GDPR Defined

GDPR, or the General Data Protection Regulation, is a comprehensive data protection law that governs the collection, processing, and storage of personal data of individuals within the European Union (EU) and the European Economic Area (EEA).

It places strict requirements on businesses and organizations, including those involved in mobile marketing and messaging, regarding obtaining user consent for data processing, providing transparent information about data practices, ensuring data security, and offering individuals rights over their personal data. 

Compliance with GDPR is essential for businesses engaging in mobile marketing and messaging to safeguard user privacy and avoid hefty fines for non-compliance.

How to Use It in a Sentence

The mobile marketing platform updated its privacy policy to ensure compliance with GDPR regulations, providing users with clearer information on data handling practices and seeking explicit consent for personalized messaging.

Common GDPR FAQs

In simple terms, GDPR is a set of rules designed to protect people's personal data. It gives individuals more control over their personal information and how it's used by companies and organizations.

Essentially, GDPR requires businesses to be more transparent about what data they collect, why they collect it, and how they use it. It also gives individuals the right to access their data, correct any inaccuracies, and even request its deletion in some cases. Overall, GDPR aims to ensure that people's privacy is respected and their data is handled responsibly.

The seven main principles of GDPR are:

1. Lawfulness, fairness, and transparency: Personal data must be processed lawfully, fairly, and transparently. This means that data processing must have a legal basis, be conducted in a way that respects individuals' rights, and be clearly communicated to them.

2. Purpose limitation: Personal data should be collected for specified, explicit, and legitimate purposes and not further processed in a manner that is incompatible with those purposes.

3. Data minimization: Only the minimum amount of personal data necessary for the specified purpose should be processed. This principle emphasizes limiting the collection and storage of personal data to what is strictly necessary.

4. Accuracy: Personal data must be accurate and kept up to date. Data controllers are responsible for taking reasonable steps to ensure the accuracy of the data they process and, where necessary, rectify or erase inaccurate or outdated information.

5. Storage limitation: Personal data should be kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the data is processed. This principle encourages the deletion or anonymization of data when it is no longer needed.

6. Integrity and confidentiality: Personal data must be processed in a manner that ensures appropriate security, including protection against unauthorized or unlawful processing and accidental loss, destruction, or damage.

7. Accountability: Data controllers are responsible for complying with the principles of GDPR and must be able to demonstrate compliance. This includes implementing appropriate measures, documenting data processing activities, and conducting data protection impact assessments when necessary.

Under GDPR, personal data refers to any information relating to an identified or identifiable natural person. This includes not only direct identifiers such as a person's name, address, phone number, and email address but also indirect identifiers such as IP addresses, device IDs, location data, and online identifiers like cookies or advertising IDs. Additionally, personal data encompasses sensitive information such as race, ethnicity, political opinions, religious beliefs, health data, and sexual orientation.

In the context of mobile marketing strategies, GDPR has significant implications for how advertisers collect, process, and use personal data. Advertisers must obtain explicit consent from users before collecting and processing their personal data for marketing purposes, including targeting ads, personalizing content, or tracking user behavior. This means that strategies such as behavioral targeting and personalized advertising require clear and informed consent from users.

Moreover, GDPR mandates that advertisers provide transparent information to users about how their personal data will be used, who it will be shared with, and for what purposes. This impacts mobile marketing strategies by necessitating the implementation of clear and accessible privacy policies, cookie notices, and consent mechanisms within mobile apps and websites.

Overall, GDPR requires mobile marketers to prioritize user privacy and data protection in their strategies, ensuring that personal data is collected and used responsibly, with the explicit consent of users. Adhering to GDPR principles not only helps ensure legal compliance but also builds trust with users, which can lead to stronger customer relationships and increased loyalty in the long run.

GDPR significantly affects the use of cookies and tracking technologies in mobile marketing campaigns by imposing strict requirements on how advertisers collect, process, and use user data. Here's how GDPR impacts the use of cookies and tracking technologies:

Consent requirement

GDPR requires that users give explicit consent before cookies or similar tracking technologies are placed on their devices, unless these cookies are strictly necessary for the functioning of the website or app. Advertisers must obtain consent in a clear and transparent manner, providing users with information about the purpose of the cookies and giving them the option to opt in or opt out.

Transparency and disclosure

Advertisers must provide clear and accessible information to users about the types of cookies and tracking technologies used, their purposes, and the entities involved in data processing. This information should be communicated through cookie banners, privacy policies, and cookie notices, enabling users to make informed decisions about their data.

User control and rights

GDPR gives users greater control over their data by granting them rights such as the right to access their personal data, the right to rectify inaccuracies, and the right to request deletion of data. Advertisers must provide mechanisms for users to exercise these rights in relation to cookies and tracking technologies, such as providing options to manage cookie preferences or delete tracking data.

Data protection by design and default

GDPR mandates that advertisers implement privacy-enhancing measures, such as data minimization, pseudonymization, and encryption, to protect user data collected through cookies and tracking technologies. Advertisers should also regularly assess the risks associated with data processing and take steps to mitigate these risks.

