GDPR & CCPA Readiness with AppsFlyer | AppsFlyer

AppsFlyer Readiness forGDPR &

As the industry’s leading mobile attribution and analytics platform, AppsFlyer is committed to providing its customers full transparency and control over their users’ personal data, empowering them in their pathway to GDPR and CCPA compliance.

What it Means
What are the GDPR and CCPA and how do they affect AppsFlyer customers?


On May 25, 2018, The European Union began the enforcement of a new data privacy law called the General Data Protection Regulation (GDPR) replacing the previous Data Protection Directive. A primary aim of the GDPR is to provide people in the EU greater control over their personal data and data which is collected about them.

Any company that collects (or processes on behalf of the company that collects) personal data of persons in the EU falls under the scope of the GDPR, even if the company has no physical presence in the European Union. This means that most businesses with a global or online presence, including AppsFlyer’s customers are affected.

Learn More


The California Consumer Privacy Act (CCPA) is a state law that will become operational January 1, 2020. The CCPA is intended to provide individuals (in this case California residents) with increased control over their data and privacy while imposing increased obligations on businesses.

The CCPA applies to any for-profit organization that meets certain conditions and does business in California. “Doing business in California” should be interpreted broadly to include anyone who collects or sells personal information of California residents. This regulation applies to many of AppsFlyer’s customers.

Learn More

The CCPA took effect January 1st 2020. Is your business compliant?

Our Commitment to You

At AppsFlyer, data privacy and security are at our core. Our state-of-the-art real-time infrastructure, advanced security and data protection, independent certifications and global regulatory compliance have earned the trust of the world’s leading brands.

AppsFlyer is committed to and has invested significant and strategic resourcesimplementing rigorous technical measures and working with leading third party consultantsto provide diligent GDPR and CCPA compliance across our solutions and teams.

Data Security and Privacy Compliance

At AppsFlyer, we are committed to stringent data confidentiality, privacy and security.
Rated compliant by top industry regulators:

Data Transfer Practices/Transparency

AppsFlyer’s data transfer practices are certified under the EU-U.S. Privacy Shield Framework. EU and US clients can rely on the Privacy Shield Framework to transfer data lawfully between the EU and the US and vice versa.

Data Subject Request Management

To help advertisers (controllers) to adhere to the GDPR and CCPA obligations towards their end-users requests, AppsFlyer has built new APIs to manage users’ (data subjects’) requests for:

  • The right to erasure (a.k.a. the right to be forgotten)
  • The right to access
  • The right to data portability
  • The right to rectification

Data Protection by Design

AppsFlyer has implemented appropriate technical and organizational measures for ensuring that, by default, only personal data which is necessary for each specific purpose of the service are processed, strictly in accordance with our customers’ instructions and configuration.

  • Personal Data is collected only when we obtain assurances of user consent
  • Anonymized and encrypted personal data options
  • No selling or re-brokering of personal data
  • Mobile/ Web SDK opt-out/opt-in options
  • Honoring do-not-measure privacy choices

Maintain a Connected and Compliant Digital Stack

OpenGDPR is a universal, secure, and common framework for compliance with GDPR mandated data subject rights. The OpenGDPR framework presents a public API specification along with a recommended set of best practices for implementing and maintaining a connected and compliant stack. By adopting OpenGDPR, brands can reliably address data subject requests across their partner ecosystems, in near real-time. Adhering to the GDPR and CCPA Right of Deletion, OpenGDPR helps organizations globally take another step toward compliance.

