I've noticed that the default config of the Android Nav SDK periodically sends out Telemetry events back to Mapbox:
D/TelemetryClient: Sending POST to https://events.mapbox.com/events/v2...
The events have user locations and session IDs. Is that possible to disable this or somehow control the information that's being sent? With GDPR coming up soon, I can see this as being an issue for some of the clients who'd want to use the SDK.
Hey @kozyr, thanks for reaching out!
GDPR does not change our approach to location data - we’ve always considered it very sensitive, and we’ve always treated it that way (it’s why we’ve always required developers to provide a mechanism for their end users to opt-out of data sharing. The information collected by our SDKs contains anonymous data about the map and device location used to continuously update and improve your maps. We don’t use this data for advertisement purposes nor do we share it with any third-party. You can read about our approach in our Telemetry site: https://www.mapbox.com/telemetry/ or on our privacy policy https://www.mapbox.com/privacy/#start.
Developers take different approaches to how they disclose their data practices to end users - we don’t require a particular approach, but here’s an example of one of our customers that we’ve been impressed with in the clarity of their privacy policy disclosures https://www.woovapp.com/privacy/.
Let me know if you have any questions.
@zugaldia This approach goes against GDPR though - you're enabling the tracking and then asking the user to opt-out. GDPR says you should be asking the user to opt-in, and providing a way to opt-out only if they do opt-in.
As part of your events, you're receiving user IP and user locations - and user IP is personal data. Meaning then you either need to ask for opt-in, or every Mapbox map developer need to do that, and disclose Mapbox events to all EU customers.
@kozyr You are correct - developers are responsible for getting the expressive consent of their end users before accessing their users location. You can see the applicable language in our terms of service here:
For all mobile applications that use Mapbox Services, you must....Obtain your users’ affirmative express consent before you access their location....[and]...Disclose that location and usage data will be shared with Mapbox.
For me it seems like the telemetry policy is in breach of the GDPR when it comes to "concent must be freely given"? Please correct me if i am wrong.
"Telemetry service" is not needed for downloading the mapbox maps. It is only one of the parts for improving the service. If user does not accept the telemetry terms he/she can not use the mapbox maps service.
If i understand this correctly it is not following the rule that the "consent must be feely given". The user will feel he need to give the telemetry data to be able to use the mapbox map service. User may f.eks initially have downloaded a sosial media app. But is not able to use it before accepting the "telemetry policy". See section "Detriment" in link below
Consent must be freely given
Data subjects must be afforded real choice and control over data concerning them.Consent is not considered to be freely given if;
The data subject feels compelled to consent due to a real or perceived imbalance of power.
They believe they will face negative consequences if they don’t consent (Detriment).
Consent is bundled up as a non-negotiable part of the T’s & C’s (Conditionality).
They are unable to refuse or withdraw their consent.
Detriment
As a controller you need to ensure that data subjects can freely refuse to the processing of their data without fear of detriment. On top of this subjects must have the ability to withdraw consent without fear of the same. Withdrawing consent shouldn’t lead to any negative consequences or costs for the data subject involved. So, for example, if your customer is a member of your loyalty programme, he or she should be able to opt out of marketing communications from that programme, while still being able to benefit from all the great perks of the programme.
Conditionality
Under GDPR it is a big no-go for you, as a data controller, to intentionally disguise the purpose of personal data processing, or, bundle it in alongside the provision of a contract for which the data is not necessary for the performance of the service (ie whether you’re selling something which requires you to take the customer’s name / address / mobile number / email etc., you can’t add these details to your marketing database without letting the customer know). In short, consent and contract is not to be merged & blurred! Below is an example of what will no longer be permitted under GDPR as should the data subject refuse to consent to this processing activity they will be unable to sign up to the service.
Also the map service and the telemetry service is two different things as i see it and should be split up according to the "granularity" section when it comes to opt in. (The telemetry service is only for improving other services)
Granularity
A service may involve multiple processing operations for more than one purpose. In such cases, the data subject should be free to choose which purpose they accept. Consent must be given separately for each method of processing. So if you are looking to contact your customers with digital marketing communications and wish to share details with other companies within your group, you must provide opt-in options for each (see example below). It is also necessary to be specific as to who you will be sharing this data with and the type of communications they can expect to receive from you.
See the sections in link below : "Consent must be freely given", "Detriment", "Conditionality","Granularity"
https://dataconversion.ie/marketing-opt-ins-affected-gdpr/
Also same in GDPR original docs. ("Consent must be freely given")
https://gdpr-info.eu/art-7-gdpr/
For me it seems like the telemetry policy is in breach of the GDPR when it comes to “concent must be freely given”? Please correct me if i am wrong.
This is not correct. The developer is responsible for seeking the end user's express consent, both for the collection of data generally (if the app does that) and for the sharing of collected location data with Mapbox. If the end user declines to consent to _either_ of these issues, the maps would continue to work. We do not require that developers turn off our service if they are unable to get consent from their end users, we just require that they seek the consent and turn off telemetry if the end user does not grant it.
Hi @zugaldia ,
That is good news. Happy to be wrong in this case.
I tested with this code, but it will only be disabled the next time app is opened.
TelemetryEnabler.updateTelemetryState(TelemetryEnabler.State.DISABLED);
Do you have a recomended way to disable Telemetry ?
@zugaldia as a developer updating apps for GDPR compliance, I'm afraid the current state of the SDK is not GDPR compliant. Telemetry must be disabled until I request the user for consent to share data with third party services.
Apps including any kind of "anlytics", "ads", "crashlytics", (like Firebase, Admob...) etc, must after install (or update) show a GDPR notice to users asking consent to share personal data to third party services, we as developers have to store this consent, gdpr text, and date, and then activate if necessary Telemetry and other third party data consumers.
@Stavanger75 Looks like you were missing one more call. With v6.2.0 (currently in beta) we're introducing Telemetry.disableOnUserRequest() to simplify the process https://github.com/mapbox/mapbox-gl-native/pull/12024. Please do open a ticket on https://github.com/mapbox/mapbox-gl-native/issues if you see any issues using this API.
@pamartineza I believe that my note above still applies. The developer has the option to decide when to initialize the Mapbox SDK so that you have an opportunity to provide the appropriate notice to your users beforehand. For those cases where you don't get permission to access location updates from a specific user you can use the API mentioned before to disable telemetry collection.
@zugaldia I'm not sure if I understand the proposed flow:
First thing, show consent notice, then if I users doesn't provide consent, I have to initialize Mapbox SDK to be able to see maps, which in turn enables telemetry, and then disable telemetry?
@pamartineza that's correct - because of the thresholds included with the telemetry SDK (180 events or 180 seconds) that flows guarantees no information will leave the device if the user doesn't provide consent.
In parallel, we're looking at ways to make this process smoother and more performant. If you have any feedback or suggestions on how to improve it, please do open a ticket on https://github.com/mapbox/mapbox-gl-native/issues/new and tag me for follow up. Thanks!
@zugaldia thanks for the information.
@zugaldia a bit "hacky" but it should work
Most helpful comment
@zugaldia This approach goes against GDPR though - you're enabling the tracking and then asking the user to opt-out. GDPR says you should be asking the user to opt-in, and providing a way to opt-out only if they do opt-in.
As part of your events, you're receiving user IP and user locations - and user IP is personal data. Meaning then you either need to ask for opt-in, or every Mapbox map developer need to do that, and disclose Mapbox events to all EU customers.