News & Events

Last update: June 2021


OpenBack Data Privacy Controls – Ensure GDPR-K, COPPA and HIPAA Compliance

The key differentiator that sets OpenBack apart from other push notification platforms in the mobile engagement industry is our approach of on-device technology, aka mobile edge computing to leverage device-side data, without needing to send it to a third-party cloud server for processing.  This is our default approach, and as we have explored in the past, this opens the door to a variety of exciting, new ways of using push notifications to engage users.  Most importantly, OpenBack’s device-side approach allow a range of additional settings, configured anytime in your account to ensure your mobile app will be compliant with data privacy regulations by default.  Fundamentally, the fact that users’ data never has to leave the device, and remains in the user’s possession at all times, means that apps using the OpenBack compliance settings are HIPAA, COPPA, GDPR/GDP-K and CCPA friendly.

Below, we’ll take a closer look at OpenBack’s data privacy compliance mode, and what this entails.

Download our Data Security Whitepaper to learn more about OpenBack’s innovative approach to data privacy:

micro-segment push notification reliable deliverability

What Does OpenBack Data Privacy Settings for Compliance Include?

Each of the data privacy protection laws mentioned above – as well as other regional ones – differs slightly in terms of what kind of data it protects, and whose, and from what. However, by cutting the processing of user data via iOS or Android cloud platforms and servers out of the equation (as seen in the above image), OpenBack’s advance settings can remove any risk of illegal or non-consensual (for COPPA or GDPR-K) data processing, because all data processing occurs 100% on-device.

However, the compliance settings involves other features to support our customers’ compliance with regulations as well. The OpenBack dashboard has a setting option that limits the return of user data to only non-personal data/PII data. And that is only when required by the client, or not covered in the client’s terms and conditions for their mobile apps. OpenBack also supports requests from our clients to hold user-specific data, if the client is using OpenBack to process this data.

OpenBack is also fully compliant with an app user’s Right to Be Forgotten, and we support immediate deletion of all specific user data upon request. This request can be made by an API device-side on the SDK which flows back through OpenBack systems, from a backend API call or even manually by raising a Helpdesk ticket if the request volumes are low and automating things don’t make sense.  This will instantly clear the user data in question on the device/SDK, as well as on the backend (the OBE, the OpenBack Processing Engine).

Finally, for regulations that require user data to stay within certain countries or regions, OpenBack supports storage of data within our US or EU data centers. Otherwise, OpenBack acts as the data processor on behalf of our clients.

openback data privacy compliance mode
OpenBack dashboard screenshot

How to Implement Data Privacy Settings on Our Dashboard

Using the data privacy settings is easy and intuitive, simply login to the OpenBack dashboard and select “Apps” from the lefthand sidebar. Then, click on “App Setup,” the third tab at the top of your screen. This will show you various settings you can customize for each of your apps.

Under the heading “Data Privacy Settings,” you can then toggle between different privacy settings for the app in question. This controls what type of data is sent back tot he OpenBack platform. The option to track Message Outcomes is our default setting, where the only data you track from your push notifications are how the user engages with them: whether the notification delivered, whether the user clicked/dismissed, and whether the notification resulted in a goal completion. These are crucial metrics, which can help in optimizing your push campaign in the long-term, and are not considered sensitive Personal Identifying Information (PII). Otherwise, you can to track Message Outcomes & User Data, or you can opt for No Data Collected.

It’s important to note, if you enable Consent Compliance, whether for COPPA, GDPR, HIPAA, etc., your messages will only deliver to the end user once the app sets “ConsentCompliance” to “true” on the mobile SDK. If ConsentCompliance is on and the SDK hasnt been set as True, no messages are delivered to that user, and the individual message file will not be collected either, so if you have sent a message to just that user they will never get it. The setting for tracking “Message Outcomes & User Data” means that data such as Segment data like attributes, events, custom segments, and the dashboard list of segments like operator, language, last open, etc. for that user are collected and are then available in the backend via API etc.

No Data Collected Option

If you select No Data Collected, then no data gets sent back to the SDK backend.  The unique ID for that install is generated by the SDK on-device, and the App Code which is created in the dashboard to link the app to your account is added during the SDK integration, so the app knows where to collect the right messages for your app. On the dashboard, the metrics charts will then get an overlay explaining they are not showing given Data Collections Settings, aside from the Installs and Active Devices metrics. It will also show a warning shown if some apps have this off, some have it on.

Moreover, once you select the No Data Collected mode, an extra option for “Anonymous Push Token Collection” will be shown with On/Off. If you select Off, the SDK won’t collect push tokens. If you select On, the push tokens go into an anonymous database just for that app and are not linked in anyway to any other information including userIDs, IPs or anything else at all. The push tokens are anonymously stored separately to the user either way.  Even if Off is selected, and the Firebase/APNS cloud is set up, the push tokens still won’t be collected. (For a more in-depth explanation, you can access the Help Pane on the OpenBack dashboard.) but your users will still receive notifications as OpenBack’s on-device technology can still deliver notifications as normal, it just means that you will have to wait for the app to sync and collect the latest messages which it will do according to the sync settings also in the app settings menu, every 12 hours by default.

Data privacy regulations are constantly evolving as our understanding of data privacy changes. Any mobile app with a user base of minors (younger than 16) regardless of whose phone it is, or that deals in healthcare or biometric data, or even just have some users that are based in Europe must do its due diligence with regards to data protection regulations. And especially for kids’ apps, it’s important for mobile apps to make sure they stay on the right side of the law at all times when it come to secure and ethical use of user data.

OpenBack is in a unique position to be able to offer complete data privacy controls for default regulation compliance, thanks to our innovative hybrid platform that operates device-side first, and so data privacy first. As the mobile engagement industry shifts away from processing data in massive cloud servers and towards local, on-device data processing with edge computing, it follows that the security of the end user will become the top priority.

To learn more about how OpenBack’s innovative approach to data privacy, get in touch with one of our experts.


Translate »