The UK ICO (the data protection regulator) has reminded app developers to prioritise privacy. Apps collect a wide range of personal data, and focusing on data privacy is vital. With the ever-increasing reliance on mobile applications in daily life, developers should consider data privacy as a priority.
Our data protection experts explore the ICO’s guidance and some of the key issues for app developers in this article.
ICO reminds app developers to prioritise privacy
The ICO recently investigated period- and fertility-tracking apps, delving into how they process personal data and assessing the potential adverse effects on users. In its guidance, the ICO emphasised the importance of prioritising privacy:
‘Signing up to an app often involves handing over large amounts of personal information, especially with apps that support our health and wellbeing. Users deserve peace of mind that their data is secure, and they are only expected to share information that is necessary. When we announced we were looking into period and fertility apps, we received a helpful response from users who were able to share their experiences with us. We want to reassure users that we haven’t found any evidence these apps are using their data in a way that could cause them harm. However, our review has highlighted there are improvements app developers could make to ensure they are meeting all their obligations to be transparent with their users and keep their data safe.’ - Emily Keaney, ICO’s Deputy Commissioner of Regulatory Policy.
What are the key privacy considerations for app developers?
In a technology-driven world filled with mobile apps, developers have access to huge amounts of personal data every day. With this comes a range of obligations under the UK General Data Protection Regulation (UK GDPR), which sets out stringent rules that app developers must follow when processing the personal data of users collected via their apps.
Apps across various categories, such as social media, news, fitness, and those through which goods or services can be purchased, collect a wide range of personal data from their users. This data may include:
- Basic personal information: Names, email addresses, phone numbers, and birthdates.
- Financial data: Bank account details, credit and debit card information, and transaction history.
- Location data: GPS coordinates, IP addresses, and other location-based information.
- Technical data: Device information, browser type, operating system, and unique device identifiers.
- Usage data: App interactions, preferences, and behaviour patterns.
Much of this data is collected through cookies and other tracking technologies deployed on users' devices, allowing apps to gather valuable insights into user behaviour and preferences.
App developers must be transparent about the types of data they collect (including via privacy policies), obtain necessary consents, and implement appropriate security measures to protect users' personal information.
The UK Information Commissioner’s Office (ICO) urges all app developers to embed privacy considerations into the design process itself (so-called ‘privacy by design’), rather than treating privacy as an afterthought. This proactive approach ensures that privacy is upheld as a primary right from the inception of an app and all the way through the development process.
How can app developers comply with data privacy obligations?
Compliance with data protection laws is mandatory: developers must first familiarise themselves with the relevant data protection rules and then ensure that they comply with them. Developers need to integrate appropriate practices into the initial development phase and throughout the entire life cycle of the app, including subsequent version releases. By doing so, developers will not only comply with their legal obligations, but also build trust with their users. Privacy is not just a legal obligation but also a key factor in maintaining user confidence and loyalty in our digital age.
If you are developing a new app that relies on user registrations or otherwise collects personal data, it is crucial to consider privacy and data protection from the outset. The ICO has provided key questions that you and your app development team should address during the design phase to ensure compliance with data protection laws:
- Do you offer a comprehensive privacy policy? Apps must display a clear and comprehensive privacy policy detailing how personal data is collected, processed, and stored. The privacy policy should be easily accessible to users and written in plain language. Getting your policy right can be particularly challenging for certain apps, such as those aimed at children. Privacy policies must be fully UK GDPR compliant, and this often requires a range of details to be disclosed to users. Our article ‘Privacy policies for iOS apps’ looks at what you need to consider when submitting new apps or app updates to Apple’s App Store.
- Have you considered your lawful basis for processing? Developers must consider and document a valid lawful basis for processing user data, which could be consent, contractual necessity, legal obligation, vital interests, public task, or legitimate interests. Each processing activity must be justified under one of these lawful bases.
- Do you have an appropriate consent mechanism? App developers must implement robust mechanisms for obtaining user consent before collecting or processing personal data where consent is the lawful basis for the collection and processing of that personal data. Consent should be freely given, specific, informed, and unambiguous, and users must be able to withdraw consent at any time.
- How will you minimise personal data? Apps should collect only the personal data necessary for their intended purpose and not collect excessive or irrelevant personal data. Adopting a data minimisation approach not only ensures that you comply with your legal obligations, but also helps to mitigate privacy risks and enhances user trust.
- Do you have appropriate data security measures in place? Implementing strong security measures is crucial to safeguarding personal data against unauthorised access, disclosure, alteration, or destruction. For instance, measures such as encryption, access controls, and regular security assessments may be essential components of your security strategy, particularly given the high volumes of data apps hold.
- Have you published a cookie policy? In addition to the UK GDPR rules, compliance with the Privacy and Electronic Communications Regulations is vital. Mobile apps commonly use cookies, requiring informed consent from users. Apps must provide transparent information about cookies and how users can control them. Before installing the app, users must have access to a cookie policy explaining the types of cookies used and choices allowing them to manage preferences, as well as a compliant consent mechanism.
Why does privacy law compliance matter for app developers?
Compliance with UK GDPR is not merely a legal obligation for app developers. It is a fundamental practice for fostering trust, transparency, and accountability with users. By prioritising user privacy and adhering to best practices, app developers can demonstrate their commitment to compliance with data protection laws while delivering responsible and user-friendly app experiences.
As the ICO continues to focus on app data collection and privacy issues, app developers must remain vigilant and proactive in their compliance efforts. The ICO's commitment to publishing more guidance for app users underscores the high priority placed on protecting user privacy in the mobile app space. App developers should closely monitor these developments and seek guidance from data privacy legal experts if they need it to ensure that their practices align with the latest regulatory expectations set by the ICO.