Navigating Data Privacy Regulations for Mobile Apps: What Brands Need to Know
By Andra Robinson
June 13, 2024
Andra Robinson is Vice President of Legal and Associate General Counsel for Airship, the mobile app experience company. She is licensed to practice in California and holds a Certified Information Privacy Professional certification.
This story originally appeared on Today's General Counsel.
We’re in a new era for data privacy, where consumers are informed and pushing back on companies tracking their every move. In response, government enforcement agencies worldwide have expanded their attention to mobile apps. It’s critical that companies shape their practices and policies to reflect these new data privacy regulations for mobile apps.
A number of states across the United States are racing to enact new consumer data privacy laws to fill the void left by the absence of comprehensive federal legislation. At the federal level, the American Privacy Rights Act (APRA) is undergoing review in Congress.
Meanwhile, the Federal Trade Commission (FTC) has been increasingly focused on mobile app enforcement, particularly for health apps and those that collect sensitive information like geolocation. Ovulation tracking app Premom faces a proposed order in which the company would be “barred from sharing users’ personal health data with third parties for advertising, required to obtain users’ consent before sharing health data for any other purpose, and must tell consumers how their personal data will be used.”
More recently, the FTC completed an enforcement agreement against X-Mode Social over its use of SDKs (software development kits) to collect precise geolocation data from app users. The FTC indicated concerns about the ability to pinpoint a user’s location on a map and tie it to sensitive locations. It also called out X-Mode’s disregard for users’ requests to opt out of personalized ads, as the company continued to share those users’ Mobile Advertiser IDs with marketers.
Data Privacy Concerns in Europe
In the European Union, the activist group None of Your Business (NOYB) filed a series of complaints in September 2023 against mobile apps for sharing personal data with third parties without user consent.
Last year, the French Data Protection Authority (known as CNIL) announced mobile app and data privacy compliance as a priority for 2023. CNIL is expected to release recommendations for the mobile app ecosystem in the coming months. Draft recommendations for mobile apps include: defining collection parameters, applying data-privacy-by-design and privacy-by-default, managing consent and rights, and aligning with security best practices and recommendations. It’s also expected that CNIL will focus on holding mobile app developers accountable for the security of their apps and of the vendors, such as SDK providers, they work with.
With an increasing global focus on mobile app privacy issues, there are several steps brands can take now to ensure regulatory compliance:
- Understand what SDKs are in the mobile app, what they collect and for what purpose; regularly review SDK vendors and their security standards.
- Honor all requests from users regarding the use of personal data and ensure a method for opt-out requests is provided for California compliance. In the EU, get consent prior to SDK activation on the user’s device.
- Have clear privacy policies in place that describe how the mobile app uses data, including the use of data from third-party SDKs.
- Obtain clear consent for any data shared with third-party SDKs and ensure it fits within the parameters of customer relationships, and the purposes for which the data is collected.
- Review practices for sharing data with advertisers and get user consent for sharing.
- Embed clear consent practices in the tech stack, including rights to opt out or opt in (as required by local regulatory standards) as well as have user data deleted at any time.
All too often, privacy conversations come at the end of a sales cycle or as an afterthought to development and implementation. Data privacy is no longer just an IT or legal concern. Every department should be involved in developing a comprehensive data governance strategy that better aligns product vision, customer use cases and the competitive advantage that can be gleaned from data collected and protected in the right ways.
Enforcement penalties and reputational risks make it clear businesses need to put privacy conversations at the forefront of their mobile efforts as they navigate new data privacy regulations for mobile apps. Even more importantly, brands should strive to build digital consumer trust. The most successful brands will embrace privacy and take it on as an act of stewardship. Their customers will not only appreciate it, they’ll reward them for it.