Is Bubble.io GDPR compliant?

Is Bubble.io GDPR compliant?

I know that you want to know whether Bubble.io is GDPR compliant, but the point is that there are actually THREE QUESTIONS here. Not one, but three. But no need to panic - we'll answer all of them one by one. Below, you'll see the list of short answers, then a basic primer on GDPR, and then a list of the detailed answers.

Is Bubble.io GDPR compliant: short answers to 3 questions

‍GDPR is a rulebook that explains how you should handle personal data that you receive from your users. It's a law from the EU, but it applies to anybody selling to EU residents. Aka, everybody and their uncle. Shall we?

Question 1: Is Bubble.io GDPR compliant in relation to EU-US data transfers?

Yes.

Bubble.io has a special agreement that regulates EU-US and US-EU transfers. Question 1 is no more.

Question 2: How do I know that Bubble.io works only with GDPR compliant providers?

Again, Bubble.io has the agreements with their own "sub-processors" that govern their relations. Bubble.io is a major no-code provider and they'll never want to knowingly breach the GDPR rules. Who they work with is on them, not on you. You are not omnipotent. Question 2 has been dealt with swiftly too.

Question 3: How do I know that my Bubble.io-based app is GDPR compliant?

Here, it's all on you. Scary, but lucrative, right? You are the developer, and it's your duty to make sure that your app is fully GDPR compliant.

To make your life easier, we've set up a checklist that you'll find in the long version below. It covers cookies, privacy policy, plugins and unintended data exposure.

To conclude this short version, let's emphasize the following points:

• Questions 1 and 2 aren't your responsibility zone.
• The answer to them is "yes, sir", and you don't have to do anything about them.
• Question 3 is fully on you, and you have to do everything about it.

Ready to learn a bit more about GDPR?

Primer on GDPR compliance

As the interweb matures, regulators seek to bring more order. In the light of Facebook and others abusing our personal data, the laws have been passed to govern how companies should process the personal data.

The EU passed GDPR (General Data Protection Regulation) which is a lengthy document that seeks to set up a comprehensive framework on personal data processing.

GDPR applies to all companies on this planet (and others too - okay, Elon), as everybody sells globally.

If you fail to comply, your company will be exposed to hefty fines. So, you need to stay compliant at all times!

It doesn't matter whether you build on Bubble.io, another no-code solution or go native code. It's the form, what matters is the substance. You need to comply with the rules we specify in the checklist, and you'll be good to go.

Of course, you should be aware that this article is the result of our researching, and you should consult your legal team in case of any uncertainty or concern. This article should not be construed as legal advice.

The three terms that you'll be exposed to when researching GDPR compliance are: "data subject" - an end user who connects to your app and who personal data you receive, "data controller" - an entity that receives the data, "data processor" - any entity that processes the data on behalf of the controller (Bubble acts as a data processor in relation to your app), "data sub-processor" - any services that the data processor engages to assist in data processing.

Other jurisdictions are implementing their own regulations, including CPPA from the US, PIPEDA from Canada and others. If you find your business exposed to a lot of traffic from such locations, you should consider compliance with those regulations.

Is Bubble.io GDPR compliant: long answers to 3 questions

Now that we've revised the basics on GDPR, let's look at the 3 questions in more detail.

Long Answer to Question 1: Is Bubble.io GDPR compliant in relation to EU-US data transfers?

There's a certain level of uncertainty and controversy in relation to GDPR and the transfers between the EU and US. The reason for that being that a number of regulation packages have been implemented and struck down by the European courts.

At this point, companies like Bubble.io are implementing the DPAs (Data Processing Agreements) that incorporate the SCCs (Standard Contractual Clauses). The SCC is the currently used package of such regulatory documents.

Why is there controversy in relation to the use of SCCs? It's because SCCs have not been officially accepted as the main contract that companies can use to substantiate the data transfers between the EU and US.

At the same time, all IT companies currently use SCCs, and Bubble.io is no exception.

Should you get a dedicated EU-based server from Bubble.io to ensure GDPR compliance?

If you google around, you're going to bump into certain threads on the Bubble.io forum that deal with GDPR compliance. Here's the most popular one.

