Prenly CMP - Internal

Art. no. 217060895

What is Prenly CMP?

CMP stands for Consent management platform.

Prenly CMP is a built-in consent management tool designed to help our customers comply with privacy regulations, such as GDPR and similar laws. Its primary purpose is to manage user consent for the collection of cookies and personal data.

What is it used for? / What are its functions?

According to new digital laws all web pages and Android / iOS apps must have a consent dialog for the collection of cookies and other personal data. It is very important that the customer understands that they are the ones being the “data controller”, and therefore are the ones legally responsible for this.

The Prenly customers are responsible for informing their users about the data collected from the reader's device and the purpose of the collection. This can be done by creating a CMP module in Prenly Workspace. “Prenly CMP” is only one of the supported modules.

The user has the right to deny that the software stores data (for example cookies, or data stored in the native apps, or on the server). Within EU, two laws state this from different perspectives:

GDPR states that it is not allowed to store personal data without a reason, if it is not necessary for the service to function properly.
The ePrivacy Directive (“cookie law”) states that it is not allowed to store data on the users device (cookies other ways to store data), without first informing the user and allowing them to deny it. There are some exceptions, well covered in other documentation.

Note that the CMP feature gives the customer the possibility to comply with both laws.

How is the CMP implemented? - What actions are needed from us?

The consent dialog is managed in Prenly Workspace by a user with the “owner” role. A consent dialog configuration can be used in multiple applications owned by the customer. The instructions on how to create a CMP module are found on the support page.

In PWS:

Go to settings → consent dialog

Click “new”
Prenly CMP is the standard preset; the language can be changed here
Click “create”
Name, Title and content can be edited
“For user analysis” and “for marketing” should be toggled off

Go to Applications → consent dialog

Connect the consent dialog to all applications
Click save

During the onboarding process the customer success team adds the CMP module to the clients applications. The setting for user analysis and marketing are being deactivated, since it is the customers choice to activate them.

When using statistical modules like Matomo, Google analytics, Prenlytics etc

If you use Prenly CMP as a consent dialog and integrate for example Matomo, you can decide what level of data to send from the web and app users. The default setting is that no data at all is sent from the web and app when the user has not given their consent.

However, if you want all data to be sent for later filtering wherever the data ends up, you can set the data to be sent even from those users who have not given consent. Doing this is most probably only legal according to GDPR if the customer sends the data within their own company, which is possible only if they use a self-hosted system that receives the data (like a Matomo server installation, an endpoint to receive Prenlytics data or a server-side GTM container). In these cases, you can choose to send data completely anonymously or including user-id. You are then responsible for filtering the data later in accordance with the law. This should be avoided when using Matomo cloud.

This setting is made in Prenly Workspace, in the Prenly CMP module.

If under "Basic tracking with Matomo" you select "Do not require consent", the data will be sent anonymously - without user-id - for those users who have not given consent to be analyzed.
If under "Individual tracking with Matomo" you select "Do not require consent", all data including user-id will be sent also for those users who have not consented to be analyzed. This allows you to receive all the data to your own data warehouse for filtering.

Other supported CMP modules (Didomi, Cookiebot, Usercentrics) have similar settings for the consent requirement.

How is the CMP implemented? - What actions are needed from the customer?

The customer is responsible for providing a CMP, writing the consent dialog and informing their clients about the data they process or track, including its purpose.

Our customer (as the data controller) should inform their users about:

What sub-processors (third-party companies, like Textalk Media AB) process personal data on behalf of the customer
Why and how each such sub-processor processes data.
The types of processing the customer does, either themself or by their sub-processors. The processing that Textalk Media does on behalf of the customer is explained in the DPA. The customer must themself know what other processing is made and why. All this must according to GDPR be described in the CMP texts or in the privacy policy. )
Defining the specific purposes why data is being collected (e.g., analytics, marketing, functional data), to allow users to give partial consent, which is required in GDPR.
Specifying in text for each such purpose what it includes (for example what sub-processors are used) and what data processing might be done if they give consent to the purpose.
That a DPA exists between the customer and all the sub-processors, including Textalk Media AB.