Overall, GDPR requires advertisers to prioritize user privacy and data protection when using cookies and tracking technologies in mobile marketing campaigns. By obtaining explicit consent, providing transparency and disclosure, enabling user control and rights, and implementing privacy-enhancing measures, advertisers can ensure compliance with GDPR while effectively engaging with users through targeted advertising and personalized content.

The consequences of non-compliance with GDPR for businesses engaged in mobile marketing can be severe and encompass various legal, financial, and reputational repercussions. Firstly, regulatory authorities have the power to impose hefty fines for violations of GDPR, which can amount to up to €20 million (equivalent to $22.5 million) or 4% of the company's global annual turnover, whichever is higher. These fines are not merely symbolic but are intended to serve as a deterrent against non-compliance, especially for egregious violations or repeat offenses.

Beyond financial penalties, non-compliance with GDPR can damage a business's reputation and erode consumer trust. In today's digital age, where data privacy is a growing concern for individuals, news of data breaches or privacy violations can spread rapidly through social media and news outlets, tarnishing the brand's image and leading to loss of customers and revenue. Moreover, negative publicity resulting from GDPR violations can have long-lasting repercussions on brand perception and competitiveness in the marketplace.

Furthermore, non-compliance with GDPR may also result in legal consequences, including lawsuits from affected individuals or class-action lawsuits initiated by consumer advocacy groups. These legal battles can drain resources, disrupt operations, and lead to prolonged litigation processes that further damage the business's finances and reputation. Additionally, GDPR violations may trigger investigations by regulatory authorities, resulting in audits, compliance orders, or other enforcement actions that impose additional burdens on the business.

Overall, the consequences of non-compliance with GDPR underscore the importance of prioritizing data privacy and compliance efforts in mobile marketing practices. By adhering to GDPR requirements, businesses can mitigate the risks of fines, reputational damage, and legal liabilities, while also building trust with consumers and fostering a culture of respect for privacy and data protection.

Mobile marketers can ensure compliance with GDPR regulations by implementing several key practices related to data processing, including data collection, storage, and usage. Firstly, they should conduct a thorough audit of their data processing activities to identify all instances of personal data collection and processing within their mobile marketing practices. This includes examining data collection methods such as cookies, tracking technologies, and user interactions with mobile apps and websites.

Secondly, mobile marketers should prioritize transparency and user consent in their data processing practices. This involves providing clear and accessible information to users about how their personal data will be collected, stored, and used for marketing purposes. Marketers should obtain explicit consent from users before collecting and processing their personal data, ensuring that consent is freely given, specific, informed, and unambiguous.

Thirdly, mobile marketers should implement data protection measures to safeguard personal data against unauthorized access, disclosure, or misuse. This includes implementing technical and organizational measures such as encryption, pseudonymization, access controls, and regular security assessments to ensure the security and integrity of personal data throughout its lifecycle.

Additionally, mobile marketers should regularly review and update their data processing practices to ensure ongoing compliance with GDPR regulations. This involves staying informed about changes to data protection laws and regulations, as well as evolving industry best practices and standards for data privacy and security.

By adopting these practices, mobile marketers can demonstrate their commitment to protecting user privacy and data protection, while also mitigating the risks of GDPR violations and associated consequences such as fines, reputational damage, and legal liabilities. Ultimately, compliance with GDPR regulations not only helps mobile marketers build trust with consumers but also fosters a culture of responsible data stewardship and ethical marketing practices in the mobile marketing industry.

As outlined in our GDPR compliance article, and to ensure full compliance with GDPR regulations, OneSignal has undertaken several measures:

  • We have obtained certification from the EU-US and Swiss-US Privacy Shield Frameworks, demonstrating our commitment to meeting the data protection standards required by GDPR.

  • Our Data Processing Agreements (DPAs) include specific provisions addressing GDPR requirements, ensuring that our data processing practices align with the regulation.

  • Both our Terms of Use and Privacy Policy comprehensively outline our data processing and security practices, including details on the personal data we collect, how we use and secure it, users' data control rights, and our responsibilities as a data processor.

  • We adhere to the principles of data minimization and storage limitation mandated by GDPR. Personal information and automated message data within our system are retained for a maximum of 30 days, after which they are promptly erased from our servers. Additionally, data from the dashboard is retained for the lifetime of the respective app.

Regarding data centers, our facilities are located within the EU, ensuring that data processing activities are conducted within GDPR-compliant jurisdictions.

Moreover, we prioritize user consent by allowing clients to maintain control over consent data, which is not stored in our dashboard.

Our approach to sharing SDK information is governed by strict guidelines outlined in our privacy policy. While we utilize SDK information to deliver various services, we only share it with third parties under specific circumstances, such as fulfilling orders, conducting business operations, or as required by law. Importantly, we do not share SDK information with third parties except those who process the data on our behalf, and we uphold these practices even after clients cease using our SDKs.