Overview and motivation
With the SAP Cloud Platform SDK for iOS 2.0 SP02 release, we have support for Privacy Consent Forms that can be presented to users during onboarding. These Privacy Consent Forms can be used to inform users about the data being collected as well as how that data will be used by the app. These forms can be used to support the various user consent requirements around the world, such as:
- General Data Protection Regulation (GDPR), introduced by the European Union (EU), which came into effect on May 25th, 2018 and requires consent from users in order to collect any personally identifiable information (PII) about them.
- Health Insurance Portability and Accountability Act (HIPAA) regulations that have been in force in the United States since 1996.
- Personal Information Protection and Electronic Documents Act (PIPEDA) regulations in Canada that have been in force since January 2001.
- Personal Information Security Specification released by China that came into effect from May 1st
The SDK for iOS now has support for these consent forms, which can be part of the onboarding flow for end users. These forms make it easy for developers to get consent from end users for sharing and to comply with the law. Note, however, that developers still have to keep track of the consent given (or denied) by end users in the appropriate backend systems, complying with all auditing and other necessary legal requirements.
The user consent forms supported in the latest release are of two types:
- Single step user consent form – In this case, there is just one form requesting consent
- Multi step user consent form - In this case, there are multiple forms that can be used to request user consent.
In addition, during the onboarding flow, the user consent can be of two types:
- Mandatory - In this case, the onboarding flow of the app is aborted if the user doesn’t consent.
- Optional – In this case, the onboarding flow of the app continues and the user can consent at a later stage.
Details
To review the support for GDPR consent forms and understand the framework controls behind them, first generate a Master Detail application using the Sample app provided as part of the SDK for iOS Assistant. The Sample app (as well as any new app) generated by the Assistant will have built-in support for both the user consent forms that are cascaded in the onboarding flow.
To see how the user consent forms are inserted into the onboarding flow of the Sample app, please note the following in the generated project:
- The sample app project file swift has the new flow for onboarding and the definition for the function configuredUserConsentStep
- The new class configuredUserConsentStep derived from OnboardingStep and FUIUserConsentViewControllerDelegate is now invoked as part of the OnboardingSteps
- Review the function configuredUserConsentStep to understand the framework classes for user consent forms and changes that will need to be made for customizing the user consent forms.
- The FUIUserConsentViewController class is used to display a series of user consent forms during the onboarding flow. This UIViewController class can be used to either display a single step user consent form or a multi-step user consent form that can be presented to the end user for positively opting-in for any collection of data before an app starts.
For illustration, here is the code fragment for the function configuredUserConsentStep with custom text in the user consent form (variable spText below). Compile the sample text with just the change in the spText variable – ignore the multi-step consent for now.
    // UserConsentStep
    private func configuredUserConsentStep() -> UserConsentStep {
        // Content consists of two forms - a single page form first and then a multi page form

        // Content for the single page form
        let spTitle = "Data Privacy"
        let spText = "Detailed text about how data privacy pertains to this app and why it is important for the user to enable this functionality.\r\nFor e.g: 'This app collects information about your physical location and stores it on the server so that it can recommend other services in your geographical area'"
        let spAttributes = [NSAttributedStringKey.font: UIFont(name: "Georgia", size: 17.0)!]
        let spBody = NSAttributedString(string: spText, attributes: spAttributes)
        let spActionTitle = "Learn more about Data Privacy"

        // Page shown in the single page form
        var spPageContent = UserConsentPageContent()
        spPageContent.title = spTitle
        spPageContent.titleAttributedText = nil
        spPageContent.bodyAttributedText = spBody
        spPageContent.actionTitle = spActionTitle

        // isRequired: true makes this a mandatory consent form
        let spFormContent = UserConsentFormContent(version: "one", isRequired: true, pages: [spPageContent])

        // The multi page form content and the return of the configured UserConsentStep are not shown in this fragment.
    }
The modified user consent form will now look like this:
If the user denies consent, then a notice is displayed that the onboarding flow will be terminated:
The onboarding flow will be similar in a multi-step consent form (first and last step of 3 step form shown here):
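As noted in the overview, the app still has to record each consent decision in a backend system. The following sketch is an added example, not code generated by the Assistant or part of the SDK: it models an audit record built from the form's version and isRequired values and derives the mandatory/optional onboarding behaviour described above. All type and function names (ConsentRecord, outcome, needsPrompt, auditPayload) are hypothetical, and it assumes that consent is tied to the form's version string.

```swift
import Foundation

// Hypothetical audit types; none of these names come from the SAP SDK.
enum ConsentDecision: String, Codable { case granted, denied }

struct ConsentRecord: Codable {
    let userID: String        // backend user identifier (assumed to exist)
    let formVersion: String   // same value as UserConsentFormContent(version:), e.g. "one"
    let isRequired: Bool      // same value as UserConsentFormContent(isRequired:)
    let decision: ConsentDecision
    let decidedAt: Date
}

enum OnboardingOutcome: Equatable { case proceed, abort, proceedAndAskLater }

// Mandatory form + denial aborts onboarding; optional form + denial continues.
func outcome(for record: ConsentRecord) -> OnboardingOutcome {
    switch (record.decision, record.isRequired) {
    case (.granted, _): return .proceed
    case (.denied, true): return .abort
    case (.denied, false): return .proceedAndAskLater
    }
}

// Assumption: consent given for an older form version does not cover new text,
// so the form is shown again when the version changes or a mandatory form was denied.
func needsPrompt(latest: ConsentRecord?, currentVersion: String) -> Bool {
    guard let latest = latest else { return true }
    return latest.formVersion != currentVersion
        || (latest.isRequired && latest.decision == .denied)
}

// Serialize every decision, denials included, for the backend audit trail.
func auditPayload(for record: ConsentRecord) throws -> Data {
    let encoder = JSONEncoder()
    encoder.dateEncodingStrategy = .iso8601
    encoder.outputFormatting = [.sortedKeys]
    return try encoder.encode(record)
}

// Constructed sample: the user denies the mandatory form with version "one".
let sample = ConsentRecord(userID: "user-123", formVersion: "one", isRequired: true,
                           decision: .denied, decidedAt: Date())
print(outcome(for: sample))
print(needsPrompt(latest: sample, currentVersion: "one"))
if let json = try? auditPayload(for: sample), let text = String(data: json, encoding: .utf8) {
    print(text)
}
```

How the payload is transmitted and stored is left to the backend; the record deliberately contains only the decision metadata, not the data the consent covers.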
Other Enhanced Security features
In this release, we have added the feature of automatically changing the passcode flow based on the passcode policy on the server. For example, if a new passcode policy has to be enforced (e.g. increasing the length of the passcode from 6 to 8 characters) or a new type of authentication has to be added to the flow (e.g. FaceID), then this can be set on the server side and automatically enforced on all the clients.