Working with Third Parties

No developer is an island. Even if you're working on a solo project, the chances are that you won't be building absolutely everything from the ground up yourself.

You might need to use a development platform to help you create a piece of software. You might want to generate revenue by displaying ads on your mobile app. Or you might want to gain insights into your users' activity by running third-party analytics on a website.

For obvious reasons, it's crucial that you obey the law when undertaking these endeavors. But the "law of the land" isn't the only thing you have to consider.

Whenever you sign up to use another company's software or receive a third-party service, you agree to certain Terms and Conditions and License Agreements (EULA) to which you are legally bound.

In this chapter, we're going to look at some of the more common terms you're likely to agree to as a developer, and what you'll need to do to adhere to these.

In 2014, data security firm F-Secure set up a free WiFi hotspot in central London. By simply agreeing to F-Secure's Terms and Conditions, anyone could use it. The catch? Buried in F-Secure's terms was a so-called "Herod clause," which required users to transfer ownership of their first-born child in exchange for logging on. Six people agreed to this. Unsurprisingly, F-Secure never tried to enforce the agreement.

You've probably entered into hundreds of Terms and Conditions agreements in your life. This is the text that you hurriedly scroll through when signing up to a service, or impatiently swipe past when installing an app on your phone.

These are contracts, and you're legally bound by all of them. As a consumer, it rarely matters all that much. But as a business, you need to be very careful.

Working with Other Companies Under the GDPR

The GDPR doesn't exist to stifle business activity (although you'd be forgiven for sometimes feeling that it does). You're allowed to work with other companies to process personal data. Under certain conditions, you don't even need your users' consent to do this.

But you do need to be absolutely transparent about it, and you are accountable for selecting legally-compliant third parties to work with. Transparency and accountability, as we know, are two very important principles under the GDPR.

The law provides a base level of protection for individuals, and you mustn't ever fall below this. But other companies might also have other expectations that their partner businesses must fulfill.

Standards imposed on your company by third parties cannot fall below the minimum level of protection provided by law. But they may well rise above it. And it may also be the case that their standards fall below your expectations, or mean that you cannot keep your promises to your customers about how you'll protect their personal data.

This is why it's crucial that you know what you're signing up to when you work with a third party.

Advertisers

The global market for digital marketing is reportedly worth $307 billion. The real value in this market, and the advantage that the format holds over traditional advertising, is in the targeting and personalization that can be achieved by processing personal data.

Google

With its high market share of the search engine industry, online advertising market, and sale of smartphones running Google's Android OS, it's likely that your company will be doing business with Google in some capacity.

Google has a bewildering number of terms, policies, and guidelines - not to mention products - that all overlap and intermingle. We're going to sort through some of these documents to help you understand the implications of using certain Google services.

If you're using one of Google's products or services to process the personal data of EU citizens, you must agree to Google's EU User Consent Policy. It applies to Google products such as the following:

  • All Google Ads products (e.g. AdSense, AdMob, AdWords) and ad campaign measurement products
  • Google Maps APIs
  • YouTube API Services
  • G+ Buttons
  • reCAPTCHA
  • Blogger

The EU User Consent Policy requires that you provide clear information to, and earn consent from, your users in the European Economic Area (EEA).

Here's an excerpt from the policy:

Google EU User Consent Policy: Consent requirements

Previously we discussed how important it is to earn consent for cookies. Cookies are what enable Google to personalize and measure your ads.

The policy ostensibly only requires that you earn consent for personalized ads. However, note this section from a Google help document about the EU User Consent Policy:

Google Help with User Consent Policy: What if I don’t want end users personal data for personalisation of ads section

It's possible to turn off ad personalization, but you're still required to earn user consent for non-personalized ads.

Why? Well, even Google's non-personalized ads use frequency-capping and campaign measurement cookies; and as we know, these require consent under the ePrivacy Act.

Google acknowledges this:

Google Help with User Consent Policy: Why do we need consent to ads measurement section

The implications of this policy are clear. If you use a Google product to process the personal data of people in the EEA, you'll need to:

  • Fully disclose your practices via a Privacy Policy
  • Seek consent for personalized and/or non-personalized ads

We look in detail at how you can implement Google's consent requirements in Chapter 6.

