• What does the GDPR mean for your FlippingBook Publisher publications?

With the General Data Protection Regulation (GDPR), effective from May 25, 2018, EU residents will have bigger say over what, how, why, where, and when their personal data is used. Any organization that works with personal data of EU residents has obligations to protect and properly process said data.

In this article we describe how this affects your publications, directly and indirectly and how you can make them compliant with the GDPR, if applicable to you.

The short version of this article

To comply with the GDPR you can 
Option 1: Either eliminate all gathering of personal data

  • If you use FlippingBook Publisher and publish to FlippingBook Cloud:
    • Convert Flash publications to HTML5
    • Make sure your projects are uploaded with FlippingBook Publisher version 2.8.37 or higher.
    • If you use Google Analytics, then make sure that Google IP-anonymization is turned on. If not, turn it on and re-upload.
    • If you embed third party content (e.g. video) in your publications, then make sure that the embedded content is GDPR-compliant.
  • If you upload to your own server
    • Convert your Flash publications to HTML5
    • If you use Google Analytics, then make sure that Google IP-anonymization is turned on and re-upload your projects with FlippingBook Publisher version 2.9.51 or higher
    • If you embed third party content (e.g. video) in your publications, then make sure that the embedded content is GDPR-compliant.

Option 2: make sure that you collect and handle personal data in a GDPR compliant manner

Notify your viewers about the data that is gathered, why, and for how long it is stored before they open your FlippingBook, and ask them for consent.


The full version of this article

At FlippingBook, we have always respected our users’ right to data privacy and protection. We do not rely on advertising as a revenue stream. We have never served ads in publications to our users, and never will. There is no hidden code or script in our publications that gathers your users’ personal data. However, if you use third party services in your publications (like Google Analytics or embedded video), then this may affect what you need to do to make your publications GDPR compliant.

There basically are two approaches:

  1. Eliminate the gathering of personal data in the first place
  2. Make sure that you collect and handle personal data in a GDPR compliant manner

Approach 1: Eliminate the gathering of personal data

For publications hosted on FlippingBook Cloud

If you upload to FlippingBook cloud: make sure that your projects are uploaded with FlippingBook Publisher version 2.8.37 or higher (convert your Flash publications to HTML5!). Flash publications and publications that were uploaded with older versions may contain personally identifiable information.

You can check with which version a publication was uploaded in the FlippingBook Cloud Manager.

  1. Press on FlippingBook Cloud Manager
  2. Sort your publications by version and look which publications were uploaded with older versions.
  3. You can download any project that was uploaded with earlier versions by right-clicking, downloading, and re-uploading them by clicking Upload > FlippingBook Cloud and press Update

What if you use embedded video?

If you embed third party content (e.g. video) in your publications, then you make use of services that are completely beyond our control. Unfortunately, that means that we cannot guarantee that such services don’t gather personal information from your viewers. We can only advise you to

  • Make sure that you collect and handle personal data in a GDPR compliant manner.
  • Alternatively, you can remove the video or replace it with a direct link to the video on the provider’s site.

What if you use Google Analytics?

If your publications use Google Analytics, then make sure that Google IP-anonymization is turned on.


This is the default setting, but we advise you to double check that this is enabled. Especially if your projects were created a long time ago, it is possible that IP-anonymization is not enabled. In that case you will have to turn this option on and re-upload it.

The way in which we track analytics in publications uploaded to FlippingBook cloud with FlippingBook Publisher 2.8.37 or higher does not constitute Personally Identifiable data.

What if you use private publications?

Private publications are publications that are protected with a username (email address) and password. This is obviously personal information, though whether or not you need consent from the end user depends. The GDPR allows data processing when it is “necessary for the performance of a contract to which the data subject is party”.

If this is not the case, then you will have to ask your end user for consent at the moment you obtain his email address for this purpose, and retain records of consent given by users, as well as provide users with clear instructions for revocation of consent. However, this is an organisational rather than a technical issue. FlippingBook does not provide a mechanism for automatic signups and does not use this information in any other way than to provide your users access to the publications that you have entitled them to.


For publications hosted on your own server

If you don’t use any third party services in your publications (like Google Analytics or embedded video), then your HTML5-publications will not gather any personal data.If you still have Flash publications, then convert them to HTML5.

What if you use embedded video?

If you embed third party content (e.g. video) in your publications, then you make use of services that are completely beyond our control. Unfortunately, that means that we cannot guarantee that such services don’t gather personal information from your viewers. We can only advise you to

  1. Make sure that you collect and handle personal data in a GDPR compliant manner.
  2. Alternatively, you can remove the video or replace it with a direct link to the video on the provider’s site.

What if you use Google Analytics?

If your publications use Google Analytics, then make sure that

  1. Google IP-anonymization is turned on. This is the default setting, but we advise you to double check that this is enabled. Especially if your projects were created a long time ago, it is possible that IP-anonymization is not enabled. In that case you will have to turn this option on and re-upload it.
  2. Your publications are uploaded with FlippingBook Publisher version 2.9.51 or higher.

Of course, you can also turn off Google Analytics in your projects and re-upload your publications.

If your GA-enabled publications are uploaded with earlier versions of FlippingBook Publisher, then they will gather personally identifiable data and you must inform your users about what data you track, how you use it, and get their consent before your users open a GA-enabled publication. Also, make sure that your data retention policy in Google Analytics matches the data retention in the information that you provide: https://support.google.com/analytics/answer/7667196  

 

Why do I not have to get consent for analytics when using recents version of FlippingBook Publisher?

GDPR only applies to personal data (Personally Identifiable Information). For publications that you upload

  • To FlippingBook Cloud with FlippingBook  Publisher 2.8.37 or higher, and
  • To your own webserver with FlippingBook Publisher 2.9.51 or higher

we implement Google Analytics in a way that the data is not personal any more. Instead of using the standard implementation (where a unique ID is stored in a cookie, which could be regarded as Personally identifiable), we instead use a random identifier which is created by our scripts and stored in the browser’s local storage. Unlike cookies, these cannot be read by servers. And while this identifier is generated by our scripts, it is done without our knowledge. It is almost certainly unique (there is a miniscule chance that two different visitors get the same one, which is the nature of working with random numbers). We don’t gather or store any other data, so neither we nor Google can have any knowledge of which person is associated with which identifier. This means that it cannot be used to make data personally identifiable as described in the GDPR.

 

Approach 2: Make sure that you collect and handle personal data in a GDPR compliant manner

If you can’t or don’t want to eliminate the gathering of personal data, then you will have to make sure that you collect and handle personal data in a GDPR compliant manner. This means that you will have to notify your viewers about the data that is gathered, why, and for how long it is stored before they open your FlippingBook. Then, you will have to obtain consent and retain records of consent given by users, as well as provide users with clear instructions for revocation of consent.

This scenario can apply when:

  • You used embedded video
  • You use Google Analytics for publications created with FlippingBook version 2.9.41 or lower AND host on your own server.
  • You use FlippingBook Cloud for HTML5 publications that are uploaded with version 2.8.29 or lower (and for all Flash publications)

Please note, that if any of the conditions above apply, then that does NOT automatically mean that you gather personal data. It only means that we cannot guarantee that this is NOT the case. Please refer to the following links to learn more:

For Google Analytics:

Google's general User Consent Policy
Google Analytics Data privacy and security

For video providers:

Vimeo's cookie policy
YouTube cookie types
Wistia's privacy policy

 

 

Was this article helpful?