9

Let's say we have a mobile app, where every user is associated with app-generated unique user id (ex. 57d2ef8b391277001aad7784).

  • Having the uuid itself that's not possible to identify a user.
  • Having the uuid and access to the app backend infrastructure that becomes possible (by querying users by uuid).
  • During sign-up to our service every user accepts Privacy Policy and allows us to store personal information on our backend infrastructure.

What're legal aspects of usage Crashlytics.setUserIdentifier method in such case? Is it safe to use considering GDPR changes?

I believe the answer depends on the jurisdiction user belongs to. I'd like to find a rock-solid legal answer at least for the US, the EU (GDPR), and Russia (152-FL).

Jason Aller
  • 1,608
  • 3
  • 21
  • 34
AlexKorovyansky
  • 191
  • 3

1 Answers1

3

[I'm not so well-versed on US and Russian law, thus I will limit my answer to EU law.]

Your specific use of a user identifier, as I understood from your question, can be classified as personal data, so in your case, the GDPR seems to apply.

This means that you need to have a) legitimate purposes to process that personal data (e.g. crash reporting) and b) a legal justification for each purpose of processing: it could be based on consent or another legitimate purpose (inc. your own legitimate interests). Consent might not be the best option for you, but it's up to you to decide.

In any case, you need to assess the risks to the data subjects (your users) before you decide. How likely is it that you will get breached, and what potential harm will that cause to your users?

These are some guidelines; my recommendation is that you read the law and the guidelines by the Article 29 Working Group and European Data Protection Board, or hire some good experts on this. There is no easy answer, or one size fits all solution.

The GDPR isn't so hard to understand or implement, but it does require some change in mindset. With the new law, processing personal data carries a higher risk of penalties, so you should do it only when it's absolutely necessary, and with respect to the rights of your users.

Nick Toumpelis
  • 131
  • 3