The online privacy regulatory landscape is filled with rules and can be confusing — but it’s all in service of protecting your users’ personal data. If you’re considering building your business on Bubble, here’s a basic introduction to the General Data Protection Regulation (GDPR) and some tips on what it means for an app creator like you.
A friendly note from our legal team: This introduction to GDPR is educational and introductory, and it’s very much not intended to be legal advice. We recommend consulting your own legal professional for any specific questions you may have regarding the application of GDPR to your particular business, because details about your specific idea, app, or context could make a difference in how you approach regulatory topics. This post also won’t be able to cover all the fine details of GDPR.
What is GDPR?
GDPR is the European Union’s data protection and privacy regulation. It was adopted by the European Parliament and Council in April 2016 and has applied since May 25, 2018. Day-to-day enforcement is done by the national data protection authority of each member state (see “supervisory authorities” below), while the European Commission (EC) issues the related decisions on international transfers discussed later in this post. GDPR regulates how personal data about individuals, which it calls “data subjects,” located in the European Union and European Economic Area (EU member states plus Iceland, Liechtenstein, and Norway) can be collected and used. That includes the kinds of options websites must offer their users in relation to their personal data. After Brexit, GDPR was carried over into UK law (the UK GDPR). Switzerland, while not a member of the EU or EEA, has its own national privacy law but recognizes GDPR mechanisms for certain purposes, international data transfers in particular.
GDPR’s introduction was a milestone for protecting people’s personal data. It applies to roughly 450 million individuals in the EU/EEA! When adopted in 2016, it was the most comprehensive and prescriptive privacy law in the world, and it has become the “floor” for most privacy laws enacted since.
Does GDPR apply to my company?
Yes, if:
There is personal data involved, meaning data that identifies a natural person (a data subject) or could be used to identify a natural person. Purely anonymized data that cannot be traced back to a specific person is out of scope, but pseudonymized data (for example, a hashed email address or an internal user ID that you can still link back to a person) is still personal data;
The personal data relates to a natural person located in the EU/EEA; and
The processing is not a purely personal or household activity. The exemption is narrow: a hobby project or non-profit that collects data from members of the public is still covered, not only commercial businesses.
And either:
The company is based in the EU/EEA; or
The company is based outside the EU/EEA but offers goods or services to EU/EEA data subjects (for example, by pricing in euros, shipping to the EU, or offering an EU-language version) or monitors the behavior of EU/EEA data subjects (for example, through tracking or profiling).
What happens if my company doesn’t comply with GDPR?
GDPR gives national data protection agencies (called “supervisory authorities”) in each EU/EEA member state the ability to issue fines or require specific corrective actions (including ordering you to stop processing) for GDPR violations. For egregious violations, fines can range up to 4% of worldwide annual turnover for the preceding financial year or €20 million, whichever is greater. Fines for lesser violations can be as high as 2% of worldwide annual turnover or €10 million, again whichever is greater.
A few more key GDPR terms, defined
The deeper you dive into GDPR, the more terminology there is to learn. Here are a few more key terms that you may see often.
Legal Basis. A core principle of GDPR is that personal data shouldn’t be collected and processed unless there is a specific legal basis for doing so. The most common bases are consent (the user has given the company permission to process their personal data, which must be freely given, specific, informed, and as easy to withdraw as it was to give), performance of a contract (processing is necessary for the company to hold up its end of a contract with the user), and the company’s “legitimate interests,” which must be balanced against the user’s rights. Article 6 of GDPR lists all the allowed legal bases.
International Data Transfers. GDPR generally restricts transfers of personal data from the EU/EEA to outside countries unless the EC has found that that country’s laws provide “adequate” protections for personal data, or another approved transfer mechanism is in place. (More on this below.)
Data controller. This is an entity that, alone or with others, determines the “purposes and means” (aka the how and why) of processing of personal data. For example, if someone signs up for a service through a website, the owner of that website would likely be a controller.
Data processor. This is an entity that processes personal data on behalf of the controller. Continuing the example above, if the website uses another company’s tool to track analytics on their pages, that analytics company would likely be a processor.
Sub-processor. This is a processor for a processor. For example, if the analytics company used other services for its own analytics, or even something like Google Workspace (formerly G Suite) or Slack, those would likely be sub-processors.
Data Processing Agreement (DPA). If a processor or sub-processor is engaged to process personal data, GDPR (Article 28) requires that the parties put a DPA in place to govern those parties’ relationship and how the personal data is processed, including the processor’s security obligations and which sub-processors it may use.
Note: it’s possible for one company to be a controller in some cases while being a processor in other cases.
Major requirements of GDPR
The GDPR covers a lot — so what do companies handling personal data have to actually do? Here are some of the major requirements. (Please note that this is not an exhaustive list and is geared toward startups and small companies.)
A website should provide notice (usually in a public Privacy Policy) of the types of personal data it collects, uses, and shares, and it must establish a legal basis to process that personal data. When GDPR took effect in May of 2018, you may remember how many websites started showing a “cookie consent” prompt, asking for your permission to set cookies in your browser. Strictly speaking, the requirement to ask before setting non-essential cookies comes from the EU’s ePrivacy Directive; what GDPR changed is the standard for what counts as valid consent. Consent prompts were a way for these websites to obtain that consent. (Note: Under GDPR, consent must be opt in, not opt out, meaning the user must give express affirmative consent. A pre-ticked box, or continuing to browse the site, does not count.)
Controllers are generally obligated to notify the relevant supervisory authority of a personal data breach within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the people affected. If the breach is likely to result in a high risk to them, affected data subjects must also be notified without undue delay. Processors must report breaches to their controllers without undue delay.
Users are afforded certain rights relating to their own data. A user may have the right to access their own personal data, meaning they can ask you for a record of what personal data you have and what you’re using it for. They can ask you to correct inaccurate data (rectification), to stop certain processing (objection or restriction), or to receive their data in a portable, machine-readable format (so that they can take it to another controller, for example). Most commonly, users can ask you to delete their personal data (the “right to be forgotten”). Unless certain exceptions apply, you’re generally required to respond to these requests within one month, although that period can be extended by a further two months for complex or numerous requests, provided you tell the user within the first month. You should also verify that the person making the request is actually the data subject before handing over or deleting data.
GDPR includes the general principle of “data protection by design and by default” (Article 25), usually called “privacy by design.” The exact definition is open-ended, but in general, a company that collects and processes personal data has to respect user privacy throughout its products and services and take “appropriate” technical and organizational measures in pursuit of it, such as encryption, pseudonymization, and access controls. Most important, they should only collect and process the minimum amount of personal data necessary to provide the product or service in question (“data minimization”), and the default settings of a product should be the most privacy-protective ones.
There could also be other requirements that apply in certain situations. For example, some companies working with personal data may need to appoint a Data Protection Officer. Also, if you collect “special categories” of personal data, like medical or health-related, biometric, or political-opinion data, even more protections need to be put in place, and you may need to carry out a Data Protection Impact Assessment before starting high-risk processing. In general, you should talk to your legal counsel to decide on your best course of action for complying with GDPR for your specific data practices.
A brief history of the rules around international data transfers
As mentioned above, GDPR generally restricts transfers of personal data from the EU/EEA to countries outside of the EU or EEA unless the EC has found that that country’s privacy laws provide “adequate” protections for personal data.
The EC has never issued a general finding that US privacy law provides “adequate” protection. So in 2016, the EC and US governments agreed to a program called the EU-US Privacy Shield, which served as a legal transfer mechanism for US companies to transfer EU/EEA personal data to the US. Individually, US companies would self-certify that they were following a variety of processes and procedures to demonstrate that they were treating EU/EEA personal data in a manner that complied with GDPR. More than 5,000 organizations enrolled in the Privacy Shield (including Bubble).
But on July 16, 2020, the Court of Justice of the European Union (CJEU) ruled that the Privacy Shield wasn’t actually a permissible transfer mechanism (the Schrems II decision), which meant that enrolled companies couldn’t rely on it in order to legally transfer personal data from the EU/EEA to the US. Instead, companies began relying on a set of EC-approved contract terms, the Standard Contractual Clauses (SCCs), by which a controller or processor in a non-adequate country outside the EU/EEA (including the US) agrees to implement GDPR-compliant protections for EU/EEA personal data. The same ruling requires the exporting party to assess whether the destination country’s laws (for example, government surveillance powers) would undermine those clauses, and to add supplementary measures such as encryption where they would. If processing under a DPA requires a qualifying international data transfer, the SCCs (or another valid transfer mechanism) must be part of that DPA.
In June 2021, the EC adopted updated Standard Contractual Clauses in response to the Schrems II decision. Post-Brexit, the UK also implemented its own data transfer mechanisms: the International Data Transfer Agreement (IDTA, for UK personal data only) and the International Data Transfer Addendum (used alongside the EU SCCs where EU/EEA and UK personal data are both transferred under the same DPA).
Then, in March 2022, the EC and US announced a new Trans-Atlantic Data Privacy Framework for personal data transfers to the US. In October 2022, President Biden signed Executive Order 14086 to implement the new framework, which added binding safeguards intended to address the objections raised by the CJEU in the Schrems II decision. The EC then launched an adequacy process, which was still underway as of the latest update to this post (the EC subsequently adopted an adequacy decision for the resulting EU-US Data Privacy Framework on July 10, 2023). As with its predecessors, the framework and the adequacy decision are likely to face legal challenge.
International transfers of EU/EEA personal data remain a controversial issue and the requirements to authorize these transfers could continue to change.
GDPR + Bubble FAQs
Does GDPR apply to me when I’m building on Bubble?
The answer to this question depends on what kind of app you’re building, who your audience is, what stage of building you’re at, and maybe other factors too. In short, if your app collects personal data from users subject to GDPR, then you must take appropriate steps to comply with GDPR. (Remember: GDPR applies where personal data is being processed outside purely personal or household activity and either you are established in the EU/EEA or you offer your app to, or monitor, people located there.)
So if you’re working on a purely personal project for your own use, GDPR may not apply. If you’re sure that you will have no users in the EU/EEA, GDPR may not apply. And if you aren’t collecting “personal data” at all, GDPR may not apply (but read more about Bubble-set cookies below, since cookies and IP addresses can themselves be personal data).
If your app is or will be subject to GDPR in the future, it’s up to you to determine what may be required and thoroughly review your privacy practices — preferably with the help of your legal counsel.
How does Bubble comply with GDPR?
At Bubble, we take user data privacy seriously. We’ve taken many steps to be compliant, with both our internal processes and client relationships. We also have tools to help you with “privacy by design”; incorporating those early in your app development process can assist with GDPR compliance.
Bubble may act as both a data controller and a data processor. For example, when you sign up for a Bubble account to create your own Bubble app, Bubble is the controller of your personal data. When you deploy your app and end users sign up for an account, you are the data controller, and Bubble acts as a data processor. (Bubble provides a standard DPA for its clients.)
Bubble was and remains enrolled in the EU-US Privacy Shield. And after the ECJ ruling, Bubble also incorporated the Standard Contractual Clauses into our client DPA.
Great, so that means all Bubble apps are GDPR-compliant, right?
Unfortunately, no.
Just because Bubble has taken actions to comply with GDPR does not automatically mean that all Bubble apps are GDPR-compliant.
Here’s an extreme example: Let’s say someone creates a Bubble app that doesn’t notify users about the personal data it collects and doesn’t have a legal basis for processing that data (like user consent). Instead, it immediately collects and broadcasts that data publicly. That would clearly not be GDPR-compliant!
In reality, Bubble is likely a data processor for your company — potentially one of many you could decide to use. Even if Bubble and your other processors have taken steps to comply with GDPR, you still need to do the work to make your Bubble app compliant with GDPR requirements.
A common question we get at Bubble is “If you just did X, wouldn’t that make all Bubble apps GDPR-compliant?” For example, would Bubble having a data center in an EU or EEA member state automatically make Bubble and Bubble apps GDPR-compliant? The short answer, to the best of our knowledge, is no — storing personal data in an EU data center isn’t necessary or sufficient for GDPR compliance. Neither is signing up for Bubble’s dedicated plan and asking for your own Bubble servers to be spun up in the EU/EEA.
Then how does Bubble help me with GDPR?
We know that your users’ personal data privacy is one of your key concerns, so we have several features to help with GDPR compliance. For example:
By default, your Bubble app will set cookies on visitors, which lets the app keep state for a visitor before they log in. But EU regulation (the ePrivacy Directive, with GDPR defining what valid consent looks like) says that you should only use non-essential cookies (like advertising and analytics cookies) after you’ve gotten a user’s consent. So all Bubble apps also include a “do not set cookies on new visitors by default” setting (Settings > General). After enabling it, you’ll be able to use new workflow actions to opt a user in or out of Bubble's cookies, which you should trigger only from an affirmative user action such as clicking “Accept.”
(Two other important things to note about cookies: First, using cookies for logged-out or temporary users does not automatically make your Bubble app non-compliant with GDPR; it comes down to what your app is actually doing, and how it does it, regarding personal data. Second, some cookies are necessary for Bubble to let end users log in and stay logged in to your app. These are essential cookies, which can’t be disabled and don’t require consent.)
Pay attention to your app’s privacy rules. These are defined alongside your data types to specify who should be able to take certain actions on certain data (like viewing it), including any personal data. It’s good practice to create privacy rules that only allow users to see the data they should have access to, and to treat that as the real access control: hiding an element in the UI is not a privacy control, because the data behind it can still be fetched unless a rule on the data type blocks it. (This is part of the “privacy by design” principle.)
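The opt-in rule for cookies described above, shown as an added example rather than Bubble’s own code: essential cookies are always allowed, every other category is refused until the visitor affirmatively opts in, withdrawing consent also removes the cookies already set, and each grant or withdrawal is logged so the controller can later demonstrate consent. The cookie names and categories are assumptions for illustration, and the cookie “jar” is injected so the code runs in Node without a DOM (in a browser you would wrap document.cookie instead).

```javascript
// Added example, not Bubble's code: an opt-in consent gate for cookies.
// Cookie names and categories here are assumptions for illustration.
const COOKIE_POLICY = {
  session_id: 'essential',   // keeps the user logged in
  csrf_token: 'essential',   // protects forms against CSRF
  _ga:        'analytics',   // hypothetical analytics cookie
  ad_id:      'advertising', // hypothetical ad-targeting cookie
};

// In-memory stand-in for the browser cookie store so the example runs offline.
function createMemoryJar() {
  const store = new Map();
  return {
    set: (name, value) => { store.set(name, value); },
    remove: (name) => { store.delete(name); },
    get: (name) => store.get(name),
    names: () => [...store.keys()].sort(),
  };
}

function createConsentGate(jar, policy = COOKIE_POLICY, now = () => new Date().toISOString()) {
  const granted = new Set();  // opt-in default: nothing granted until the visitor acts
  const consentLog = [];      // record of grants/withdrawals, to demonstrate consent later
  const blocked = [];         // cookies refused for lack of consent (useful for debugging)

  function categoryOf(name) {
    const cat = policy[name];
    // Refuse to set anything you have not classified: an unclassified cookie
    // is how a "just analytics" script quietly becomes an unconsented tracker.
    if (!cat) throw new Error(`unclassified cookie "${name}": add it to the policy first`);
    return cat;
  }

  function checkCategories(categories) {
    for (const c of categories) {
      if (c === 'essential') throw new Error('essential cookies are not subject to consent');
      if (!Object.values(policy).includes(c)) throw new Error(`unknown category "${c}"`);
    }
  }

  return {
    // Returns true if the cookie was set, false if consent for its category is missing.
    setCookie(name, value) {
      const cat = categoryOf(name);
      if (cat === 'essential' || granted.has(cat)) { jar.set(name, value); return true; }
      blocked.push(name);
      return false;
    },
    // Call only from an affirmative user action (a click on "Accept analytics"),
    // never from a pre-ticked box or because the visitor kept scrolling.
    grant(categories) {
      checkCategories(categories);
      categories.forEach((c) => granted.add(c));
      consentLog.push({ at: now(), action: 'grant', categories: [...categories] });
    },
    // Withdrawal must be as easy as consent; drop the cookies already set, too.
    withdraw(categories) {
      checkCategories(categories);
      for (const c of categories) {
        granted.delete(c);
        for (const [name, cat] of Object.entries(policy)) if (cat === c) jar.remove(name);
      }
      consentLog.push({ at: now(), action: 'withdraw', categories: [...categories] });
    },
    granted: () => [...granted].sort(),
    blocked: () => [...blocked],
    log: () => consentLog.map((entry) => ({ ...entry })),
  };
}
```

The two design choices worth copying are the default (an empty `granted` set, so the absence of a choice means no) and the refusal to set any cookie that isn’t in the policy, which forces every plugin or script that adds a cookie to be classified before it can run.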
Bubble offers components that empower you to give your end users control over their personal data. For example, you can build a data portability feature with the workflow action that exports data as a CSV. In addition, the workflow action to “delete a thing” can be used to delete a user record, which may be handy if users request that you delete their personal data. Keep in mind that a deletion request covers all of the user’s personal data, so things that reference the user (orders, messages, uploaded files, logs) need to be deleted or anonymized as well, not just the User record, and that either workflow should only be triggered for the user who is actually logged in (or after you have verified the requester’s identity).
Pay attention to the plugins you choose to use on your app. Some plugins (and custom code) might set their own cookies, potentially triggering the EU requirements described above, and a plugin that sends user data to a third-party service makes that vendor another processor or sub-processor you need a DPA with.
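The two user-rights workflows above (export a user’s data as CSV, delete a user’s data) and the privacy-rule point, shown together as an added example over a tiny in-memory store; this is illustration code, not Bubble’s workflow actions. The data type and field names (User, Order, owner, note) are assumptions. It adds two checks a practitioner would want: the requester may only act on their own records, enforced on every record rather than in the UI, and exported cells are quoted and neutralized against spreadsheet formula injection (a cell that starts with `=`, `+`, `-` or `@` is otherwise evaluated when the user opens the CSV).

```javascript
// Added example, not Bubble's code: a data-subject-request helper over an
// in-memory store shaped like "things". Type and field names are assumptions.

// Constructed sample data. The Order note deliberately starts with "=" to
// show why exported cells must be neutralised before a spreadsheet opens them.
function sampleDb() {
  return {
    User: [
      { _id: 'u1', email: 'ana@example.com', name: 'Ana' },
      { _id: 'u2', email: 'bo@example.com', name: 'Bo' },
    ],
    Order: [
      { _id: 'o1', owner: 'u1', total: 12.5, note: '=HYPERLINK("http://evil.example","click")' },
      { _id: 'o2', owner: 'u2', total: 3, note: 'gift wrap, please' },
    ],
  };
}

// Privacy rule, applied per record: a requester owns their User record and
// any thing whose owner field points at them, nothing else.
function ownsRecord(requesterId, type, record) {
  return type === 'User' ? record._id === requesterId : record.owner === requesterId;
}

// The request must come from the logged-in subject themself; a client-supplied
// subject id is never trusted on its own.
function assertSelf(requesterId, subjectId) {
  if (requesterId !== subjectId) {
    throw new Error('privacy rule: a user may only export or erase their own data');
  }
}

function subjectRecords(db, subjectId) {
  const out = {};
  for (const [type, rows] of Object.entries(db)) {
    out[type] = rows.filter((r) => ownsRecord(subjectId, type, r));
  }
  return out;
}

// RFC 4180 quoting plus formula-injection neutralisation: a cell beginning
// with = + - @ or a tab/CR gets a leading apostrophe so spreadsheet software
// treats it as text instead of evaluating it.
function csvCell(value) {
  let s = value == null ? '' : String(value);
  if (/^[=+\-@\t\r]/.test(s)) s = "'" + s;
  if (/[",\r\n]/.test(s)) s = '"' + s.replace(/"/g, '""') + '"';
  return s;
}

// Right of access / portability: every record linked to the subject, as CSV
// in long form (type,field,value) so that every value passes through csvCell.
function exportSubjectData(db, requesterId, subjectId) {
  assertSelf(requesterId, subjectId);
  const lines = ['type,field,value'];
  for (const [type, rows] of Object.entries(subjectRecords(db, subjectId))) {
    for (const row of rows) {
      for (const [field, value] of Object.entries(row)) {
        lines.push([type, field, value].map(csvCell).join(','));
      }
    }
  }
  return lines.join('\r\n');
}

// Right to erasure: remove the User record and every thing it owns, not just
// the User. Returns how many records of each type were removed.
function eraseSubject(db, requesterId, subjectId) {
  assertSelf(requesterId, subjectId);
  const removed = {};
  for (const [type, rows] of Object.entries(db)) {
    const keep = rows.filter((r) => !ownsRecord(subjectId, type, r));
    removed[type] = rows.length - keep.length;
    db[type] = keep;
  }
  return removed;
}

// One month to respond, counted from the day the request was received.
function responseDeadline(receivedIso) {
  const d = new Date(receivedIso);
  d.setUTCMonth(d.getUTCMonth() + 1);
  return d.toISOString();
}
```

In a real app the ownership filter is what a privacy rule on each data type gives you; the point of `assertSelf` plus the per-record filter is that the export never relies on the page having shown the right rows.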
Remember to consult your legal counsel about other actions you might want to consider in pursuit of GDPR compliance (like publishing your Privacy Policy or other steps)!
What about other major data privacy laws?
Outside of GDPR, other countries and certain US states have also enacted privacy laws. For example, Brazil’s General Data Protection Law (LGPD), which went into effect in September 2020, closely follows the GDPR. And as mentioned, after leaving the European Union in January 2020, the UK carried the GDPR over into its national law (the UK GDPR), which has applied since the end of the Brexit transition period on January 1, 2021.
In the US, unless you’re dealing with health-related or financial personal data (or data about children), there is no national privacy law generally applicable to consumers. (Congress has considered several proposed bills, but to date, none have passed or been signed into law.) That said, several states have implemented privacy laws for their residents. California was the first with the California Consumer Privacy Act (CCPA), enacted in 2018 and effective in 2020, which was then amended and expanded by the California Privacy Rights Act (CPRA) effective January 2023. As of this writing, Colorado, Connecticut, Iowa, Utah, and Virginia have also enacted their own privacy laws, and other states may soon follow. These laws include some similarities with the GDPR, like recognizing certain privacy rights for individuals (access, deletion, opting out of the sale of data), but there are also significant differences: they generally apply only to businesses above certain revenue or data-volume thresholds, they rely on opt-out rather than opt-in consent for most processing, and their requirements for contracts with service providers differ from GDPR’s DPA rules.
Note: If your company collects and processes personal data from individuals in multiple jurisdictions, you may need to comply with differing privacy requirements. You should consult your legal counsel about whether / how these other privacy laws may apply to you and what actions you might want to take.
We hope this helps you begin to understand the regulatory landscape around users’ personal data. But remember: You aren’t doing this alone! Other Bubblers have grappled with GDPR and other privacy laws too — so if you have more general questions, don’t forget to check out our forum.
As always, more detailed questions about how GDPR may apply to your company and its data practices should be directed to — you guessed it — your legal counsel.