This content is meant to be a basic introduction to GDPR for Bubble users, up-to-date as of early November 2020.
The online privacy regulatory landscape is filled with many rules to follow and can be confusing - but it’s all towards the good cause of protecting your user data. If you are considering building your business on Bubble, we wanted to provide a basic introduction to GDPR and some tips on what it means to an app creator like you.
Legal disclaimer: This is meant to be educational content to help give you a start on these regulatory matters, and is strictly not meant to be legal advice. We recommend that you consult with your own legal professional for any specific questions you may have regarding the application of GDPR to your particular business. Details about your specific idea, app or context could make a difference in how you approach regulatory topics. Moreover, this is meant to be an introductory-level guide, and will not cover all the fine details.
What is GDPR? General Overview
The General Data Protection Regulation is a significant data protection and privacy regulation created and enforced by the European Union. It was first written in 2016 and went into effect in May 2018. GDPR explains how data about users can be collected and used, including the kinds of options websites must offer their users in relation to user data.
GDPR’s introduction was one of the most significant events in tech regulation history. One reason why is that it may apply in situations where the tech company is based in the EU or, in some cases, when some of a company’s users are based in the EU. Because most websites are visited by people from all around the world, even sites and companies based outside of the EU could have obligations based on GDPR as well.
Does GDPR apply to my tech company?
It is worth noting that GDPR does not apply to every tech company. GDPR generally applies when:
- There is “personal data” involved, meaning data that identifies a person or could be used to identify a person (i.e. not when it’s purely anonymized data that couldn’t be traced back to a specific person)
- There’s a commercial use of data (i.e. not when it’s purely personal use)
- A company is based in the EU; or
- A company is based outside the EU but the company offers goods or services to EU data subjects or monitors the behavior of EU data subjects
What happens if I don’t comply with GDPR?
GDPR also gave the EU the ability to issue fines for violations. For egregious violations from large companies, fines could range up to 4% of revenue!
Key Terms in GDPR and What They Mean
There is a lot of terminology to learn if you want to get into the details of GDPR. These are a few key terms that you may see frequently in relation to GDPR.
What is a legal basis? A core GDPR principle is that personal data shouldn’t be processed unless there is a legal basis for doing so. Some examples of legal bases include where a user has given you consent to process their data or when the processing is necessary for the performance of a contract. The text of GDPR enumerates the allowed legal bases.
Transferring Data: GDPR generally restricts transfers of data from the EU to countries outside of the EU unless certain assurances are made that the data is adequately and appropriately protected. There are a few different transfer mechanisms that allow EU data to legally leave the EU, such as to US servers.
A data controller is an entity which, alone or with others, determines the purposes and means (how and why) of the processing of personal data. For example, the website a user actually signs up with would likely be a controller.
A data processor is an entity which processes personal data on behalf of the controller. From the earlier example, if the website uses another company’s tool to track analytics on their pages, that analytics company would likely be a processor in this case.
A sub-processor is a processor for a processor. For example, if the analytics company itself used other services for its own analytics or something like G Suite or Slack, those would likely be sub-processors.
Note: it’s possible for one company to be a controller in some cases while being a processor in other cases. Companies that serve as processors should have a Data Processing Agreement (DPA) to govern the relationships with controllers or processors and how data is processed.
Major Requirements of GDPR
GDPR covers a lot - so what do companies handling personal data have to actually do? Below is a list of some of the major requirements of GDPR; please note that this is not an exhaustive list and is geared generally towards startups and small companies.
- Websites should provide notice of the types of personal data they collect, use and share, and must establish a legal basis to process data. Since GDPR took effect in May 2018, you may have noticed that many websites show a “cookie consent prompt” when you first visit, asking for your permission to create a cookie in your browser. Because a cookie is a way of tracking personal data, these consent forms were a way for these websites to obtain your consent. Note: consent should not be on an opt-out basis, meaning the user must give express, affirmative consent.
- Websites are generally obligated to notify relevant supervisory authorities of personal data breaches within 72 hours.
- Users are afforded certain rights relating to their own data. A user may have the right to access their own data, meaning they can ask you for a record of what personal data you have from them and what you’re using the data for. Moreover, the user can ask you for their data in a portable format (for example, so that they can take it to another controller). Perhaps a more common occurrence is that users can also ask you to delete their personal data, which, unless certain exceptions apply, you must comply with “without undue delay”.
- There is the general principle of incorporating “privacy by design”. The exact definition of this is nebulous, but in general, a web service should respect user privacy throughout its product and make reasonable technical decisions in pursuit of respecting privacy.
There are additional requirements that will apply in certain situations - for example, some companies working with personal data may need to appoint a Data Protection Officer. In general, you should consult your legal counsel to determine your best course of action for complying with GDPR.
Recent events with GDPR: Privacy Shield
Since 2016, the EU and US governments have run a program called the EU-US Privacy Shield, which served as a possible legal transfer mechanism for US companies to transfer EU data to the US. This program involved US companies self-certifying that they followed a variety of processes and procedures meant to demonstrate that they would treat EU data in a manner that complies with the requirements of GDPR. Over 5,000 organizations enrolled in the Privacy Shield.
On July 16, 2020, the European Court of Justice (ECJ) ruled that Privacy Shield was not a permissible transfer mechanism, which meant that enrolled companies could not rely on Privacy Shield as a basis for transferring data from the EU to the US.
However, the court ruling explicitly did not strike down other mechanisms for transferring data to the US. For example, the ruling maintained the validity of the Standard Contractual Clauses, used by many other US companies, which are a standard set of contractual provisions (usually included or referenced in a company’s DPA) that govern how personal data would be treated by data processors.