It's worth noting that "Google Ads" refers to a number of different Google products, and that there are different terms and policies applicable depending on which country you're operating from.

Don't forget, though - no matter where you're based, Google's policies will require you to treat your processing of EU users' personal data according to EU law.

As we've mentioned, Google Ads customers who run ads in the EU are bound by the EU User Consent Policy. This is applicable to developers all over the world.

Because of the nature of the data transfers that take place between you and Google when using Google Ads, you're also bound by the Google Ads Controller-Controller Data Protection Terms.

By signing up to these terms, you're agreeing to only transfer your users' personal data to Google once you've earned your users' consent.

Web Analytics

As we've seen, using analytics requires full disclosure and the earning of user consent under the ePrivacy Directive.

This is because although the use of analytics software is relatively low-risk, particularly in the case of first-party analytics, it is not "strictly necessary" for providing a service, nor does it merely facilitate communication over a network.

Google Analytics

Google Analytics requires full compliance with EU law, as is clear from the Google Analytics Terms of Service:

Google Analytics Terms of Service: Privacy clause - Efforts to provide information and obtain consent section highlighted

Providing your users with "clear and comprehensive information" means producing a legally-compliant Privacy Policy. This policy must include, among other things, how long the cookies involved in Google Analytics are set for.

Here's some information from Google about the retention periods associated with each analytics cookie:

Google Analytics Cookie Usage on Websites chart

Facebook Analytics

Facebook offers analytics insights and conversion tracking via the Facebook Pixel. This is a web beacon. Web beacons are considered to be online identifiers under EU law, and so must be treated in the same way as tracking cookies.

The Facebook Business Tools Terms requires the following from users of its pixel:

Facebook Business Tools Terms: Special Provisions Concerning the Use of Certain Business Tools

Development Tools

Front-end and back-end development tools are crucial for software and app developers. But no provider of such services will want them to be used for illegal or unlawful purposes. Therefore, you must agree to strict terms when choosing to use such tools.

Google Firebase

The Firebase platform comprises various products, governed by a number of different agreements and policies. Google's guidance on Privacy and Security in Firebase explains that Google is the data processor in respect of most data processing activities in Firebase:

Google Firebase Privacy and Security: Data protection clause excerpt

Google asks developers using the platform to consider the following questions in the context of the GDPR:

Google developer questions about the GDPR

Use of many Firebase tools (e.g. Firebase Crash Reporting, Performance Monitoring and In-App Messaging) is governed by the Google APIs Terms of Service. This agreement includes the requirement that you make your users' personal data accessible to them, so that they may exercise their right to data portability:

Google APIs Terms of Service: Data Portability clause

We look in detail at how you can meet your obligations to facilitate your users' data subject rights in the next chapter.

Android SDK

If you're developing a mobile app using the Android Software Development Kit (SDK), there are a lot of terms and policies you'll need to comply with.

The Android Software Development Kit License Agreement contains the following clause:

Android Software Development Kit License Agreement: Use of the SDK clause - Protect privacy section

This requires the app developer to provide legally valid privacy protection and transparent information to its users.

If your app uses Android APIs such as the Play In-app Billing Library or Android Support Library, you're also bound by the following clause:

Android Software Development Kit License Agreement: Use of the SDK clause - Consent section

This requires the app developer to integrate the appropriate consent and permission request functions when developing their app. Android provides the Consent SDK, an open source library of utility functions that can be helpful in requesting consent for ads.

iOS

Whereas the monetization of personal data is an integral part of Google's business model, Apple has built a reputation for respecting its users' privacy. Apple developers are provided with extensive guidance on how to minimize and secure the personal data collected by their apps.

For example, the documentation provided by Apple for users of its front-end development framework UIKit makes the following recommendation:

Apple Developer UIKit: Protecting Users Privacy - Use the Minimum Amount of Data Required section

This should remind you of the GDPR's principle of data minimization.

