This post is more of a conceptual brainstorm about GDPR and still being able to acquire useful analytics data.
If I were to sum up the GDPR, I basically take it to mean that you cannot store/track data about your user without their consent, AND they have the right to be forgotten… i.e. they should be in control of their own data. This basically means don’t track usage events using a user identifier (on iOS the venerable identifierForVendor property), as this would constitute gathering data about a person that can be inferred via this identifier.
If you can convince your user to opt-in, then great. Business as usual just with some provisions to be able to delete any data they no longer want you to have/use. But is there a way to still gather information about App usage without someone’s consent while still obfuscating who actually did the things you’re trying to track? My understanding is that you can gather all the data you want so long as it’s not possible to trace that back to the user itself.
My thoughts are that if you as an analytics person are able to relax your requirements somewhat, I think it could be possible. If you as an analytics person don’t need real-time updates on how your users have been using your app, but still want all the same insights, I think it’s still achievable…. if you have patience.
I think the solution is to keep all usage tracking on the device itself, then say once a month you upload it all in one go to some custom API endpoint that would parse all that data into usage stats, all without some user identifier. The semantics of that are “There is a user – we don’t know who – who used the app in the following ways last month.” Then you can see funnels. Then you can see retention. Then you can see all of those things over a time frame that is useful.
Currently, if we uploaded each and every event as they happened, you’d have no way to connect all those events to a user. If you upload all of those in one go, with timestamps, you can still process all this data and get a picture of what a user does in a specific amount of time without caring about who it was, specifically.