Note: The standard text when creating the Prenly CMP is in English. The buttons in the consent dialog will translate to the application language, however the dialog text needs to be provided by the customer in the suitable language.

What data is being processed?

“Processing” personal data as d refined by GDPR, means basically any operation on personal data, like collecting, storing, watching. using, or deleting it.

Under GDPR, personal data includes any information identifying or relating to an individual, even small or encrypted pieces like names or passwords. Prenly processes data primarily to ensure service functionality, such as storing IP addresses, device identifiers, and cookies.

Depending on configuration, statistical data requiring user consent may also be processed. Prenly respects CMP choices, ensuring no consent-dependent processing occurs until the user submits their preferences.

Public Application

For public applications, basic processing include:

IP addresses: Stored for up to 30 days, used for tracking data traffic, preventing hacking attempts, troubleshooting technical errors, and protecting against viruses or unauthorized use.
Device information: This includes device type, screen size, operating system, browser information
Unique identifier for native apps (Android/iOS): If the user accesses the service via a native app, a unique identifier is stored to help with troubleshooting, adapting content, enabling in-app purchases, and sending push notifications. This identifier is deleted when the app is uninstalled
Session information: Cookies or similar technologies are used to generate a visit ID that groups interactions into sessions. This ID does not include personal data but helps with session continuity

Application Requiring Login:

For login-based applications, Prenly may process personal data to manage subscriptions and secure access, including:

User ID, customer number, login credentials (name and password), and email address.
Subscription details (e.g., product codes).
Optional personal data like phone numbers, postal addresses, or social security numbers (configurable by the customer).
Temporary passwords (“tokens”) for login sessions.

By default, user tracking requires consent, and user IDs are excluded from contextual data if consent is denied. Customers can adjust this logic in Prenly Workspace based on legal requirements.

Tracking

Statistical modules

Prenly supports a number of statistical modules to perform user-specific identifiers to collect information that allows monitoring activities or behaviors for specific users over time. Both public and logged-in applications may track.

Tracking is normally only made with the user’s consent, but there may be exceptions since there are cases where the customer legally may do some kinds of tracking without consent (these legal aspects/decisions is something that the customer is responsible for deciding).

Event model

Tracking is made by continuously triggering “metric events” as long as the user consumes the e-paper. Each event comes with some information, called “attributes”, that explains what the user did, like opening an article or stopping to play a podcast episode. Some of the data collected is event-specific data, with details like which article was opened, what podcast episode was closed etc.

Some of the data collected is contextual data to provide insights into user interactions. This includes:

Technical environment (e.g., device details, screen size, OS information)
Session details (visit IDs, which group interactions into visits)
User consent preferences (if applicable, collected through the CMP)

Exporting data

Some statistical modules export data to external servers, such as customer-hosted servers, Google, or third-party providers.

Legal notes:

Even if personal data (e.g., IP address or user ID) is anonymized or deleted after processing, it still falls under GDPR.
Data sent outside the EU/EEA or to third parties typically requires explicit user consent.

Specific modules:

Matomo: Configured to export data to external servers. Open-source setups can anonymize data, but personal data like IP addresses may still be sent.
GTM/Google Analytics: Data is generally sent to Google unless a customer uses a self-hosted GTM server.
Prenlytics: Typically exports data to external servers.

Processing personal data in a custom tab

If the Prenly app is showing an external web page like the customer’s website (in a native app custom tab) as a single-page application (SPA), the Prenly software will NEVER process personal data processed within the custom tab. So if that website has integrated GA, Snoobi or other tracking scripts - it is kept within the custom tab and will never reach the native app.

Note that Prenly do NOT know or are responsible for tracking or other personal data processing that takes place within a custom tab. To help the customers build their site to be placed in the custom tab, we should recommend them to use our JS Bridge software. With that software, they can access the consent that the user made in the native app, and act accordingly.

Is a CMP needed for a public app?

Yes, a CMP should be implemented even for public apps. According to GDPR, personal data (such as IP addresses and device identifiers) is always processed, regardless of whether it’s essential for system functionality. This means customers are required to inform users about this data processing. Implementing a CMP ensures compliance with regulations like GDPR by clearly informing users about what data is collected, why it’s processed, and providing them with the choice to consent or decline data collection.