GDPR compliance for push notifications: what you need to know
This is practical guidance, not legal advice — but most push-notification GDPR questions come down to a few concrete practices.
Consent must be informed and specific
Granting the browser's notification permission is not, by itself, informed and specific consent: the native prompt says nothing about what you will send or why. Explain what users are opting into ("order updates", "weekly digest") in your own UI before triggering the native prompt, record the choice per topic, and let them opt out of each topic at any time, as easily as they opted in.
Keep a consent record
Store when and how each subscriber opted in: the timestamp, the topics they chose, the UI that recorded the choice, and the version of the wording they saw. If you ever need to demonstrate consent, "the browser allowed it" is not enough; a timestamped record tied to the subscriber is.
Push tokens are personal data
A push endpoint or device token is a pseudonymous identifier tied to one device and installation; treat it as personal data. Encrypt it at rest, restrict which people and services can read it, keep it out of application logs (log a hash if you need to correlate), and include it in the scope of deletion and export requests.
Honor deletion and export
- Right to erasure: deleting a subscriber must remove their token and consent record and stop all future sends, including jobs that were already queued or scheduled before the deletion.
- Right to access: be able to export everything you hold about a subscriber (token, consent history, topic preferences) in a readable format.
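The practices above translate into a small amount of data-model and send-path logic. The following Python sketch is an added example, not OpenPushAPI's code or API: an in-memory subscriber registry with an append-only consent log (timestamp, topic, source UI, notice version), per-topic opt-out resolved by replaying that log, erasure that also blocks sends from jobs queued before the deletion, an export of everything held about one subscriber, and removal of dead tokens when the push service answers 404 or 410 (the statuses RFC 8030 defines for expired or invalid subscriptions). The subscriber IDs, endpoint URLs, and the `transport` callback are constructed for the example.

```python
from __future__ import annotations
from dataclasses import dataclass, field, asdict
from datetime import datetime, timezone
from typing import Callable, Optional
import hashlib


@dataclass
class ConsentEvent:
    """One consent decision; the log is append-only so the history can be shown later."""
    topic: str
    action: str           # "opt_in" or "opt_out"
    source: str           # UI that recorded the choice, e.g. "pre-prompt", "settings-page"
    notice_version: str   # version of the wording the user saw when deciding
    at: str               # ISO-8601 UTC timestamp


@dataclass
class Subscriber:
    subscriber_id: str
    endpoint: str                                  # push endpoint/token: personal data
    consent: list[ConsentEvent] = field(default_factory=list)


def endpoint_fingerprint(endpoint: str) -> str:
    """Short hash for logs and metrics so the raw endpoint never lands in log files."""
    return hashlib.sha256(endpoint.encode()).hexdigest()[:16]


class PushRegistry:
    """In-memory store (hypothetical). A real deployment would back this with a database
    and encrypt the endpoint column at rest; the data model and the checks are the point."""

    def __init__(self, clock: Optional[Callable[[], datetime]] = None):
        self._subs: dict[str, Subscriber] = {}
        self._erased: set[str] = set()   # tombstones: erased IDs are never sent to again
        self._clock = clock or (lambda: datetime.now(timezone.utc))

    def subscribe(self, subscriber_id: str, endpoint: str, topics: list[str],
                  source: str, notice_version: str) -> None:
        self._erased.discard(subscriber_id)   # a fresh, explicit opt-in after erasure is fine
        sub = self._subs.setdefault(subscriber_id, Subscriber(subscriber_id, endpoint))
        sub.endpoint = endpoint
        now = self._clock().isoformat()
        for topic in topics:
            sub.consent.append(ConsentEvent(topic, "opt_in", source, notice_version, now))

    def opt_out(self, subscriber_id: str, topic: str, source: str) -> None:
        now = self._clock().isoformat()
        self._subs[subscriber_id].consent.append(ConsentEvent(topic, "opt_out", source, "n/a", now))

    def active_topics(self, subscriber_id: str) -> set[str]:
        """Replay the consent log: the latest event per topic wins."""
        latest: dict[str, str] = {}
        for ev in self._subs[subscriber_id].consent:
            latest[ev.topic] = ev.action
        return {t for t, a in latest.items() if a == "opt_in"}

    def recipients(self, topic: str) -> list[str]:
        return sorted(sid for sid in self._subs if topic in self.active_topics(sid))

    def erase(self, subscriber_id: str) -> bool:
        """Right to erasure: drop token and record, and block any send still in flight."""
        existed = self._subs.pop(subscriber_id, None) is not None
        self._erased.add(subscriber_id)
        return existed

    def export(self, subscriber_id: str) -> Optional[dict]:
        """Right to access: everything held about one subscriber, as plain data."""
        sub = self._subs.get(subscriber_id)
        return asdict(sub) if sub else None

    def send(self, topic: str, payload: bytes, transport: Callable[[str, bytes], int],
             audience: Optional[list[str]] = None) -> dict[str, str]:
        """Deliver `payload` for `topic`. `audience` is an optional snapshot a queued job
        captured earlier; consent and erasure are re-checked at send time regardless.
        `transport(endpoint, payload)` returns the push service's HTTP status."""
        outcome: dict[str, str] = {}
        for sid in (audience if audience is not None else self.recipients(topic)):
            if sid in self._erased or sid not in self._subs:
                outcome[sid] = "skipped-erased"
                continue
            if topic not in self.active_topics(sid):
                outcome[sid] = "skipped-opted-out"
                continue
            status = transport(self._subs[sid].endpoint, payload)
            if status in (404, 410):           # RFC 8030: subscription expired or invalid
                self._subs.pop(sid)
                outcome[sid] = "removed-dead-token"
            else:
                outcome[sid] = "sent" if 200 <= status < 300 else f"failed:{status}"
        return outcome


if __name__ == "__main__":
    # Constructed demo data; the transport fakes a push service that has dropped bob's token.
    reg = PushRegistry()
    reg.subscribe("alice", "https://push.example/ep/a1", ["orders", "digest"], "pre-prompt", "v1")
    reg.subscribe("bob", "https://push.example/ep/b1", ["digest"], "pre-prompt", "v1")
    reg.opt_out("alice", "digest", "settings-page")
    fake_push = lambda ep, p: 410 if ep.endswith("/b1") else 201
    print(reg.send("digest", b"hello", fake_push))
    print({sid: endpoint_fingerprint(reg.export(sid)["endpoint"]) for sid in ("alice",)})
```

The send path re-checks consent and erasure against the live store rather than trusting the audience list a job carried, which is what makes "stop all future sends" hold for work that was queued before the deletion.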
Mind your subprocessors
Apple (APNs), Google (FCM), and the browser vendors' push services sit in the delivery path, so they see endpoints and delivery metadata (who is being sent to, and when). APNs and FCM also see the notification content you hand them. Web Push payloads are encrypted end to end to the browser (RFC 8291), so browser push services see only ciphertext, but the metadata alone makes them processors of your subscribers' data. List them as subprocessors in your privacy policy and offer a DPA to business customers.
OpenPushAPI encrypts credentials at rest, auto-removes dead tokens, supports per-subscriber deletion, and documents its subprocessors — the building blocks for a compliant setup.
Ready to ship push notifications?
Create free account →