
If you opt in and want to manage settings later in Firefox, you can go to Firefox > Preferences, search for "Notifications" and select Notifications settings. You will see the below:
From here you can select a site and block notification permissions or remove it altogether.
Mobile Push Notifications
iOS Push
On iOS before push notification services can be used by the App, users are asked if they allow notifications through an OS system prompt as shown below. The App name appears in inverted commas and the notification usage explanation is standard system text with buttons for OK/Don’t Allow.
When using Xtremepush for notifications, you can control when the dialog to opt users in appears, and you can place an additional value exchange in front of the prompt to further explain the use of notifications:
- https://support.xtremepush.com/hc/en-us/articles/209158229-Controlling-when-notification-permissions-dialog-is-shown-iOS-
After the user has opted in, and regardless of any additional preference logic you may want to implement in your app, notifications received on iOS can be controlled from the notification center in the settings section of the device. iOS users have a great deal of control when it comes to enabling or disabling push notifications, as they can be turned off or on by the user at any time. Additionally, before iOS apps can send push notifications to a specific user, they must ask and receive permission from that user.
Steps 1, 2, and 3 below show how an iOS user can easily adjust their push notification settings.
Step 3 also highlights how iOS users can adjust the alert style of their notifications when the phone is locked, for example:
- None: No alert will appear on the locked screen.
- They can select different behaviors, such as a banner appearing at the top of their screen or an alert appearing in the centre of their screen.
Step 1: Enter Settings
Step 2: Go to Notifications and select the app
Step 3: Turn on/off the notifications
NOTE: the exact location and range of options in settings will vary depending on the version of iOS being used. For example, on iOS 11 the options related to badges changed; see below for the different form of the options compared with the earlier version shown above.
Android Push
Currently on Android, push notifications are a default capability for mobile apps, i.e. they do not require a system opt-in prompt. Other capabilities like location, camera etc. have a system dialog that appears before they can be used, for apps that target Android 6+. You can see this demarcation clearly in App settings, where capabilities like location are managed under permissions while notifications have their own section.
NOTE: the above example is from an Android 7 device. The exact format may change depending on the Handset manufacturer and Android OS version. For example on older versions of Android there is no permissions section in app settings and Notifications is a simple tick box with no fine grained controls.
Android Opt-in Prompt?
Notification capability on Android does not currently require a system prompt which is unusual compared to push notifications on other systems. Consequently there is no standard approach to push opt-in for Android. Some practical approaches are emerging. You can for example add a custom dialog that informs the users of the notification situation on Android when they first install. In the example below users can click OK to close the dialog and accept the default position or “Go to Settings” to configure notifications in the App’s system notification settings.
Other Outbound Channels - Email, SMS
For other outbound channels such as Email or SMS, where you collect a credential such as an email address or mobile number that enables an outbound communication method, you are responsible for collecting that data in a compliant manner. These channels do not come with default system prompts for opting users in, so you will have built a custom method or used a third party method for collecting these credentials. You will then be passing data for subscribers on to the Xtremepush platform.
When you pass this data on to Xtremepush as described in the user profiles guide, we can only act on the data given. For example, if what you are sending tells us that you have permission to send an email, then the platform will allow email to be sent to that user.
- User Profile Guide: https://support.xtremepush.com/hc/en-us/articles/360000850789-User-Profiles-Quick-Start-Guide
In addition to being obtained correctly, the data should also be maintained correctly. For example, if users can unsubscribe from email by a mechanism not provided by Xtremepush, then this unsubscribe source must be synced with the Xtremepush platform via API so that the records on Xtremepush are in sync with your customers' preferences. The data should also only be used for the purpose for which it was collected.
On Site/In App Channels
The On Site or In App channels, i.e. On Site / In App messages or inboxes, have no outbound reach when users are not on your site. They are a feature of your site/App that users only interact with when using your site/App. As such, explicit opt-ins are not required for these channels. However, any data used to trigger, target, or personalise the content on these features should be obtained in a compliant manner and be covered in your privacy policy.
Data Opt-ins
Data Collected and passed to Xtremepush should be obtained in a compliant manner. Collection of Personal Data and use of same should be covered in your privacy notice. And you should not pass any data to Xtremepush that you do not have the right to collect.
You can find details on the mechanisms for passing data to the Xtremepush platform in the User Profile and Device Profile sections of the docs. You should read these sections carefully to understand what data may be passed and how in different scenarios, for example if you have added the mobile SDK to an app and enabled certain functionality.
