Configure Real User Monitoring according to GDPR

Ensuring the privacy of your customers’ personal data is now a key component of your digital-business success. Dynatrace provides numerous privacy enhancements that make it easy for you to configure appropriate settings that protect your customers' personal data and ensure your organization’s compliance with GDPR.

Note: For details on privacy settings that are configured globally, environment-wide, please see How do I configure global privacy settings?

Data privacy settings for web applications

Data privacy settings available for web applications make it easy to implement data-privacy standards at the application level.

To access application-level data privacy settings:

  1. In the Dynatrace menu, go to Web.
  2. Select the application you want to configure.
  3. Select Browse > Edit.
  4. Select the Data privacy tab.

To provide you with an easy overview of all applicable privacy settings, the Global settings section at the top of the settings page reflects the same environment-wide privacy settings that are configurable at Settings > Preferences > Data privacy.

The other privacy settings available for web applications are described in the following sections.

User tracking

This setting allows you to enable or disable the use of persistent cookies that detect and track returning users. When enabled, Dynatrace Real User Monitoring sets a persistent cookie in end-user browsers that detects if the browser has been used previously to access your application. When disabled, the Returning vs. new users RUM metric no longer works because Dynatrace is no longer able to correlate anonymous user sessions with tagged user sessions. Learn how we store this cookie.

Note: User tracking is disabled by default for all newly created applications. Settings for existing applications aren’t affected and so must be configured manually.

Opt-in mode

With opt-in mode enabled, the injected RUM JavaScript won’t capture any data or set cookies. Data capture and cookie usage can, however, be enabled for individual users using the JavaScript API call dtrum.enable(). This allows you to implement an opt-in setting that enables your customers to comply with the data privacy standards of their region.

During the course of Dynatrace monitoring—even following the RUM JavaScript injection into your application—if your customers don’t have a Dynatrace cookie set in their browser, no RUM monitoring data will be captured. You must explicitly call the JavaScript API call dtrum.enable() from each of your customers’ browsers to activate monitoring data capture.

Dynatrace also provides a JavaScript API call that can disable monitoring once it’s been enabled using a dtrum.enable() call. Using the call dtrum.disable(), you can implement a dialog that enables your end users to stop sending monitoring data to Dynatrace, even after it’s been explicitly enabled. This API call requires Dynatrace OneAgent v1.145 or above.

Note: Opt-in mode isn’t enabled by default.

Do Not Track

Another technique for protecting end-user privacy that’s supported by all web browsers is the Do Not Track HTTP header. With this setting enabled, browsers add an additional HTTP request header to all the web requests they send. This header specifies that all user tracking must be disabled.

With Comply with 'Do Not Track' browser settings disabled (setting is enabled by default), Dynatrace ignores the browser’s Do Not Track setting and the Do Not Track header. With this setting enabled (the default behavior), there are two options:

Capture anonymous user sessions for “Do Not Track”-enabled browsers

(Enabled by default) Captures user sessions from the browser, but excludes all personal information that could lead to the identification of the user. The IP address is masked and no user tag information is sent.

Note: With the User tracking setting enabled (see above), Dynatrace still sets a persistent cookie to detect returning browsers.

Turn Real User Monitoring off for “Do Not Track”-enabled browsers

(Disabled by default) No data is captured from browsers that have the “Do Not Track” setting enabled.

Note: Comply with 'Do Not Track' browser settings is enabled by default for both new and existing applications.

Data privacy settings for mobile apps

To ensure that your mobile apps are compliant with GDPR (or the Google prominent disclosure requirement), you must secure your end user’s permission to capture their personal data and receive crash reports from their mobile devices. Starting with OneAgent for Mobile 7.1.4, there is a setting called User opt-in mode that allows you to implement such behavior. This allows you to control the monitoring data that is captured and whether or not crash reports should be sent on a per-user basis.

Data collection level

off: No data is captured.
performance: OneAgent only captures anonymous performance data. Monitoring data that can be used to identify individual users (for example, user tags or custom values) isn’t captured.
user behavior: Both performance and user data are collected. In this mode, OneAgent recognizes and reports on users who revisit your app in future sessions.

User tracking

A native mobile app only attaches the x-dynatrace header to web requests. For hybrid apps, instead of the x-dynatrace header, the dtAdk and dtAdkTag cookies are attached to the web requests that originate from webviews. The x-dynatrace header and the dtAdkTag cookie are used to link the mobile part of the web request to the service part captured by another OneAgent. The dtAdk cookie is used to join sessions from the mobile agent and the JavaScript agent so that they can appear as a single session in the user session search.

Crash reporting

disabled: Crash reports aren’t sent to Dynatrace.
enabled: Crash reports are sent to Dynatrace.

Enable user opt-in mode for your mobile app

To ensure compliance with GDPR regulations, configure your Android and iOS apps for data privacy.

User opt-in mode must be enabled at build time and you must have the latest version of OneAgent for Mobile (v8 or above). You must also implement a privacy settings page that allows each individual user of your app to control their preferences and store them using the new API. The following steps describe the workflow for setting up the user opt-in mode:

  1. Enable user opt-in mode at build time of your app by setting the DTXUserOptIn flag.
  2. At startup, OneAgent for Mobile checks the enabled settings of the device. By default, the data collection level is set to off and crash reporting is disabled so that, upon the first startup of the app, no data is shared with Dynatrace.
  3. Your app checks if the user has agreed to your privacy policy. If not, a dialog is displayed (see example below) asking for the user’s permission. To develop your organization’s own privacy policy language, have a look at the example policy texts that we’ve provided.
  4. When the user confirms their settings, use the new API calls to store the user’s preferences.

Upon the next startup of your app, OneAgent for Mobile applies the new settings and reports only as much data as the user has agreed to share with Dynatrace.

To provide your end users with a cookie opt-out capability, Dynatrace must be configured appropriately. Usually Dynatrace creates tracking cookies automatically. When using cookie opt-in mode, Dynatrace RUM tracking is disabled by default and no cookies are created. When an end user accepts your cookie policy (opt-in mode), Dynatrace RUM is enabled by calling dtrum.enable() within the RUM JavaScript. Following this method invocation, Dynatrace tracking cookies are created and RUM is activated.

To activate cookie opt-in mode

  1. In the Dynatrace menu, go to Settings > Monitoring > Monitoring overview, and select the Applications tab.
  2. Select the application you want to configure.
  3. Select Browse > Edit.
  4. From the left, select Data Privacy, and turn on Data-collection & opt-in mode.

Note: If your organization provides an end-user opt-out feature for cookies, you must use the opt-in mode command to enable use of Dynatrace cookies and thereby enable Dynatrace RUM. Once your users have opted into our cookie policy, you must additionally run the command dtrum.enable() in the RUM JavaScript.
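The opt-in flow described here and in the Opt-in mode section, as an added example that is not Dynatrace's own code: a consent gate that calls dtrum.enable() only after an explicit grant and dtrum.disable() on withdrawal. Only those two calls come from this page; the function names, the storage key, the choice to re-apply a stored decision on page load, and the stand-in objects are assumptions.

```javascript
// Added example: consent gate for RUM opt-in mode.
// Only dtrum.enable() and dtrum.disable() are taken from the page; all other
// names (functions, CONSENT_KEY, the stand-ins below) are hypothetical.
const CONSENT_KEY = "rumConsent"; // the site's own consent record

// Apply a user's choice. `win` is the browser window (or a stand-in);
// `store` is any object with getItem/setItem, such as window.localStorage.
function applyRumConsent(choice, win, store) {
  if (choice !== "granted" && choice !== "denied") {
    throw new TypeError("choice must be 'granted' or 'denied'");
  }
  // Record the decision first, so a later failure never reads as consent.
  store.setItem(CONSENT_KEY, choice);

  const api = win && win.dtrum;
  if (!api || typeof api.enable !== "function" || typeof api.disable !== "function") {
    // RUM JavaScript not injected or blocked: there is nothing to switch.
    return "rum-unavailable";
  }
  if (choice === "granted") {
    api.enable();
    return "enabled";
  }
  api.disable();
  return "disabled";
}

// On page load: act only on a stored explicit decision. With none stored,
// make no call at all, so opt-in mode keeps data capture off.
function restoreRumConsent(win, store) {
  const saved = store.getItem(CONSENT_KEY);
  if (saved !== "granted" && saved !== "denied") return "no-decision";
  return applyRumConsent(saved, win, store);
}

// Constructed stand-ins so the example also runs outside a browser.
function makeFakeWindow() {
  const calls = [];
  const dtrum = { enable: () => calls.push("enable"), disable: () => calls.push("disable") };
  return { calls, dtrum };
}
function makeMemoryStore() {
  const m = new Map();
  return { getItem: (k) => (m.has(k) ? m.get(k) : null), setItem: (k, v) => m.set(k, String(v)) };
}
```

In a page, the consent dialog's buttons would call applyRumConsent("granted", window, window.localStorage) or the "denied" equivalent, and restoreRumConsent(window, window.localStorage) would run once on load.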

For complete details on cookie usage in Dynatrace, see How does Dynatrace use cookies?