Header background

New privacy settings secure your customers’ personal data

Ensuring the privacy of your customers’ personal data is now a key component of your digital-business success. In response to the General Data Protection Regulations (GDPR) for EU citizens, Dynatrace has introduced numerous privacy enhancements that make it easy for you to configure appropriate settings that protect your customers’ personal data and ensure your organization’s compliance with GDPR.

Global data privacy settings

Dynatrace now features an enhanced Data privacy settings page that provides global settings you can quickly deploy across your entire Dynatrace environment. Please note that some of these global settings (those that relate to server-side monitoring) were previously available at Settings > Web & mobile monitoring.

What’s changed?

  • Dynatrace Help now features numerous GDPR-related Help topics that explain all Dynatrace configuration options related to data privacy and GDPR compliance.
  • The Mask end-user IP addresses & GPS coordinates setting now applies to both Real User Monitoring and server-side monitoring. When enabled, end-user IP addresses are masked during the course of monitoring web applications, mobile apps, custom applications, and server-side services. Masking takes place at the moment of detection, so IP addresses are never captured or stored.
  • For all newly created Dynatrace environments, the Mask end-user IP addresses & GPS coordinates setting is enabled by default.

To access global privacy settings, go to Settings Preferences Data privacy.

Global Data Privacy Settings

Data privacy settings for web applications

Data privacy settings available for web applications make it easy to implement data-privacy standards at the application level. Most of these settings have been available in the product for a while, but they were previously hidden in other settings sections. Now all Data privacy settings for web applications are consolidated on a single page.

To access application-level data privacy settings

  1. Select Applications from the navigation menu.
  2. Select the web application you want to configure.
  3. Click the Browse () button and select Edit.
  4. Select the Data privacy tab.

To provide you with an easy overview of all applicable privacy settings, the Global settings section at the top of the settings page reflects the same environment-wide privacy settings that are configurable at Settings Preferences Data privacy (in a future release, these global settings will be overwritten with application-specific privacy settings).

Application Data Privacy Settings

Details of the other new privacy settings that are now available for web applications are detailed in the following sections.

User tracking

This setting allows you to enable or disable the use of persistent cookies that detect and track returning users. When enabled, Dynatrace Real User Monitoring sets a persistent cookie in end-user browsers that detects if the browser has been used previously to access your application. When disabled, the Returning vs. new users RUM metric no longer works because Dynatrace is no longer able to correlate anonymous user sessions with tagged user sessions.

Important change: User tracking is disabled by default for all newly created applications! Settings for existing applications aren’t affected and so must be configured manually.

User Tracking for existing apps

Opt-in mode

Opt-in mode for web applications has been available in Dynatrace for some time now (for details, see How to ensure your customers’ data privacy during monitoring), however, this setting was hidden in Advanced setup settings. With opt-in mode enabled, the injected JavaScript Real User Monitoring code won’t capture any data or set cookies. Data capture and cookie usage can, however, be enabled for individual users using the JavaScript API call dtrum.enable(). This allows you to implement an opt-in setting that enables your customers to comply with the data privacy standards of their region.

During the course of Dynatrace monitoring—even following Real User Monitoring code snippet injection into your application—if your customers don’t have a Dynatrace cookie set in their browser, no RUM monitoring data will be captured. You must explicitly call the JavaScript API call dtrum.enable() from each of your customers’ browsers to activate monitoring-data capture.

Dynatrace now also provides a JavaScript API call that can disable monitoring once it’s been enabled using a dtrum.enable() call. Using the call dtrum.disable(), you can implement a dialog that enables your end users to stop sending monitoring data to Dynatrace, even after it’s been explicitly enabled.

The Opt-in mode setting isn’t enabled by default.

Opt-in mode for web apps

Do Not Track

Another technique for protecting end-user privacy that’s supported by all web browsers is the Do Not Track HTTP header. With this setting enabled, browsers add an additional HTTP request header to all the web requests they send. This header specifies that all user tracking must be disabled. Similar to Opt-in mode, this setting has existed for some time already, but it has been recently enhanced.

With the Respect browsers’ “Do Not Track setting disabled (setting is enabled by default), Dynatrace ignores the browser’s Do Not Track setting and the Do Not Track header. With this setting enabled (the default behavior), there are two options:

  • Capture anonymous user sessions for “Do Not Track” enabled browsers: (enabled by default) Captures user sessions from the browser, but excludes all personal information that could lead to the identification of the user. The IP address is masked and no user tag information is sent.
    Note: With User tracking enabled (see above), Dynatrace still sets a persistent cookie to detect returning browsers.
  • Turn real user monitoring off for “Do Not Track” enabled browsers: (disabled by default) No data is captured from browsers that have the “Do Not Track” setting enabled.

Important change: The Respect browsers’ Do Not Track setting is enabled by default for both new and existing applications. 

Do Not Track for web apps

Data privacy settings for mobile apps

To ensure that your mobile apps are compliant with GDPR (or the Google prominent disclosure requirement) you must secure your end user’s permission to capture their personal data and receive crash reports from their mobile devices. Starting with OneAgent for Mobile 7.1.4, there is a new setting called user opt-in mode that allows you to implement such behavior. This allows you to control the monitoring data that are captured and whether or not crash reports should be sent on a per-user basis.

Data collection level

  • off: No data are captured.
  • performance: OneAgent only captures anonymous performance data. Monitoring data that can be used to identify individual users (for example, user tags or custom values), aren’t captured.
  • user behavior: Both performance and user data are collected. In this mode, OneAgent recognizes and reports on users who re-visit your app in future sessions.

Crash reporting

  • disabled: Crash reports aren’t sent to Dynatrace
  • enabled: Crash reports are sent to Dynatrace

Enable user opt-in mode for your mobile app

User opt-in mode must be enabled at build time and you must have the latest version of OneAgent for Mobile (v7.1.4 or above). In addition, you must implement a privacy settings page that allows each individual user of your app to control their preferences and store them using the new API. The following steps describe the workflow for setting up user opt-in mode.

  1. Enable user opt-in mode at build time of your app by setting the DTXUserOptIn flag
  2. At startup, OneAgent for Mobile checks the enabled settings of the device. By default, the data collection level is set to off and crash reporting is disabled so that, upon the first startup of the app, no data is shared with Dynatrace.
  3. Your app checks if the user has agreed to your privacy policy. If not, a dialog is displayed (see example below), asking for the user’s permission. To develop your organization’s own privacy policy language, have a look at the example policy texts that we’ve provided.
  4. Once the user has confirmed their settings, you can use the new API calls to store the user’s preferences.
  5. Upon the following startup of your app, OneAgent for Mobile applies the new settings and reports only as much data as the user has agreed to share with Dynatrace.