GDPR Compliance for Apps

The General Data Protection Regulation (GDPR) is an important and globally-influential data and privacy law from the European Union. The GDPR applies to mobile apps that collect and process personal data of EU citizens. It doesn't matter if your app is operated from outside of the EU. The GDPR will still apply.

The purpose of the GDPR is to provide improved privacy protection and control for EU citizens. It is designed to give individuals control of their personal data and to improve how businesses manage personal consumer data.

Under the GDPR, businesses that conduct transactions in the EU, including mobile apps, will be required to comply with the new data privacy rules. Failure to comply with this legislation could result in costly fines.

If you are an app developer or own a mobile app, this article will help you implement GDPR-compliant Privacy Policies and procedures.

GDPR Overview

The GDPR is an EU legislation that gives individuals certain rights regarding their personal information. It was announced in 2016 with a two-year transition period to provide time to comply.

Any mobile app that collects or processes the data of EU citizens falls under the jurisdiction of this regulation.

Regardless of where your business is based, if you have users from the EU, you should begin taking steps to comply with the GDPR.

The GDPR contains 99 articles with many new privacy requirements, including:

• Explicit consent from mobile app users before collecting their personal information
• Data protection by design and by default
• User access to data
• Right to data portability
• Right to be forgotten
• Strict implementation of the rules
• Right to know when one's data has been breached

To ensure compliance with the new GDPR rules, mobile app owners need an app-specific approach to secure data moving to and from mobile devices, as well as several built-in controls for users to control their data.

Make sure to become familiar with Privacy by Design concepts and incorporate them into your GDPR compliance plan.

Key Elements of the GDPR and How to Comply

The GDPR attempts to harmonize a patchwork of differing data privacy laws across Europe. It imposes of a broad set of data collection and handling requirements for companies doing business in the EU.

The implications of the regulation extend to the security of mobile device applications. Mobile app owners must ensure GDPR compliance within their mobile applications, such as when processing financial transactions, collecting email addresses at account sign-up and transmitting data to other apps.

Conduct a privacy law self-audit on your mobile app so you know exactly what privacy practices your business engages in and what information you need to disclose to your users to stay compliant.

Following is a summary of key elements that help explain how mobile applications will be impacted by this new data privacy legislation.

Acquire Informed Consent and Provide Opt Out

One of the most important requirements of the GDPR is to acquire active, informed consent from your app users before collecting or processing their personal information.

Up to now, many apps would assume that a user's decision to proceed with app registration and use was equivalent to having the user's consent to collect data. This is no longer the case.

The GDPR requires apps to acquire the user's active and informed consent before any personal data is collected.

Here's a look at Recital 42:

In order to comply with this requirement, your app must provide users with certain disclosures about the information you collect, as well as a checkbox, button or other means for users to actively click and confirm their consent for you to collect their data.

You cannot pre-tick a consent checkbox or button, or assume that continued use of your app meets the GDPR's requirement of acquiring active consent.

Below is a screenshot from Amazon Prime Video which illustrates a non-compliant method for collecting implied consent. Not only is the assumption that the user's use of the app qualifies as consent, but the statement it also is difficult to read.

In this example, no option to actively opt in or refuse Amazon's data collection procedures is provided. Instead, the app assumes that by clicking the Continue button to complete sign-up, the user is providing consent to collect personal data.

By contrast, here's how Slice gets consent at sign-up by making users check a box that states they agree to the Slice Terms of Service and Privacy Policy. This statement and checkbox are located between the enter email field and the sign-up button, so it would be nearly impossible for a user to overlook it.

Note how this contrasts to the example from Amazon where the text is at the very bottom and easily missed.

The Privacy Policy is linked so users can check it out and see exactly what they're consenting to when it comes to their personal information and privacy.

Here's how the Waze app presents users with a breakdown of why Waze uses personal data along with some specific examples of what types of data it uses. Users must click Agree to allow Waze to do so:

The GDPR takes consent requirements one step further. When asking for specific pieces of data, you need to provide individual (or "granular") options for obtaining consent. You should let users know the different purposes behind collecting each piece of data.

For example, in Sainsbury's mobile app signup screen, users' phone numbers are requested. With this request is an explanation of why the phone number is being requested. Nectar Card information is also requested with explanation, but noted as being optional.

The Terms and Conditions has its own separate "I Agree" checkbox to get user consent to be bound by the Terms.