Certain data-related capabilities have system-based prompts and settings that allow users to opt in to and manage them. It is a good idea to put information on how users can use those in supporting docs to your privacy policy. Details on these are given below.
Location Data
If you use the location services available as part of the mobile SDKs then when you enable it your users will be prompted on their mobile device. You can control when this dialog to opt in users appears and you can place an additional value exchange in front of the prompt to further explain use of notifications:
- iOS: https://support.xtremepush.com/hc/en-us/articles/205669522-iOS-Location-Services
- Android: https://support.xtremepush.com/hc/en-us/articles/205816971-Android-Location-Services-
How opt-ins behave for location capabilities on the two major Mobile Operating Systems - iOS and Android is outlined below. These are hard opt-ins dictated at the OS level that cannot be overridden by a brand who have a mobile App available for those operating systems or by a service provider such as Xtremepush who may provide services for use in the app.
iOS Location
On iOS, before location services can be used by the App, users are asked if they consent to location information being accessed through an OS system prompt, shown below. The brand must explain why the App uses Location Services; this text is included in the configuration of the App before it is placed in the App Store. The App name appears in inverted commas and the location usage explanation appears between the system text and the buttons for Allow/Don’t Allow.
NOTE: the exact format of the dialog may vary depending on the OS version and the types of location access required. Access options include always or while the app is being used. An example with an explanation and both types is shown below.
After the user has opted in, location access on iOS is controlled from the app center in the settings section of the device. iOS users have full control when it comes to enabling or disabling location access, and it can be turned off or on by the user at any time. You can see below that when you find an app in settings, location is one of the options in an individual app’s settings. From here the user can turn location access off or choose between the always or while the app is being used options as appropriate. The explanation for why location access is required also appears below the options in the location settings.
Android Location
(Android 6.0 and Up)
On Android where the App targets a newer version of the OS (6+) before location services can be used by the App, users are asked if they consent to location information being accessed through an OS system prompt shown below. The App name appears in inverted commas and the location usage explanation appears bold in the system text above buttons for Allow/Deny.
(Older Versions of Android)
If an App targets an older version of the OS there is no location prompt. On older versions of Android when installing the App first you will see a dialog that shows required App permissions, these must be accepted by the user to install the app. If required by the App location access appears in here as shown in the example below:
The above should not be an issue, as you should not be targeting such an old version of Android. See this excerpt from the Android announcement:
In the second half of 2018, Play will require that new apps and app updates target a recent Android API level. This will be required for new apps in August 2018, and for updates to existing apps in November 2018. This is to ensure apps are built on the latest APIs optimized for security and performance.
https://android-developers.googleblog.com/2017/12/improving-app-security-and-performance.html
After the user has opted in, location access on Android is controlled from the app center in the settings section of the device. Android users have full control when it comes to enabling or disabling location access, and it can be turned off or on by the user at any time. You can see below that when you find an app in settings, location is one of the options in an individual app’s permissions settings. From here the user can turn location access off or on.
Advertising IDs
If you use the Install attribution services available as part of the mobile SDKs then when you enable it you will be collecting Advertising Identifiers. Users can manage settings related to these IDs on their device and it is good practice to provide them with information on how to do that as part of supporting docs to go with your privacy notice.
iOS
iOS users are each assigned a specific anonymous identifier by the device for use in advertising - the IDFA. This iOS function cannot be turned off, but users can reset it and create a new, random IDFA at any time.
From the Home screen, navigate to: Settings > Privacy > Advertising
To limit ad tracking, tap the Limit Ad Tracking switch to turn on or off.
To reset advertising identifiers, tap Reset Advertising Identifier then tap Reset Identifier.
Android
Android users are each assigned a specific anonymous identifier by the device for use in advertising. This Android function cannot be turned off, but users can reset it and create a new, random Google advertising ID at any time.
Open the menu on your phone by tapping on the menu icon which will display your apps list. Then find and select Google Settings. It may also be found in settings under Google.
On the next screen you can tap on "Ads", then select "Reset advertising ID". A pop up will come onto your screen then you tap on "OK" to consent to creating a new Google Advertising ID. Once you tap "OK" you will generate a new Google Advertising ID which will be displayed on the bottom of your screen.
You can also limit ad tracking, by tapping the Opt-out of interest-based ads option.