GDPR Effect on E-Learning Apps, or User Data Protection at All Costs

Please, tell us how paranoid you are about your personal data. We sure hope that your “spidey sense”, combined with two-factor authentication, automatic log-off and plenty of other precautionary measures, is a part of your daily routine on the Internet. But what if you are responsible for the storage and security of the data of hundreds, thousands, or even millions of your mobile users? In this article, we are going to look at the things that matter most for user data protection.
Jun 08, 2016

We’ll dive deep into a very complex and long document called GDPR (General Data Protection Regulation). In short, it has changed the way users’ personal data should be collected and processed. In this article, we will show you how.

We are going to talk a little about which measures app owners should apply to make their software GDPR compliant.

We will also focus on individuals’ rights in respect of their personal data, which have been put under the microscope since GDPR came into force.

Also, we will analyze some of the things the world’s leading E-Learning companies (Duolingo, Moodle) do to avoid enormous fines and keep their users’ data protected.

So that you don’t fall asleep, we have included some shocking data breach figures and memes. Enjoy.

GDPR in E-Learning: “Sudden” Privacy Policy Changes

It’s been more than three months now since the GDPR act came into force. You might have gotten tired of all these notifications about websites using cookies and updating their privacy policies - that is how you got acquainted with the act as a user.

E-Learning companies that have active users in the European Union had to adjust accordingly. For instance, the biggest MOOC platforms - Udacity and Coursera - had their privacy policies updated on the same day - May 12, 2018 - two weeks before GDPR came into force on May 25.

Duolingo, a big language learning app, made the latest update of its privacy policy on August 17, 2018. It clearly had more than one point that had to be reworked due to the new regulation rules.

As those notifications were all over the web, some websites were creative about informing users that they are going to track their cookies. “This is not a big deal, but we use cookies, FYI. You’d allow us, right?”

The others were way too official. Let’s take Green Day music as an example. In order to check out their new albums on the official website, one has to read about their privacy policy and agree to the use of cookies. Punk rockers are responsible these days.

Six Principles of GDPR Data Protection

There are 6 principles relating to the processing of personal data listed in Article 5(2) of the 88-page EU data regulation document.

  • Lawfulness, Fairness, and Transparency
  • Purpose Limitation
  • Data Minimization
  • Accuracy
  • Storage Limitation
  • Integrity and Confidentiality

Let’s quickly run through all of them in respect of how E-Learning apps should treat all the personal information of their users.

Lawfulness, fairness, and transparency.

This concept is pretty easy to understand and embrace. All the information has to be gathered in a lawful way. Users should realize that the company gets their personal data, so the language of the note that makes them aware of that should be plain and clear.

No monkey business: there is simply no need to mislead users about data collection. E-Learning mobile apps should easily follow this principle, as it doesn’t require anything extraterrestrial.

Purpose limitation.

There must be a reason for collecting, storing and further processing data. The data subject should be aware of the reason.

The original purpose must be the only one; companies are forbidden to use user data for other reasons.



Here is what Duolingo states among its purposes for data collecting:

“We may also use your contact information to send you notifications regarding new services, offers, and promotions offered by Duolingo if you affirmatively consent to receive such communications.”

Moodle answers the question of how the data collected for their app is used with a single purpose - to provide access to the online courses on this site (app - for Moodle Mobile).

This principle allows using your activity data for statistical purposes.

This is obviously some good news for app owners as they need to study user behavior in order to improve their software.

Data Minimization.

The less info a user provides to the mobile app, the smaller the damage if the data is breached. There is no need to ask users about their sexual orientation for educational software, for example.

In fact, the second biggest data breach in history happened in October 2016 with the Adult Friend Finder databases. Info about the user’s religion, sexual orientation and some other data put into dating apps would hopefully never be requested by educational apps.

More than 412 million user accounts were compromised. You might not want to go down in history for the data contained in your dating app portfolio.

As an educational app owner, don’t ask too much - surveys might be less effective than studying actual user behavior, but at least it’s legal to ask for the info that way.

Accuracy.

App owners must provide users with the opportunity to update their info. Every reasonable step should be taken to change or delete inaccurate or incomplete user information.

Storage Limitation.

Let us quote Moodle policy on this:

How long is my data stored?
Your personal data is stored as long as your account is active on this site.

That means that after you deactivate the account in a learning app, personal data should quit the mobile app with the user.

Integrity and Confidentiality.

There is no need to analyze this point, to be honest. It simply goes without saying.

Organizations must take reasonable measures to protect against data breaches and unlawful processing.

Focus on the Individuals’ Rights

There is quite a range of individuals’ rights that have to be covered by the software owner to claim that the app is GDPR compliant.

These are screenshots from Duolingo and Moodle websites that describe data subject rights.

Duolingo Privacy


Moodle Privacy


These are just two ways to list the individuals’ rights that have to be respected.

Among the most interesting points here we’d like to highlight are the right to be forgotten and the right to object to the processing of certain types.

The first one is the dream for a little star named Barbra Streisand. You might have heard of the Streisand effect. The more you try to hide something, the more the Internet is inclined to see it. Not the case here.

Under the new Regulation, users have the right to have all the information about their studying deleted by the processor.

Had Beyonce used her unflattering picture her publicist was trying to delete as information provided to the GDPR-compliant E-Learning provider, it would have gone forever. Hopefully.

If a user is tired of the app sending him/her marketing emails, he/she may object to that, and it would be a GDPR violation of his/her rights to send any more after the objection is expressed.

These are just a few of the things that app owners should keep a close eye on.

How Big of a Deal Is GDPR (Google and Facebook are fined $9.3 billion)

If you still think that GDPR is some document that doesn’t affect you as a startupper, you might be wrong.

Even if you are targeting US users, and only a small portion of your potential users are EU citizens, you have to follow the regulation. Otherwise, your company will never show a profit, as you will only work to cover the fines for the European Union.

How big could these fines be? You might feel like a loser in a Monopoly game at some point.

It actually reminds us of an old Louis CK monologue where he described such a loss to his then-9-year-old daughter.

Louis CK plays European Union in this scene. Those business owners that violate GDPR rules are his daughter.

“OK, so here’s what’s going to happen now, OK? All your property, everything you have, all your railroads, your houses, all your money – that’s mine now. You gotta give it all to me. Give it to me, that’s right. And no–no, you can’t play anymore, see, because even though you’re giving me all of that, it doesn’t even touch how much you owe me. It doesn’t even touch it, baby. You’re going down hard. It’s really bad. All you’ve been working for, all day, I’m going to take it now and I’m going to use it to destroy your sister.”

We are talking billions of dollars in fines. Google and Facebook faced $9.3 billion in fines just days after the rules came into force.

The way Facebook-owned Instagram and WhatsApp is a no-no for the European Union. Plenty of violations were on Google’s side - Alphabet - the Google-owned company is liable for $4.88 billion in fines.

If these figures don’t frighten you, it is hard to blame you, as it is hard to even imagine this pile of money.

If you don’t take GDPR seriously, you’ll go bankrupt pretty soon.


Among the main changes GDPR brought us are:

  • Data collection minimization and purpose limitations
  • User consent obligations
  • Mandatory data breach notifications
  • Closer attention to the expanded set of individuals’ rights

If you are planning on starting your own mobile app in the educational sector (or already have one), you should prioritize user privacy pretty high.

Following all the standards might be quite complex.

A careless attitude towards the private data of users is now punishable not just by reducing the potential value of your company and costing it its reputation, but also financially - in the form of fines.

This is definitely not a thing to forget while putting your mobile app on the market.