 Best Practices
Recommendations for compliance preparation

Mobile app developers and advertisers utilize unique, personal identifiers to measure and understand their performance, optimize their app’s effectiveness and marketing. To ensure that you are complying with the personal data security requirements, here is a list of 7 key recommended measures to take towards GDPR and CCPA readiness:

  1. Use established third party tools that follow the top industry standards, like AppsFlyer.
  2. Map out and document all data collection, processing and storage, as well as the data processing lifecycle. Ensure adequate security is employed at every stage.
  3. Obtain informed and unambiguous user consent for the collection and use of personal data for the specific purposes for which you are collecting this data.
  4. Does your app really need all the data it accesses? Strive to use only what is absolutely necessary for the purposes of the service provided to your end users.
  5. Manage and respond to users’ requests, including consent withdrawal.
  6. Identify potential weak links within your technology.
  7. Determine whether your privacy policy is up to date containing all disclosures required under the CCPA 

Clear answers to your GDPR & CCPA questions


Does the GDPR apply if we are not an EU based company?
Even non-EU based companies are subject to the GDPR if they offer goods or services in the EU or otherwise monitor the behavior of individuals in the EU.
What information does the GDPR apply to?
The GDPR applies to Personal Data. However, Personal Data is broadly defined and includes identifiers such as IP address, cookies, and device IDs.  Therefore, under such definition data collected by you through your use of AppsFlyer may be deemed Personal Data under the GDPR.
Does it matter where the data is stored?
No. The GDPR provides clear rules and frameworks under which personal data may be transferred and processed outside the EU.  For example data may be transferred to countries deemed by the European Commission as having adequate privacy laws.  Furthermore, data may be transferred under certain frameworks approved by the European Commission, such as the US-EU and Swiss-US Privacy Shield frameworks and Standard Model Contracts.
Does AppsFlyer have a Data Processing Agreement to cover GDPR requirements?
Yes, you may view our DPA here.
Even non-EU based companies will be subject to the GDPR if they offer goods or services in the EU or otherwise monitor the behavior of individuals in the EU.


Does the CCPA apply if we are not a California or US-based company?
Most likely, yes. The “California” part refers to the end user, not the business. CCPA will apply to your organization if it is for-profit and collects/sells information of California residents, determines the purposes and means of the processing of consumers’ personal information and satisfies one or more of the following thresholds:
– has annual gross revenues in excess of $25m
– buys, receives, sells, or shares for commercial purposes, the personal information of 50,000 or more consumers, households, or devices
– derives 50% or more of its annual revenues from selling consumers’ personal information
What information does the CCPA apply to?
Personal information of Consumers (i.e. California residents), where the term “personal information” is defined broadly. Some examples for personal information are specified, and these include IP addresses, email addresses, geolocation data, browsing and search history, to name a few. Therefore, data you collect through your use of AppsFlyer may be deemed Personal Data under the CCPA.
If we comply with the GDPR are we ready for the CCPA?
You’re part way there. While there are some similarities and overlaps between the two laws, they are still very different and require different operational implementations. Areas where you may leverage your GDPR readiness include:
– Data mapping
– Processes to receive and handle data subject requests
– Methods to delete personal information
– Methods to provide access to personal information in readily usable formats
– Technical and organizational measures used to protect personal information
– Privacy notices

General Privacy Questions

How does AppsFlyer handle the data it receives when customers use the AppsFlyer service?
AppsFlyer is committed to providing customers and end users with complete transparency in relation to its privacy practices and to protecting customer data.   AppsFlyer uses the data it receives to provide its services to its customers as more completely described in our Services Privacy Policy.  Furthermore, we implement stringent security and organizational measures including those described here to protect your data.
How does AppsFlyer help its customers with compliance?
To help our customers ensure compliance with the CCPA, AppsFlyer is committed to: 1. Acting only as a service provider for our customers and processing the data only for the stated business purposes 2. Never selling or disclosing any personal information received from our customers 3. Being fully transparent with our customers 4. Supporting customer opt-in and opt-out requirements 5. Ensuring appropriate agreements are in place with our customers 6. Having appropriate technical and organizational measures in place to protect our customer data

A word from our lawyers: Nothing stated here is legal advice. It is provided only for your informational and convenience purposes. You should work closely with legal and other professional advisors to determine exactly how the GDPR, CCPA or any other laws may or may not apply to you.