Sainsbury's asks for permission to contact users and also provides a clear option for users to decline being contacted. With this permission request, Sainsbury's outlines methods it will use for contacting users (SMS, post, phone, etc.), as well as with what types of materials (coupons, exclusive offers, etc.).

Users are also told at this point that their information will never be sold to other companies for marketing purposes.

Once consent is granted, the GDPR requires apps to provide users with ongoing control of their information, including the right to revoke previously granted consent.

The Adobe PDF app includes a separate checkbox that users have to check to consent to being contacted via email.

Tasty, a mobile app owned by BuzzFeed, includes a clause in its Privacy Policy for allowing users to stop allowing the app to track location data even after consent has been given to allow tracking:

Let's take a look at the various rights the GDPR grants to users so you can ensure your mobile app is in compliance.

Rights of Individuals

In addition to giving individuals the right to control their consent to collect and process their data, the GDPR also gives mobile app users many additional rights to control your use of their data.

These rights need to be mentioned in your Privacy Policy to inform users of them.

Here's how Sainsbury's includes a link directly to "Your Rights" in its Privacy Policy, which is linked to its mobile app:

Let's take a look at each of the rights and how to present them in your mobile app.

The Right to Access Data

One of the rights users get under the GDPR is the right to access their data upon request, granted by Article 15.

If a user makes an information request under the GDPR, you need to honor that request and provide the user with the information shown in Article 15 above. You will have one month to fulfill the request, or two if the requested data is too complicated or too large to fulfill in 30 days.

See our article for guidance: How to Handle Privacy Access Requests Under the GDPR.

Note that the GDPR does allow you to charge a "reasonable fee based on administrative costs" where the request for data access is "manifestly unfounded or excessive." However, the general spirit of the regulation is to provide consumers control over the collection and use of their data for free or as close to free as possible.

To comply with these requirements, many apps include a clause in their Privacy Policy that explains how users can get a copy of their data or access it themselves.

Here's how Age UK does this:

Facebook goes a step further, providing users with a Download Your Information tool:

The Right of Restriction of Processing

The GDPR allows app users to restrict your use of their data. If an individual asks you to stop processing their data, you must comply immediately.

According to Article 18 of the GDPR, users have the right to restrict the processing of their personal data if they claim one of the following:

• That their data is inaccurate
• The processing is unlawful
• The business doesn't need the data for the original purpose stated
• The individual objects to the processing of their data

Here's an example from Sainsbury's of a clause you can include in your Privacy Policy regarding the right to restrict data processing:

The Right to Data Portability

In cases where data is processed with automated devices or machines, users have the right to what is called "data portability." This means that users who provide their data to your mobile app have the right to transmit it to another mobile app or business without any interference from your business.

The end user also can instruct you to transmit their personal information to a third party entity for any reason. Unless the request would be in violation of a law or court order, then you are obligated under the GDPR to comply with user requests to transmit their data.

The reasons users might choose to port their data to another app or instruct you to transmit their data to another entity are varied, from a desire to interact through your app with a social platform or forum, to sharing data with creditors, job sites, medical providers and so forth.

While it's not necessary to define every possible opportunity for your users to transmit data to another entity, it is required that you disclose this right to your users.

Here's how LinkedIn does it with a simple clause in its Privacy Policy:

The Right to Object

Article 21 of the GDPR gives users of your mobile app the right to request that you stop processing their data in the following circumstances:

• Processing based on a legitimate interest, performing a task or exercising official authority, or profiling
• Direct marketing
• Processing for historical or scientific research

According to the GDPR, you must let users know "at the point of first communication" as well as in your Privacy Policy that they have this right to object.

A way to let users know about their right to object at the point of first communication can be something like the following email sign-up form from Zettasphere.

Here, users are told at the point when their email addresses are collected that "all emails include an unsubscribe link" and that "you may opt-out at any time." The Privacy Policy is also linked.

The Privacy Policy includes similar information as is disclosed in the email subscription box.

In addition to allowing users the ability to revoke consent to ongoing processing of their data, you also must give them the right to refuse collection of their data in the first place.

The Right to Rectification

If mobile app users find their data to be inaccurate or incomplete, they have the right to change it or have it be changed according to Article 16 of the GDPR.

Most mobile apps allow users to change their personal data in real time from their devices.

For example, Chewy, a popular online pet supply store, lets users edit important personal data like payment methods on file directly within its mobile app.