It starts with the correspondence between the Bubble.io users who are building apps on top of the platform and the customer support. The heading is ominous, saying that Bubbl.io is not GDPR compliant!

However, after a while you'll start bumping into the messages from other users who've engaged the professional legal firms to confirm that Bubble.io is actually GDPR compliant. Like the below (here's a link to it).

What's the root cause of this debacle? It's quite prosaic - spinning an dedicated EU-based server would cause your company up to $5,000 per month, which is a huge price to pay for a young SaaS endeavor. It's quite clear that Bubble.io might be engaged in an overly enthusiastic promotion campaign here.

You don't need to get a dedicated server based in the EU, and the use of the SCC within DPA fully suffices.

Potential implementation of Privacy Shield 2.0

Another source of controversy is the potential implementation of Privacy Shield 2.0, which allegedly creates a lot of uncertainty. It doesn't. You can safely build on Bubble.io, launch your MVP and proceed with your roadmap.

Here's a short story on Privacy Shield 2.0. For around 20 years, there have been various documentation packages dealing with the EU-US transfers. So, as we've talked above, all of the previous versions have been struck down. The industry fell back down to the SCCs, and there's no problem with that.

Currently, a new package called Privacy Shield 2.0 is being negotiated. There are certain moves to set up a court that will review the data subject requests and the authorities on the two sides of the Atlantic are trying to harmonize various definitions of the "personal data", "data subject" and "privacy rights".

Currently, there's no certainty when Privacy Shield 2.0 will become the law. It may get struck down too, just like the previous packages.

Again, Bubble.io is fully GDPR compliant, and you can safely roll out on top of the platform.

Long Answer to Question 2: How do I know that Bubble.io works only with GDPR compliant providers?

It's clear that we've hashed it out well in the short version, so let's move on!

Long Answer to Question 3: How do I know that my Bubble.io-based app is GDPR compliant?

As we've stated in the short version, the best way to deal with this question is to run through a checklist and fix any problems that you have. In this way, you'll be able to ensure that your Bubble.io-based app is fully compliant with GDPR. (Make sure that you consult with your legal team to consider potential problems. This is not legal advice.)

Here's our checklist for GDPR compliance.

Step 1. Create a GDPR compliant privacy policy for your Bubble.io app

Start with creating your privacy notice. Here's a good article on all things privacy policy to start off with.

Overall, you should always avoid ambiguous language that doesn't clearly describe the activities that you perform with regard to the users' personal information.

Don't say this: "We may use your personal data to develop new services". Instead, say this: "We will retain and evaluate information on your recent visits to our website and how you move around different sections of our website for analytics purposes to understand how people use our website so that we can make it more intuitive".

At the bottom of the linked article, you'll also find a boilerplate template for the GDPR-compliant privacy policy. You can easily use it and move on with your process.

There's a number of "automated" makers for your privacy policy, cookies policy and cookies banner. You don't need to invest time and effort in dealing with those. Instead, just stick with the GDPR-compliant privacy notice like the one in the article.

Step 2. Set up a cookies consent banner that fully complies with GDPR

There's a certain controversy with some posters on the Bubble.io forum posting that you absolutely need to embed a cookies consent banner and allow users to accept or reject specific groups of cookies. The image below shows an example of such a banner.

Such a consent banner is usually called a "finer-grained control". Though it'll offer better UX, it's not a must-have (as confirmed by the Bubble's Product Team here). In addition, Bubble.io has certain issues with tracking the specific cookies that plugins add up to the mix.

A good start is a simple cookie consent that allows users to either accept or reject all of the cookies that you collect at your app. Here's an example of such a banner.

You can look for a popular plugin for cookies consent banner that has been developed for the native use with Bubble.io.

Step 3. Create a detailed cookies notice

As you can see, this cute and simple banner just states the fact that your app collects cookies and provides a "learn more" link.

You can either set up a stand-alone cookies policy and embed the comments into the global privacy policy, like in the example above. The second option is easier to execute, and it'll save you time when you need to make certain updates. Again, here's a link to that article with a template for a privacy policy that includes a cookie notice.

Take your time to go through each cookie and describe its purpose and use in detail. This is a highly beneficial practice that is mandated by the GDPR.

