Is Approov in compliance with GDPR and the CCPA?

Does the mobile app users' data remain private? How is our end-users' data protected?

Approov neither processes nor collects 'Personal Data', as defined by the General Data Protection Regulation (GDPR), nor personally identifiable information (PII), as defined by the California Consumer Privacy Act (CCPA). The Approov Mobile Security platform only collects the IP address and device ID, and both of these fields are anonymized.

GDPR is a regulation in the European Union that came into effect in May 2018. It governs the protection of personal data for individuals within the EU and the European Economic Area (EEA). Personal data is defined by the GDPR as any information relating to an identified or identifiable natural person, such as a name, identification number, location data, online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that person.

The California Consumer Privacy Act (CCPA) is a privacy law in California that went into effect in January 2020. It gives California residents certain rights over their personal information, including the right to know what information is being collected about them, the right to delete that information, and the right to opt out of the sale of their personal information. PII, or personally identifiable information, is defined by the CCPA as information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. This includes identifiers such as name, address, email address, Social Security number, driver's license number, passport number, and biometric data.

Under GDPR, if an IP address and device ID have been truly anonymized, meaning that the data controller has taken steps to ensure that the data can no longer be linked to an identified or identifiable natural person, then they are not considered personal data under the regulation. Anonymized data falls outside the scope of the GDPR because it does not relate to an identified or identifiable person. Similarly, under the CCPA, if an IP address and device ID have been anonymized such that they cannot be linked to a particular consumer or household, then they are not considered personally identifiable information (PII) under the regulation.

Approov | CriticalBlue Limited has extensively assessed the protection of our data collection and storage methodologies in proportion to the impact that a breach of this data would have on an individual, and the controls in place adequately protect the data in line with the assessed risk.