You should provide a statement in your Privacy Policy about how a user can make necessary edits and updates, along with easy access to a User Settings or Account page within your mobile app.

Regardless of whether or not your app provides self-edit options for users, you'll still need to provide contact information so users can request you correct any inaccurate personal information for them.

Right to Be Informed

The GDPR also requires a principle of transparency in Recital 58. This means that it is the right of individuals to be informed about who is collecting their data and for what purpose. The information should be easily accessible and easily understood, and provided free of charge.

Your mobile app users must be provided with information (such as notices) that is concise, easily accessible, and in easy to understand language. In addition to this, it recommends using visual aids where necessary or helpful.

Additionally, if your mobile app collects and processes the personal data of children, you're required to post information about your use of that data that is in clear and plain language that a child can understand. Many apps include a clause in their Privacy Policy to explain efforts to protect minors.

Here is Facebook's Data Policy clause on Minors and safety:

Make sure your mobile app Privacy Policy is written in a way that is easy to understand and will actually inform your users about your privacy practices and their rights.

Right to Erasure

The GDPR gives mobile app users the right to erasure of their data, also referred to as "right to be forgotten."

Under the GDPR, mobile app users can request the erasure of their personal data without unnecessary delay if their personal data is no longer needed for the express purpose for which it was originally collected or processed.

Users also may withdraw their consent to use their data if they object to the processing of their data or find that their data is being unlawfully processed.

The best way to comply with this is to make sure your mobile app has a way for users to fully delete accounts, and make sure that you delete all of the user information if that occurs.

Remember: You should only be storing data for as long as is necessary for the purposes for which you collected the data. While this is up for interpretation, you'll need to set reasonable time limits or you may run into legal issues.

Data Protection Officer (DPO)

Under the GDPR, certain organizations will need to hire a Data Protection Officer (DPO) who will be responsible for ensuring proper compliance with the legislation.

You'll need a DPO if your organization:

• Is a public body or authority, including governments, universities, etc.,
• Regularly and systematically processes or monitors data from individuals in the EU, or
• Deals significantly with special categories of personal data or personal data relating to criminal convictions or offenses.

For example, an app associated with a government body will need DPO oversight. So will an app that deals with personal health data, such as medical records.

If your organization needs a DPO, the DPO will play a role in making sure your app is GDPR-compliant. Make sure to make the correct determination by learning more about DPO requirements and responsibilities.

Data Security

The GDPR requires data controllers and data processors to take appropriate measures to ensure the privacy and security of individuals. This includes the use of modern technologies like encryption.

Article 32 on Security of processing recommends "pseudonymisation" and encryption of mobile app users' personal data. App owners must ensure the ongoing confidentiality, integrity, availability, and resilience of their data processing systems.

In case of a physical or technical incident, the data processor must be able to restore the availability of the data in a timely manner so as to make it accessible again.

Also, it is the data processor's responsibility to test, assess, and evaluate the effectiveness of the measures your app takes to ensure the security of the data you process.

Mobile devices are vulnerable to hacking attacks. User data must be protected at all phases, including in the processing of the data as well as on the user's device.

Data Protection Impact Assessment

A Data Protection Impact Assessment (DPIA) is an assessment of the risks of a security breach occurring. You should conduct a DPIA for all of your apps, especially high-risk apps that hold user financial data and other sensitive personal data.

If any breach of user data or privacy occurs with your app, it is the responsibility of the data controller to immediately notify the user and the concerned authorities of any breach and its likely impact on the affected users.

You should conduct a DPIA and make sure you have a proper plan in place for how to handle a data breach on your app.

Next Steps

The first step in complying with the GDPR is to determine whether or not your mobile app collects and processes the personal information of EU citizens. If it does, the next step is to bring your Privacy Policy and internal procedures in line with the new legislation.

You will also need to ask for informed consent to collect and use personal data. This means using a "clickwrap" method for obtaining consent, such as an opt-in checkbox or button that is not pre-selected.

As a mobile app owner, you need to:

• Understand the privacy rights and protections the GDPR grants to EU citizens
• Understand and comply with GDPR data handling rules
• Ensure your data collection, management and sharing procedures follow the GDPR requirements
• Post an appropriate Privacy Policy to your mobile app(s)
• Use a checkbox, button, toggle or other opt-in method to collect active and informed user consent to process data before you do so