Step 4. Fix the problem with the first cookies load, and allow users to withdraw consent

Out of the box, Bubble.io automatically collects the cookies for each new visitor to your app. This was done prior to the implementation of GDPR, and it's a useful feature for the testing purposes.

However, when you are ready to push the app into the production stage, you'll need to prevent this functionality. Otherwise, your app will end up first collecting the user's cookies and only after that asking whether they are OK with this or not.

To prevent this feature, you'll need to go through the following actions.  

Action 1. Prevent the first cookies load

Go to Settings > General, and then find the setting called "Do not set cookies on new users by default". Tick it off. In this way, you'll be able to switch off the first cookies load.

Action 2. Create the work for "opt-in to cookies"

Next, set up a workflow that allows users to opt in to cookies by connecting the actions to the cookies consent banner.

Action 3. Enable users to withdraw their consent

In line with the requirements set up by GDPR, you should allow users to quickly withdraw their consent to cookies being collected at your site.

A good way to implement this is to set up a button in the footer that leads to the cookies page, where users can click the "withdraw consent" button to prevent the execution of the cookies consent process.

Find more commentary on the solution in this post.

Step 5. Fix the problem with Google fonts

As this thread from the Bubble.io forum states, Google fonts are automatically uploaded from a US-based server. This may be done outside of the standard backend operations running completely via Bubble.io. When the fonts are loaded, the information on the user's IP address is sent to the US server.

Without going into much detail, you'll need to go directly into the JSON file and clean out any instances when the Google fonts are retrieved from the US server. Unfortunately, this can't be done from within the native visual editor that Bubble.io offers, since in some cases the Google fonts are being attached to the parent elements with no sign of their use from within Bubble.io.

Nix in the bud this potential threat to your GDPR compliance efforts.

Step 6. Allow users easy access to your team

In your privacy policy, make sure to specify the name and contract information for the responsible employee who can deal with any requests from the data subjects.

Quickly react to any requests from users regarding their right to learn what kind of information you are collecting, as well as requests for deletion of the stored data.

Step 7. Run cookies assessments after you install new plugins

Whenever you install a new plugin on top of your Bubble.io-built app, you might start collecting new cookies and personal information.

GDPR doesn't forbid you from collecting the user's personal data, but it seeks to limit the collection and processing of such information.

Just make sure to run the assessment in the testing mode so that you can see what kind of cookies the plugin exposes you to. In case that you see anything that resembles a frivolous collection practice, reach out to the plugin developer.

Step 8. Limit your collection to absolutely necessary personal data and map your data flows

This point closely ties into Step 8, and your best stance is to limit your collection only to those cookies and personal data that you must access for you to correctly run your operations.

Set the tone and start mapping your data flows from the earliest iterations of your app. You need to understand how you receive, process and delete the personal data from your users so that you can clearly substantiate the details of your processes in case that you need to.

As you can see, it's pretty feasible for your team to run these 9 Steps to ensure GDPR compliance. We worked hard to take account of all details and will keep tabs on the developments to adjust it accordingly. If you find any missing step or practice, reach out to us so that we can figure it out together.

Summary

We've talked about the major points on how to make your app fully GDPR compliant. Let's reiterate the main points.

• Data transfers between EU and US are governed by the Bubble's DPA, which incorporates the SCC.  Thus, Bubble.io is fully GDPR compliant in terms of the cross-border transfers.
• Bubble.io works with various sub-processors like AWS, Firebase and others. Their joint operations are governed by their contracts, and they are liable for any breaches of GDPR. You don't have to be concerned about that, since you are working with major service providers globally who care about compliance and reputation.
• Your app's architecture is fully on you. We presented you with an effective 9-step action plan that helps you ensure that your Bubble.io app is fully compliant.
• Always make sure that you only collect the cookies and other personal information that you absolutely need for your app to function correctly.
• Map your data flows to keep tabs on how your app handles all information, including personal data and other information flows.

Act proactively and always fix potential problems so that you mitigate threats in terms of GDPR compliance and overall security stance. Making your app GDPR compliant isn't hard - you just need to go through certain steps. The new regulation like Privacy Shield 2.0 will deliver even more improvements to how we deal with our users' personal data. Subscribe to our blog and stay informed on all major developments in the bubbling and no-code/low-code industry overall.