Data protection and GDPR for app developers | LEXR

As an app developer located in the European Union or Switzerland, publishing your app on the Apple App Store or Google Play Store requires compliance with specific privacy rules. This blog post clarifies the elements developers need to have in mind, giving you clear steps to help you avoid legal pitfalls and ensure a smooth launch.

Understanding Basic GDPR and FADP Requirements for App Developers

Firstly, it is important to understand the key legal requirements that app developers must adhere to. These are included in the European Union’s General Data Protection Regulation (“GDPR”) and in the Swiss Federal Act on Data Protection (“FADP”) and can be divided into the following priorities: data minimization, informing data subjects and appropriate security measures.

The first principle to have in mind is to collect only necessary personal data for your app’s functionality. This means that you need to:

Establish data retention periods;
Delete data when it is no longer needed;
If additional personal data is collected and the GDPR is applicable, app developers need to obtain the consent from users, which must be informed, unambiguous, specific and freely given, prior to the data processing taking place.

This need for consent can happen for example if your app has access to the user’s contacts or photos on their phone, or collects sensitive data such as health related information when that is not needed for the app to function properly. A good rule of thumb is that if the app works as it is expected to without that data, you will likely need a valid consent from the user.

Secondly, transparency is key. You need to inform data subjects about the personal data you collect, its purpose, third-country transfers and their rights, through a privacy policy. If the GDPR is applicable, you also need to inform about the legal basis for processing.

Lastly, implement technical safeguards like encryption to ensure data confidentiality during transmission and storage. Some of the most important measures are:

Access controls to limit who can access the data;
Regular update of security protocols;
Risk assessments to identify and mitigate vulnerabilities, if your activities have the potential to create risks for users’ fundamental rights;
Human resources training to follow best security practices.

Apple and Google’s Privacy Rules for App Developers

Besides these basic privacy requirements, Apple and Google enforce specific privacy rules for apps published in their platforms. Having a clear understanding of these will allow you to make the publishing process smoother and quicker.

Firstly, Apple and Google also prioritize transparency. Thus, they require app developers to:

Inform users about the types of personal data collected, such as names, email addresses, or location information, as well as the purpose of and description of the processing activities, including storage and the applicable legal basis;
Detail any third-party access to user data, such as analytics providers, advertising networks, or cloud storage services.

If data is shared with third-parties, it is important to specify the reasons for sharing, like improving app performance or delivering targeted ads. Ensure third parties have appropriate security measures in place and comply with relevant privacy laws, especially if they are located outside of the EU/Switzerland.

Secondly, Apple and Google focus on empowering users regarding their privacy. For that reason, you must give users the possibility to consent or refuse the processing of non-essential data, such as personalized advertising or analytics.

This possibility must be given prior to any data processing taking place, as well as afterwards, allowing the user to change his or her preferences in an accessible way. Provide clear instructions on how to opt-out, either through in-app settings or external links. Make sure users can still use the app without being penalized for opting out.

Thirdly, these platforms also ensure you implement strong security protections. They require you to inform users of the security measures you employ to protect user data, like encryption, access controls, and secure data storage.

Lastly, if you target specific vulnerable groups, you need to tailor your approach accordingly.

Apps targeting children or other vulnerable users must comply with additional regulations, such as the Google Play’s Families Policy. Especially in the case of children, you need to:

Obtain verifiable parental consent before collecting children’s data, and limit data collection to the minimum necessary;
Adopt measures to verify the age of your app’s users. This can be done differently either by a self-declaration of one’s date of birth – which is, nevertheless, easy to bypass – to more complex age verification methods, such as biometrics to analyse facial features and vouching systems to ask age confirmation from third parties.

It is important for app developers to be aware that infringing these store policies may result in app deletion, account termination, or legal action. Non-compliance can also damage your brand’s reputation and user trust, so it is important to uphold platform rules to maintain your app’s success.

Making your Privacy Policy Compliant with Applicable Privacy Laws and Rules

With these requirements in mind, there are actions that are important for app developers to take to be compliant with both legal regulations and platform-specific rules.

The most important step to take is to tailor your privacy policy to your app. Your app’s privacy policy must address its unique data processing activities and not simply mirror your website’s policy. An app may have access to device functions (e.g. location, camera, contacts) and do other data processing activities that are not used in a website-context.

For this reason, these are the most important elements to pay attention to when drafting your privacy policy:

Information about data collection, usage and sharing;
If the GDPR is applicable, explain the legal basis for processing, and if needed, specify special provisions for targeted audiences;
Ensure that when consent is needed that it is given appropriately before the data processing takes place and that users can freely opt-out of non-essential data processing at any time;
Bear in mind that the GDPR and the FADP impose further obligations than those asked by Apple and Google. These include the definition of data retention periods and informing users of the rights they have in regard to their data. Include these requirements in your privacy policy and ensure your app complies with them, even if this information is not asked by the app store when you publish it.

After completing your privacy policy, make sure it is easily accessible. The privacy policy must be available before data processing occurs. This means it should be provided to the user in your app’s page in the store. If you provide the app on your own website, you can notify the user of the privacy policy before the download, namely through a pop-up notification.

It must also be easily found by users after the download within the app (e.g. within its menu). Ensure the policy is accessible at all times, and users can easily review and modify their preferences.

Additionally, ensure it is written in plain language. The privacy policy should be written in simple, understandable language, avoiding technical jargon or legal terms. Use clear headings and bullet points to organize information and make it easy for users to grasp the implications of your data processing activities. Take into account the limited legibility of documents on the smaller screens of the devices they are usually installed on.

Conclusion

To successfully publish your app on the App Store or Google Play Store, comply with GDPR and FADP standards, follow Apple and Google’s privacy rules, and create an easily accessible, user-friendly app privacy policy. By addressing these crucial points, you’ll be well on your way to a smooth app launch:

Implement robust data security measures, including encryption and access controls.
When processing non-essential data, ensure explicit, informed, freely-given and unambiguous consent and allow users to opt-out of non-essential data processing activities.
Create an app-specific privacy policy addressing all privacy and platform requirements.
Ensure users have access to your privacy policy before they download your app and make your privacy policy easily accessible in the app menu, the app store page and on your website.
Manage third-party access and third-country transfers responsibly and ensure their compliance with privacy laws.
Adapt your app to specific targeted audiences (such as children) and comply with additional regulations.

Data Protection

Navigating Privacy Rules for App Developers: App Store Compliance and Privacy Requirements

Understanding Basic GDPR and FADP Requirements for App Developers

Apple and Google’s Privacy Rules for App Developers

Making your Privacy Policy Compliant with Applicable Privacy Laws and Rules

Conclusion

Related

Data Processing Agreement I: Determine whether you are a Controller or a Processor

Data Processing Agreements: Navigating the Essentials for Data Protection Compliance (Part 2)

KYC for FinTech companies: Data protection guide part 2 – Follow the data

The new Swiss Data Protection Act comes into force: What tech companies need to do now

The Internet of Things in the GDPR era

Pseudonymisation versus anonymisation: a practical privacy guide

KYC for FinTech companies: Data protection guide part 3 – Manage the data

Confidential Computing and GDPR

GDPR in Switzerland – What it means for businesses

GDPR impact on AdTech and Real-Time Bidding (RTB)

KYC for FinTech companies – Guide to a data protection compliant implementation

How to handle data breaches – a privacy best practice guide

Let’s Go!