There are many different apps, starting from social media platforms, entertainment, and hobbies to navigation, banking apps, or specific apps for any niche of leisure time, sports, or business. These apps often collect much data about their users: geo-location data, personal information, interests, and habits, lists of social contacts, and others. This proliferation of apps has raised privacy concerns about users’ personal data. To address these concerns, governments around the world have implemented privacy laws that regulate how to deal with user data. In this article, we will cover privacy laws around the world, privacy issues, and legal requirements for apps.
Key Privacy Laws Around the World
Note that privacy laws apply to users based on their residence, regardless of where the company is based. For example, if the company that operates the app is registered in the USA and provides services to European residents, the app must meet EU privacy standards.
The United States does not have a common privacy law at a federal level. Currently, only these five US states have comprehensive data privacy laws: California (CCPA, effective Jan. 1, 2020), Virginia (VCDPA, effective Jan. 1, 2023), Colorado (CPA, effective July 1, 2023), Connecticut (CTDPA, effective July 1, 2023), and Utah (UCPA, effective Dec. 31, 2023).
The California Privacy Rights Act (CPRA), which went into effect on January 1, 2023, expands the CCPA requirements. Under the CPRA, websites will have to provide a link titled “Do Not Sell Or Share My Personal Information” and a link titled “Limit The Use Of My Sensitive Personal Information”.
In Canada, the Personal Information Protection and Electronic Documents Act (PIPEDA) regulates the management of the personal information of Canadian residents.
In Brazil, the General Personal Data Protection Act (LGPD) sets out the requirements for how entities must handle the personal information of Brazilian residents.
Mobile App Legal Requirements
When creating your app, you must make sure it complies with legal requirements. The key legal requirements are the following:
- Explain what personal information you collect. Personally identifiable information could be a name, username, password, identification number, location data, email, phone number, or other online identifier.
- Explain why you collect personal information. To collect user information, you need to have a legitimate interest.
- Disclose if you share or sell personal information. You should define if you share or sell personal data to third parties, and disclose the identity of these third parties.
- Describe the users’ rights. For example, under the GDPR, the users have the following rights:
  - The right to be informed.
  - The right to access.
  - The right to rectification.
  - The right to erasure.
  - The right to restrict processing.
  - The right to data portability.
  - The right to object.
  - The rights around automated decision-making and profiling.
- Disclose the identity of the company and provide contact information. Users should be able to reach you regarding their personal data collection and usage.
If the CCPA applies to you, you need to explicitly display the “Do Not Sell My Personal Information” link.
Adequate security measures must be implemented to protect user data from unauthorized access or data breaches, especially if you own an e-commerce app. To protect users’ data, use the following measures:
- Use Transport Layer Security (TLS). TLS encrypts the connection between the app and your servers, so data the app itself sends unencrypted cannot be read in transit by someone on the network.
- Use verification or authentication methods. Use phone verification to confirm that users are who they claim to be, and use tokens or other mobile-specific authentication methods.
- Refresh sessions more often. If you use access tokens, shorten their lifetime to a few minutes and add refresh tokens, so that a stolen access token is only usable for a short window.
- Include log-out requests. When a user logs out, invalidate the session’s tokens so they can no longer be used.
- Do not send too much information. Send only the personal data a request needs, or split the data across several requests.
- Regularly perform security audits.
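To show the token handling the list above describes (access tokens that expire after a few minutes, refresh tokens, and invalidation on log-out) in working code, here is an added Python example that is not from the original article. The signing key, lifetimes, and in-memory refresh-token store are constructed assumptions for the demo; a real deployment would keep the store in a database and load the key from a secret manager.

```python
import base64, binascii, hashlib, hmac, json, secrets, time

SECRET = b"constructed-demo-signing-key"  # constructed for the example; use a secret manager in real use
ACCESS_TTL = 5 * 60            # access tokens live a few minutes, as the text recommends
REFRESH_TTL = 7 * 24 * 3600    # refresh tokens live longer but are stored server-side so they can be revoked

class TokenService:
    """Issues short-lived signed access tokens plus revocable, single-use refresh tokens."""

    def __init__(self, now=time.time):
        self.now = now                 # injectable clock so expiry can be tested deterministically
        self._refresh_store = {}       # sha256(refresh token) -> (user, expiry); in-memory for the demo

    def _sign(self, payload: bytes) -> str:
        # HMAC-SHA256 over the claims; token format is base64url(payload).base64url(mac)
        mac = hmac.new(SECRET, payload, hashlib.sha256).digest()
        return (base64.urlsafe_b64encode(payload).decode() + "."
                + base64.urlsafe_b64encode(mac).decode())

    def issue(self, user: str):
        """Return (access_token, refresh_token) for a freshly authenticated user."""
        payload = json.dumps({"sub": user, "exp": int(self.now()) + ACCESS_TTL}).encode()
        refresh = secrets.token_urlsafe(32)
        key = hashlib.sha256(refresh.encode()).hexdigest()   # store only a hash of the refresh token
        self._refresh_store[key] = (user, self.now() + REFRESH_TTL)
        return self._sign(payload), refresh

    def verify_access(self, token: str):
        """Return the user for a valid, unexpired access token, else None."""
        try:
            p64, m64 = token.split(".")
            payload, mac = base64.urlsafe_b64decode(p64), base64.urlsafe_b64decode(m64)
        except (ValueError, binascii.Error):
            return None
        expected = hmac.new(SECRET, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(mac, expected):   # constant-time MAC check before trusting claims
            return None
        claims = json.loads(payload)
        return claims["sub"] if claims["exp"] > self.now() else None

    def refresh(self, refresh_token: str):
        """Rotate: the presented refresh token is consumed and a new token pair is issued."""
        entry = self._refresh_store.pop(hashlib.sha256(refresh_token.encode()).hexdigest(), None)
        if entry is None or entry[1] <= self.now():
            return None
        return self.issue(entry[0])

    def logout(self, refresh_token: str) -> None:
        """Log-out request: drop the refresh token so the session cannot be renewed."""
        self._refresh_store.pop(hashlib.sha256(refresh_token.encode()).hexdigest(), None)
```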
Fair Information Practice Principles (FIPPs)
Although not officially integrated into any privacy legislation, the FIPPs remain relevant today. It is recommended that apps follow the eight Fair Information Practice Principles:
- Collection Limitation Principle. Limit the collection of personal data to what is necessary. When data is collected, the data subject has to know about it and has to give consent.
- Data Quality Principle. Collected personal data should be relevant to the purpose for which they were collected and should be accurate and kept up-to-date.
- Purpose Specification Principle. The purposes for the collection of personal data should be specified prior to the collection of the data.
- Use Limitation Principle. Personal data should not be disclosed or processed for purposes other than those specified to the users prior to the collection of data.
- Security Principle. Personal data must be protected by adequate security means against data breaches, loss, or unauthorized access, destruction, use, modification, or disclosure of data.
- Individual Participation Principle. An individual should have the right to access, rectify, and erase data related to them.
- Accountability Principle. You should be accountable for complying with the principles stated above.
In the USA, if your business has 15 or more employees, the Americans with Disabilities Act (ADA) requires apps to be accessible to everyone, including users with visual or hearing impairments.
The Accessibility for Ontarians with Disabilities Act (AODA) sets out a process for enforcing accessibility standards in Canada. AODA requires all public sector organizations and nonprofit and private organizations with more than 50 employees to comply with the regulation.
In Europe, the EU Web Accessibility Directive requires public sector organizations in the EU to make their mobile apps operable, understandable, and perceivable for people with visual or hearing disabilities.
You can make your app accessible in these ways:
- Use larger fonts.
- Use clear contrast between backgrounds and fonts.
- Provide web reading tools.
- Provide transcripts.
- Describe images.
Intellectual Property Rights and Trademarks
Your app could have registered trademarks, such as your branding or logos, or copyrights for your design, graphics, or images. To prevent others from stealing your content, you could:
- Place watermarks on images. This tells others who owns the images.
- Include copyright notices.
- Add a Digital Millennium Copyright Act (DMCA) badge to your app, which is free. If someone copies your content, a DMCA takedown notice helps you get it removed.
Frequently Asked Questions
What are the main privacy laws for apps?
In the European Economic Area, the GDPR and the EU cookie law set forth requirements for apps that collect or process users’ personal data. In the USA, there is no common privacy law at a federal level. Currently, these five US states have comprehensive data privacy laws: California (CCPA), Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), and Utah (UCPA). In Canada, there is PIPEDA; in Brazil, LGPD; in Turkey, KVKK; in South Africa, POPIA; in Saudi Arabia, SAPDPL; and others.
What are the legal requirements for mobile apps?