And here's how Apple's Human Interface Guidelines explain the principle of purpose limitation:

Apple Human Interface Guideline: Accessing Private Data - Request permission only when your app clearly needs access to the data or resource section

Microsoft

Use of platforms such as Microsoft Azure and Microsoft Visual Studio is governed by the Microsoft Developer Agreement, which requires strict adherence to privacy law. Here's an excerpt from the agreement:

Microsoft Developer Agreement: Security and Privacy clause - Consent section

Microsoft requires developers to:

  • Obtain all necessary consents from their users
  • Only transfer personal data to Microsoft after having obtained this consent
  • Maintain a legally-compliant Privacy Policy and make it available from within their app
  • Comply with the law around data retention periods

Distribution Channels

If you want people to actually download or buy your app once you've finished developing it, you'll almost certainly want to get it hosted on one or more of the major app marketplaces.

These online stores will only distribute apps that comply with privacy law, as we can see by taking a look at their terms.

Google Play

If you want to distribute your Android app via Google Play, you'll need to agree to the Google Play Developer Distribution Agreement. This places a considerable number of demands on you as an app developer and/or publisher.

Here's an excerpt from the agreement:

Google Play Developer Distribution Agreement: Agree to protect privacy and legal rights clause intro

This is a requirement for general legal compliance, plus a specific demand that you produce a Privacy Policy.

Here's the next part of this section:

Google Play Developer Distribution Agreement: Agree to protect privacy and legal rights clause intro - Limited use and purposes section

You're required to only process personal data in connection with a specified purpose, and only to store personal data for as long as necessary. The GDPR makes these same demands at Article 5, by imposing the principles of purpose limitation and storage limitation.

Any suggestion that your app does not comply with the law can lead to a "Legal Takedown," as explained in Section 8.2 of this agreement:

Google Play Developer Distribution Agreement: Legal takedowns clause

Even an allegation of unlawful data processing can lead to you losing your spot in Google Play and being required to refund everyone who has purchased your app in the last year.

This might sound unfair, but remember that this is what you're agreeing to when you sign up to distribute your app via Google Play.

Apple App Store

Apple makes some very specific demands about the apps it distributes through its platform. For example, here are the minimum requirements from the App Store Review Guidelines regarding each app's Privacy Policy:

Apple App Store Review Guidelines: Data Collection and Storage section - Privacy Policy Link required section highlighted

And the following section effectively prohibits the practice of "profiling," even where data is supposedly anonymized or used in aggregate:

Apple App Store Review Guidelines: Data Use and Sharing section - User profile section

Windows Store

In addition to the usual requirements for maintaining a Privacy Policy, the Microsoft Store Policies have specific rules about the sharing of your users' personal data:

Microsoft Store Policies sections 10.5.2 and 10.5.3

You may only share data with third parties with your users' consent. This is a higher standard of privacy than that mandated by the GDPR, under which personal data may sometimes be shared with third parties on legal bases other than consent.

Cloud Services

If using cloud services to store or otherwise process your users' personal data, you must, of course, be completely transparent about this. And you must also take care to choose a cloud services provider that can guarantee compliance with the GDPR.

Google Workspace

Google's Workspace range of cloud-based tools allows customers to delegate admin access to one or more people within their company. Administrators have a large degree of access and control over user personal data.

This is set out in this section of the Google Workspace Terms of Service, which requires you to earn your users' consent for this:

Google Workspace Terms of Service: Administration of Services - Consents section

Dropbox

Use of Dropbox as a business customer is governed by the Dropbox Services Agreement. Dropbox requires customers and users to comply with various privacy laws. Here's the relevant section of the agreement:

Dropbox Services Agreement: Compliance clause

Key Takeaways from this Chapter

If you learn one thing from this chapter, let it be this: make sure you read the Terms and Conditions when you enter into any arrangement with a third party.

This is important for two main reasons:

  • They will expect you to adhere to the law, and may have specific additional requirements.
  • You must also ensure that they are legally-compliant, in line with the GDPR's principle of accountability.