Configure Real User Monitoring according to GDPR

Ensuring the privacy of your customers’ personal data is now a key component of your digital-business success. DESK provides numerous privacy enhancements that make it easy for you to configure appropriate settings that protect your customers personal data and ensure your organization’s compliance with GDPR.

Note: For details on privacy settings that are configured globally, environment-wide, please see How do I configure global privacy settings?

Data privacy settings for web applications

Data privacy settings available for web applications make it easy to implement data-privacy standards at the application level.

To access application-level data privacy settings

Select Applications from the navigation menu.
Select the web application you want to configure.
Click the Browse (…) button and select Edit.
Select the Data privacy tab.

To provide you with an easy overview of all applicable privacy settings, the Global settings section at the top of the settings page reflects the same environment-wide privacy settings that are configurable at Settings > Preferences > Data privacy.

application data privacy settings

Details of the other privacy settings that are available for web applications are detailed in the following sections.

User tracking

This setting allows you to enable or disable the use of persistent cookies that detect and track returning users. When enabled, DESK Real User Monitoring sets a persistent cookie in end-user browsers that detects if the browser has been used previously to access your application. When disabled, the Returning vs. new users RUM metric no longer works because DESK is no longer able to correlate anonymous user sessions with tagged user sessions.

Note: User tracking is disabled by default for all newly created applications. Settings for existing applications aren’t affected and so must be configured manually.

user tracking

Opt-in mode

With opt-in mode enabled, the injected JavaScript Real User Monitoring code won’t capture any data or set cookies. Data capture and cookie usage can, however, be enabled for individual users using the JavaScript API call dtrum.enable(). This allows you to implement an opt-in setting that enables your customers to comply with the data privacy standards of their region.

During the course of DESK monitoring—even following Real User Monitoring code snippet injection into your application—if your customers don’t have a DESK cookie set in their browser, no RUM monitoring data will be captured. You must explicitly call the JavaScript API call dtrum.enable() from each of your customers’ browsers to activate monitoring-data capture.

DESK also provides a JavaScript API call that can disable monitoring once it’s been enabled using a dtrum.enable() call. Using the call dtrum.disable(), you can implement a dialog that enables your end users to stop sending monitoring data to DESK, even after it’s been explicitly enabled. This API call requires DESK OneAgent v1.145 or above.

Note: Opt-in mode isn’t enabled by default.

opt-in mode

Do Not Track

Another technique for protecting end-user privacy that’s supported by all web browsers is the Do Not Track HTTP header. With this setting enabled, browsers add an additional HTTP request header to all the web requests they send. This header specifies that all user tracking must be disabled.

With the Respect browsers’ “Do Not Track" setting disabled (setting is enabled by default), DESK ignores the browser’s Do Not Track setting and the Do Not Track header. With this setting enabled (the default behavior), there are two options:

Capture anonymous user sessions for “Do Not Track” enabled browsers

(Enabled by default) Captures user sessions from the browser, but excludes all personal information that could lead to the identification of the user. The IP address is masked and no user tag information is sent.

Note: With the User tracking setting enabled (see above), DESK still sets a persistent cookie to detect returning browsers.

Turn Real User Monitoring off for “Do Not Track” enabled browsers

(Disabled by default) No data is captured from browsers that have the “Do Not Track” setting enabled.

Note: The Respect browsers’ Do Not Track setting is enabled by default for both new and existing applications.

do not track

Data privacy settings for mobile apps

To ensure that your mobile apps are compliant with GDPR (or the Google prominent disclosure requirement) you must secure your end user’s permission to capture their personal data and receive crash reports from their mobile devices. Starting with OneAgent for Mobile 7.1.4, there is a setting called User opt-in mode that allows you to implement such behavior. This allows you to control the monitoring data that are captured and whether or not crash reports should be sent on a per-user basis.

Data collection level

off: No data is captured.
performance: OneAgent only captures anonymous performance data. Monitoring data that can be used to identify individual users (for example, user tags or custom values), aren’t captured.
user behavior: Both performance and user data is collected. In this mode, OneAgent recognizes and reports on users who re-visit your app in future sessions.

Crash reporting

disabled: Crash reports aren’t sent to DESK enabled: Crash reports are sent to DESK

Enable User opt-in mode for your mobile app

User opt-in mode must be enabled at build time and you must have the latest version of OneAgent for Mobile (v7.1.4 or above). In addition, you must implement a privacy settings page that allows each individual user of your app to control their preferences and store them using the new API. The following steps describe the workflow for setting up user opt-in mode.

Enable user opt-in mode at build time of your app by setting the DTXUserOptIn flag
At startup, OneAgent for Mobile checks the enabled settings of the device. By default, the data collection level is set to off and crash reporting is disabled so that, upon the first startup of the app, no data is shared with DESK.
Your app checks if the user has agreed to your privacy policy. If not, a dialog is displayed (see example below), asking for the user’s permission. To develop your organization’s own privacy policy language, have a look at the example policy texts that we’ve provided
Once the user has confirmed their settings, you can use the new API calls to store the user’s preferences.
Upon the following startup of your app, OneAgent for Mobile applies the new settings and reports only as much data as the user has agreed to share with DESK.

User opt-in mode for mobile devices

To provide your end users with a cookie opt-out capability, DESK must be configured appropriately. Usually DESK creates tracking cookies automatically. When using cookie opt-in mode, DESK RUM tracking is disabled by default and no cookies are created. When an end user accepts your cookie policy (opt-in mode), DESK RUM is enabled by calling dtrum.enable() within the JavaScript code module. Following this method invocation, DESK tracking cookies are created and RUM is activated.

To activate cookie opt-in mode

Go to Settings > Monitoring > Monitoring overview and click the Applications tab.
Select the desired application, click the browse [...] button, and select Edit.
From the left navigation menu, select Data Privacy and turn on Data-collection & cookie opt-in mode.

data-collection and cookie opt-in mode

Note: If your organization provides an end-user opt-out feature for cookies, you must use the use the opt-in mode command to enable use of DESK cookies and thereby enable DESK RUM. Once your users have opted into our cookie policy, you must additionally run the command dtrum.enable() in the JavaScript code module.

For complete details on cookie usage in DESK, see How does DESK use cookies?