GDPR & CCPA Readiness with AppsFlyer | AppsFlyer

AppsFlyer Readiness forGDPR &

As the industry’s leading mobile attribution and analytics platform, AppsFlyer is committed to providing its customers full transparency and control over their users’ personal data, empowering them in their pathway to GDPR and CCPA compliance.

What it Means
What are the GDPR and CCPA and how do they affect AppsFlyer customers?


On May 25, 2018, The European Union began the enforcement of a new data privacy law called the General Data Protection Regulation (GDPR) replacing the previous Data Protection Directive. A primary aim of the GDPR is to provide people in the EU greater control over their personal data and data which is collected about them.

EU圏の人々の個人データを収集(またはデータ収集会社の代わりに処理)する企業は 、企業がEU圏に物理的に存在しない場合でも、GDPRの対象となります。つまり、AppsFlerのお客様を含めて、グローバルまたはオンラインにプレゼンスのある大半のビジネスが影響を受けることになります。



The California Consumer Privacy Act (CCPA) is a state law that will become operational January 1, 2020. The CCPA is intended to provide individuals (in this case California residents) with increased control over their data and privacy while imposing increased obligations on businesses.

The CCPA applies to any for-profit organization that meets certain conditions and does business in California. “Doing business in California” should be interpreted broadly to include anyone who collects or sells personal information of California residents. This regulation applies to many of AppsFlyer’s customers.


The CCPA takes effect January 2020. Are you prepared?

Our Commitment to You


AppsFlyer is committed to and has invested significant and strategic resourcesimplementing rigorous technical measures and working with leading third party consultantsto provide diligent GDPR and CCPA compliance across our solutions and teams.


At AppsFlyer, we are committed to stringent data confidentiality, privacy and security.
Rated compliant by top industry regulators:


AppsFlyerのデータ転送の実務は、EU-U.S. プライバシーシールドフレームワークによって認証されています。欧州および米国のクライアントは、欧州と米国の間で合法的にデータを転送するためにプライバシーシールドフレームワークに頼ることができます。


To help advertisers (controllers) to adhere to the GDPR and CCPA obligations towards their end-users requests, AppsFlyer has built new APIs to manage users’ (data subjects’) requests for:

  • 削除権(忘れられる権利)
  • アクセス権
  • データポータビリティの権利
  • 訂正の権利

データプロテクション by デザイン


  • 個人データは、ユーザーの同意が得られた場合にのみ収集されます。
  • 匿名化および暗号化された個人データオプション
  • 個人データの販売または再仲介なし
  • Mobile/ Web SDK opt-out/opt-in options
  • Honoring do-not-measure privacy choices


OpenGDPR is a universal, secure, and common framework for compliance with GDPR mandated data subject rights. The OpenGDPR framework presents a public API specification along with a recommended set of best practices for implementing and maintaining a connected and compliant stack. By adopting OpenGDPR, brands can reliably address data subject requests across their partner ecosystems, in near real-time. Adhering to the GDPR and CCPA Right of Deletion, OpenGDPR helps organizations globally take another step toward compliance.

 Best Practices
Recommendations for compliance preparation

Mobile app developers and advertisers utilize unique, personal identifiers to measure and understand their performance, optimize their app’s effectiveness and marketing. To ensure that you are complying with the personal data security requirements, here is a list of 7 key recommended measures to take towards GDPR and CCPA readiness:

  1. AppsFlyerのような一流の業界標準に準拠した、確立された第三者ツールを使用すること。
  2. すべてのデータの収集、処理、保管、かつ、データ処理のライフサイクルをマップして文書化する。適切なセキュリティがあらゆる段階で採用されていることを確認すること。
  3. ユーザーの個人データの収集と使用に関して、情報提供を受けた上での明白なデータ主体の同意を得ること。
  4. あなたのアプリはアクセスするすべてのデータを本当に必要としていますか?エンドユーザーに提供されるサービスの目的に絶対に必要なものだけを使用するように努めること。
  5. 同意の取り消しを含むユーザーの要求を管理し、対応すること。
  6. あなたのテクノロジー内の潜在的な弱いリンクを特定すること。
  7. Determine whether your privacy policy is up to date containing all disclosures required under the CCPA 

Clear answers to your GDPR & CCPA questions


Does the GDPR apply if we are not an EU based company?
Even non-EU based companies are subject to the GDPR if they offer goods or services in the EU or otherwise monitor the behavior of individuals in the EU.
What information does the GDPR apply to?
The GDPR applies to Personal Data. However, Personal Data is broadly defined and includes identifiers such as IP address, cookies, and device IDs.  Therefore, under such definition data collected by you through your use of AppsFlyer may be deemed Personal Data under the GDPR.
Does it matter where the data is stored?
No. The GDPR provides clear rules and frameworks under which personal data may be transferred and processed outside the EU.  For example data may be transferred to countries deemed by the European Commission as having adequate privacy laws.  Furthermore, data may be transferred under certain frameworks approved by the European Commission, such as the US-EU and Swiss-US Privacy Shield frameworks and Standard Model Contracts.
Does AppsFlyer have a Data Processing Agreement to cover GDPR requirements?
Yes, you may view our DPA here.
Even non-EU based companies will be subject to the GDPR if they offer goods or services in the EU or otherwise monitor the behavior of individuals in the EU.


Does the CCPA apply if we are not a California or US-based company?
Most likely, yes. The “California” part refers to the end user, not the business. CCPA will apply to your organization if it is for-profit and collects/sells information of California residents, determines the purposes and means of the processing of consumers’ personal information and satisfies one or more of the following thresholds:
– has annual gross revenues in excess of $25m
– buys, receives, sells, or shares for commercial purposes, the personal information of 50,000 or more consumers, households, or devices
– derives 50% or more of its annual revenues from selling consumers’ personal information
What information does the CCPA apply to?
Personal information of Consumers (i.e. California residents), where the term “personal information” is defined broadly. Some examples for personal information are specified, and these include IP addresses, email addresses, geolocation data, browsing and search history, to name a few. Therefore, data you collect through your use of AppsFlyer may be deemed Personal Data under the CCPA.
If we comply with the GDPR are we ready for the CCPA?
You’re part way there. While there are some similarities and overlaps between the two laws, they are still very different and require different operational implementations. Areas where you may leverage your GDPR readiness include:
– Data mapping
– Processes to receive and handle data subject requests
– Methods to delete personal information
– Methods to provide access to personal information in readily usable formats
– Technical and organizational measures used to protect personal information
– Privacy notices

General Privacy Questions

How does AppsFlyer handle the data it receives when customers use the AppsFlyer service?
AppsFlyer is committed to providing customers and end users with complete transparency in relation to its privacy practices and to protecting customer data.   AppsFlyer uses the data it receives to provide its services to its customers as more completely described in our Services Privacy Policy.  Furthermore, we implement stringent security and organizational measures including those described here to protect your data.
How does AppsFlyer help its customers with compliance?
To help our customers ensure compliance with the CCPA, AppsFlyer is committed to: 1. Acting only as a service provider for our customers and processing the data only for the stated business purposes 2. Never selling or disclosing any personal information received from our customers 3. Being fully transparent with our customers 4. Supporting customer opt-in and opt-out requirements 5. Ensuring appropriate agreements are in place with our customers 6. Having appropriate technical and organizational measures in place to protect our customer data

A word from our lawyers: Nothing stated here is legal advice. It is provided only for your informational and convenience purposes. You should work closely with legal and other professional advisors to determine exactly how the GDPR, CCPA or any other laws may or may not apply to you.