As an app developer located in the European Union or Switzerland, publishing your app on the Apple App Store or Google Play Store requires compliance with specific privacy rules. This blog post clarifies the elements developers need to have in mind, giving you clear steps to help you avoid legal pitfalls and ensure a smooth launch.
Understanding Basic GDPR and FADP Requirements for App Developers
Firstly, it is important to understand the key legal requirements that app developers must adhere to. These are included in the European Union’s General Data Protection Regulation (“GDPR”) and in the Swiss Federal Act on Data Protection (“FADP”) and can be divided into the following priorities: data minimization, informing data subjects and appropriate security measures.
The first principle to have in mind is to collect only necessary personal data for your app’s functionality. This means that you need to:
- Establish data retention periods;
- Delete data when it is no longer needed;
- If additional personal data is collected and the GDPR is applicable, app developers need to obtain the consent from users, which must be informed, unambiguous, specific and freely given, prior to the data processing taking place.
This need for consent can happen for example if your app has access to the user’s contacts or photos on their phone, or collects sensitive data such as health related information when that is not needed for the app to function properly. A good rule of thumb is that if the app works as it is expected to without that data, you will likely need a valid consent from the user.
Lastly, implement technical safeguards like encryption to ensure data confidentiality during transmission and storage. Some of the most important measures are:
- Access controls to limit who can access the data;
- Regular update of security protocols;
- Risk assessments to identify and mitigate vulnerabilities, if your activities have the potential to create risks for users’ fundamental rights;
- Human resources training to follow best security practices.
Apple and Google’s Privacy Rules for App Developers
Besides these basic privacy requirements, Apple and Google enforce specific privacy rules for apps published in their platforms. Having a clear understanding of these will allow you to make the publishing process smoother and quicker.
Firstly, Apple and Google also prioritize transparency. Thus, they require app developers to:
- Inform users about the types of personal data collected, such as names, email addresses, or location information, as well as the purpose of and description of the processing activities, including storage and the applicable legal basis;
- Detail any third-party access to user data, such as analytics providers, advertising networks, or cloud storage services.
If data is shared with third-parties, it is important to specify the reasons for sharing, like improving app performance or delivering targeted ads. Ensure third parties have appropriate security measures in place and comply with relevant privacy laws, especially if they are located outside of the EU/Switzerland.
Secondly, Apple and Google focus on empowering users regarding their privacy. For that reason, you must give users the possibility to consent or refuse the processing of non-essential data, such as personalized advertising or analytics.
This possibility must be given prior to any data processing taking place, as well as afterwards, allowing the user to change his or her preferences in an accessible way. Provide clear instructions on how to opt-out, either through in-app settings or external links. Make sure users can still use the app without being penalized for opting out.
Thirdly, these platforms also ensure you implement strong security protections. They require you to inform users of the security measures you employ to protect user data, like encryption, access controls, and secure data storage.
Lastly, if you target specific vulnerable groups, you need to tailor your approach accordingly.
Apps targeting children or other vulnerable users must comply with additional regulations, such as the Google Play’s Families Policy. Especially in the case of children, you need to:
- Obtain verifiable parental consent before collecting children’s data, and limit data collection to the minimum necessary;
- Adopt measures to verify the age of your app’s users. This can be done differently either by a self-declaration of one’s date of birth – which is, nevertheless, easy to bypass – to more complex age verification methods, such as biometrics to analyse facial features and vouching systems to ask age confirmation from third parties.
It is important for app developers to be aware that infringing these store policies may result in app deletion, account termination, or legal action. Non-compliance can also damage your brand’s reputation and user trust, so it is important to uphold platform rules to maintain your app’s success.
With these requirements in mind, there are actions that are important for app developers to take to be compliant with both legal regulations and platform-specific rules.
- Information about data collection, usage and sharing;
- If the GDPR is applicable, explain the legal basis for processing, and if needed, specify special provisions for targeted audiences;
- Ensure that when consent is needed that it is given appropriately before the data processing takes place and that users can freely opt-out of non-essential data processing at any time;
It must also be easily found by users after the download within the app (e.g. within its menu). Ensure the policy is accessible at all times, and users can easily review and modify their preferences.
- Implement robust data security measures, including encryption and access controls.
- When processing non-essential data, ensure explicit, informed, freely-given and unambiguous consent and allow users to opt-out of non-essential data processing activities.
- Manage third-party access and third-country transfers responsibly and ensure their compliance with privacy laws.
- Adapt your app to specific targeted audiences (such as children) and comply with additional regulations.