5 Tips for Mobile-App Privacy Compliance

January 28, 2022

To meet consumer and regulator expectations, Apple and Google have recently implemented new mobile-app privacy rules for apps offered through their stores. This matters for businesses that have noticed the year-over-year growth in app adoption and consumer spending. In 2020, mobile app downloads grew by 7% to 218 billion. Consumer spending increased 20% in that same period, ballooning to $143 billion (according to App Annie). But businesses considering an app need to be cognizant of their privacy obligations and potential compliance issues.

CGL’s 5 Tips for Mobile-App Privacy Compliance

Tip 1: Know, Understand, and Comply With Applicable Privacy Laws.

To avoid enforcement (like the 106 mobile apps which China’s Ministry of Industry and Information Technology just ordered to be removed from app stores), mobile apps that collect data from users will need to comply with any applicable privacy laws.

The GDPR, for instance, applies to mobile apps that collect the personal data of EU citizens. Meanwhile, the Federal Trade Commission (FTC) requires businesses to live up to any express or implied claims about privacy. 

With an increasing number of jurisdictions enacting comprehensive privacy laws, we suggest consulting with an experienced privacy attorney before launching your app. The initial cost of your privacy guidance will be significantly less than defending any claims of privacy non-compliance. If possible, it’s best to seek guidance before developing the app. Implementing privacy by design principles early allows privacy to be built into your app from the outset, instead of bolting it on at the end. This is generally more cost-effective and also offers better privacy outcomes. 


Tip 2: Your Privacy Practices Should Be Easy to Find & Understand. 

Apple now requires mobile app developers to make sure their apps explain what data the app collects, how the app collects it, parties with whom the data is shared, and what the data retention and deletion policies are. Specifically, Apple requires:

“Privacy Policies: All apps must include a link to their privacy policy in the App Store Connect metadata field and within the app in an easily accessible manner. The privacy policy must clearly and explicitly:

  • Identify what data, if any, the app/service collects, how it collects that data, and all uses of that data.
  • Confirm that any third party with whom an app shares user data (in compliance with these Guidelines)—such as analytics tools, advertising networks and third-party SDKs, as well as any parent, subsidiary or other related entities that will have access to user data—will provide the same or equal protection of user data as stated in the app’s privacy policy and required by these Guidelines.
  • Explain its data retention/deletion policies and describe how a user can revoke consent and/or request deletion of the user’s data.”


Meanwhile, apps available through Google’s Play Store will all be required to declare how they collect and handle user data by April 2022. Developers must make information about their security practices and the collection and handling of data through third-party libraries or SDKs available too. 

The clear trend (and lesson) here is that the major app stores are adapting to consumer and regulator expectations of privacy. Developers too will need to adapt to these increasing demands for transparency to remain competitive. 


Tip 3: Make It Easy For Users to Manage Their Privacy.

From January 31, any apps that require an account to be created and that wish to be available through Apple’s App Store will need to allow users to initiate account deletion from within the app. Apple suggests that app developers forgo any requirement to create an account where possible.

The most common way for users to manage their privacy settings is via a privacy dashboard. You should consider including a privacy dashboard that: 

  • Allows users to delete their account in just a few clicks. 
  • Allows users to delete their information without deleting their account. 
  • Provides a brief explanation of what the settings mean. 
  • Makes it simple for users to opt-out by adopting toggle buttons. 


Tip 4: Don’t Let Screen Size Impact Your Efforts to Obtain Consent. 

The fact that your users are using a smaller screen does not excuse you from obtaining valid consent or presenting privacy information in a way that is clear and easy to understand. It does, however, require more creativity than it would on a larger screen. 

Here are some best practices for obtaining valid consent on smartphone and tablet screens:

  • Layer the information by placing important details upfront and embedding links to the more granular details of your privacy practices. 
  • Provide a privacy dashboard (as outlined above). 
  • Use graphics that convey meaning, where possible. For instance, you could employ a GPS graphic to demonstrate when your app is accessing a user’s location data. 
  • Draw attention to important information using color.
  • Allow users to set a period of time for renewing consent.


Tip 5: Collect Data for a Legitimate Business Purpose. 

It’s best to limit the collection of information to what is needed to carry out a legitimate purpose. This aligns with the requirements of the GDPR, Apple’s App Store, and consumer expectations (amongst other things). It also makes your app more appealing to consumers. The FTC suggests consumers should consider deleting apps that request lots of permissions, including contacts, camera, storage, location, and microphone (and outlines how to find this information). With this in mind, requesting access only to the data that is absolutely necessary makes sense from both the compliance and customer satisfaction perspectives.


If you need assistance navigating privacy compliance and best practices, reach out. We’re here to help! 

Disclaimer

The materials available at this website are for informational purposes only and not for the purpose of providing legal advice. You should contact your attorney to obtain advice with respect to any particular issue or problem. Use of and access to this website or any of the e-mail links contained within the site do not create an attorney-client relationship between CGL and the user or browser. The opinions expressed at or through this site are the opinions of the individual author and may not reflect the opinions of the firm or any individual attorney.