The court ruling was a somewhat unexpected event, and the regulatory landscape around data transfer out of the EU could still change further.
GDPR + Bubble
Does GDPR apply to me when I’m building on Bubble?
The answer to this question depends on what kind of app you’re building, who your audience of users is, what stage of building you’re at, and perhaps other factors.
Remember: GDPR may apply in situations where personal data is being used in a commercial setting and either you or certain of your users are located in the EU. So, if you’re working on a purely personal project for your own use, GDPR may not apply. If you’re sure that you will have no users in the EU, GDPR may not apply. And if you aren’t collecting “personal data”, GDPR may not apply (though see the below notes about Bubble-set cookies).
Assuming your app is or will be subject to GDPR at some point, it’s up to you to determine what may be required and when, and to do a thorough review of your privacy practices - likely with the help of your legal counsel! At Bubble, we take user data privacy seriously and provide you tools for “privacy by design”; incorporating those early in your app development process can assist with GDPR compliance.
Ultimately, you should consult with your legal counsel when thinking about your privacy practices in relation to GDPR.
How does Bubble comply with GDPR?
Bubble has taken a variety of actions to be compliant with GDPR, many of which were announced in March 2018.
Note that Bubble may act as both a data controller and a data processor. For example, when you sign up for a Bubble account to create your own Bubble app, Bubble is the controller of the personal data associated with your account. When you deploy your app and end-users sign up for an account on your app, you are the data controller and Bubble acts as a data processor. Relatedly, Bubble offers a DPA.
Bubble was and is enrolled in Privacy Shield. However, after the ECJ ruling invalidating Privacy Shield as a legal transfer mechanism, Bubble incorporated the Standard Contractual Clauses in our DPA.
Great - so that means all Bubble apps are GDPR-compliant, right?
Just because Bubble has taken actions to comply with GDPR, that does not automatically mean that all Bubble apps are GDPR-compliant.
Extreme Example: You have a Bubble app that doesn’t provide notice of the personal data it collects and doesn’t have a legal basis for processing such data, but immediately collects and broadcasts that data publicly. That would clearly not be GDPR-compliant!
In reality, Bubble is likely a data processor to your company - potentially one of many you decide to use. Therefore, even if Bubble and your other processors have taken steps to comply with GDPR (for example, Bubble has put agreements into place with our processors, i.e. your sub-processors, in the form of DPAs), you still need to do the work to make your Bubble app compliant with GDPR practices.
A common question we get at Bubble is “If you just did X, wouldn’t that make you GDPR-compliant?” For example, users ask if Bubble having an EU data center would alone automatically make Bubble and Bubble apps GDPR-compliant. The short answer, to the best of our knowledge, is no - storing data in an EU data center is neither a necessary nor sufficient action to take to be in compliance with GDPR. Similarly, signing up for Bubble’s dedicated plan and asking for your own Bubble servers to be spun up in the EU is neither necessary nor sufficient for compliance with GDPR.
Then how does Bubble help its users with GDPR?
Bubble knows that data privacy and regulation is a key concern for many users, so we’ve worked on a number of features to assist with GDPR compliance.
1) There is a setting that all apps have (in Settings > General) - “Do not set cookies on new visitors by default”. It’s important to note that by default, Bubble apps will set cookies on any visitor - this enables a richer experience for temporary (logged-out) users. However, EU regulation technically says that you should only use non-essential cookies (such as advertising and analytics cookies) on a user after you get their consent, so you may want to enable this setting. After enabling it, you will be able to use new workflow actions to opt a user in to or out of Bubble's cookies.
(There are two things to note about cookies. First, cookie-ing logged-out or temporary users does not automatically make your Bubble app non-compliant with GDPR - it comes down to what exactly your app is doing and how it does it. Second, some cookies are necessary for Bubble to handle end-users logging into an app and staying logged in, so it is not possible to completely disable essential cookies on your app.)
2) Pay attention to your app’s Privacy rules. These are rules defined alongside your data to specify who should be able to do certain actions (including view) on certain data. It is generally a good practice to create Privacy rules so that users can only see the data they should have access to; this is part of the “privacy by design” principle.
3) Bubble has components to allow you to give your end-users control over their data. You can build a data portability feature, for example, with the workflow action to export data as a CSV. In addition, the workflow action to “Delete a thing” can be used to delete a User record - which may be handy for data deletion requests.
4) Pay attention to the plugins you choose to use on your app. Some plugins (and custom code) might be associated with their own cookies.
Note also that there is a “Cookie Consent (EU)” plugin made by Bubble and available in the plugin gallery for free to all apps (behind the scenes, this leverages Osano, an open source cookie consent popup tool). Using this plugin will allow you to show a custom message to inform visitors about your site's cookie situation, but the current version does not ask for or handle consent.
What about other major data privacy regulations (CCPA, LGPD)?
The California Consumer Privacy Act (CCPA) went into effect in January 2020 and Brazil’s General Data Protection Law (LGPD) recently went into effect as well. Both are significant data privacy regulations in their own right with some similarities but also some key differences when compared to GDPR.
You should consult your legal counsel about whether / how these other regulations apply to you and what actions you might want to take.
We hope this is a useful guide for helping you begin to understand the regulatory landscape around user data. And remember, you aren’t doing this alone! Other Bubblers have grappled with GDPR and other regulations, so if you have more general questions, feel free to check out our Forum.
As always, more detailed questions should be directed to - you guessed it - your legal counsel.
- November 16, 2020: Updating section "Then how does Bubble help its users with GDPR?" to correct a previous mistake about the Cookie Consent (EU) plugin.