OneSignal changes its push notification product due to the GDPR; clients need to ask for consent

OneSignal sent a message to its users saying that it is updating its legal terms and its push and email products to limit access to, and what data is stored from, EU users, due to the GDPR. The major change for publishers and website or app owners is that they are responsible for consent:

“For clients who use OneSignal in their apps or websites and who have EU users or are based in the EU, you are responsible for ensuring that you have a valid legal basis (e.g., consent, legitimate interest) for the personal data that is being sent to OneSignal. We recommend working with your legal counsel for guidance on your specific responsibilities. We are happy to work alongside you and your legal team to ensure compliance while using our services.”

OneSignal says that it “is committed to helping clients to be GDPR compliant when using the Web Push, Mobile Push, and E-mail products.” OneSignal created an email address for questions. In addition to the product changes, OneSignal says it has taken steps to ensure that all data sent to OneSignal is stored securely: auditing the software it uses for security vulnerabilities; ensuring it is using up-to-date versions; improving network security in its datacenter; and maintaining and following security best practices internally to prevent unauthorized access to its servers.

Here are the product changes:

  1. Providing the option to not store end-user IP addresses, and by default, not storing the IP addresses of end-users from countries within the EU.
  2. For all clients, beginning on May 21st, 2018, OneSignal will discontinue building data models with data, and will not monetize any EU user data with OneSignal business and analytics partners. For Enterprise clients, OneSignal has introduced a Data Processor Agreement (DPA) which formally designates OneSignal as a Processor for all data.
  3. Releasing updated versions of the OneSignal SDKs to make it easier for clients to prevent user data from being sent to OneSignal until a user explicitly consents.
  4. Adding support to the OneSignal API for the deletion of user data. Additionally, OneSignal is reducing the data retention period of deleted data to 72 hours.
  5. Updating OneSignal's user data exporting capabilities to make it easier to search for and export user data from OneSignal. This will help OneSignal clients meet individual user requests for restriction, erasure, and data portability.
  6. Preparing a guide on how to use OneSignal for push notifications without sending personal user data.