Privacy is a sensitive subject, as we all know. There are different privacy laws in different countries – GDPR, CCPA, LGPD, and EPrivacy regulations are some of the most well-known. In terms of mobile consent collection, some regulations are stricter than others.
Globally, data privacy has increasingly become a top priority for many countries and regions due to an increasing reliance on digital products and services. Businesses are expected to comply with robust and enforceable data privacy regulations in many regions as a result. Noncompliance with these regulations can not only have serious financial consequences but also have long-lasting and significant effects on public trust and your organization’s reputation.
This article discusses mobile consent and various privacy regulations, including how to remain compliant.
GENERAL LEGAL REQUIREMENTS
Your privacy information must be up to date, clear, and easily available throughout the website or app. The required components may vary with the type of processing activity, the region, the age of your users, or the type of business. In addition to the fundamental requirements listed below, you may therefore have further obligations under the law that applies to you.
As a general rule, users must be informed of:
- Website/app owner details
- Your notification process for policy changes
- What data is being collected
- Who the third parties are and what data they collect
- Their rights regarding their data.
Depending on the applicable law, you may have to make other disclosures to users, other parties, and the supervisory authority.
The California Consumer Privacy Act (CCPA) is one such statute. In particular, the CCPA requires that users be warned of the risk of their data being sold (read “sold” here as “shared with third parties for any profit, monetary or otherwise”). The disclosure must be accessible from the site’s homepage and include an opt-out (“Do Not Sell My Personal Information”, DNSMPI) link.
Consent in this context refers to an individual’s informed and voluntary agreement to take part in a specific activity or process.
In general, users must be able to give, decline, or withdraw consent (depending on regional law). Consent can be obtained using any mechanism that requires the user to take a verifiable, direct action, such as checkboxes, text fields, toggle buttons, a confirmation email, and so on. Before consenting, users should be aware of:
- App owner information;
- Your policy change notice procedure;
- What information is being gathered;
- Who the third parties are and the types of data they gather;
- The rights they have over their data.
Deciding your law of reference
The laws of a particular region apply only if:
- You base your operations there; or
- You use regional processing services or servers; or
- Your service targets users from that region
This means that regional regulations may apply to you and/or your business whether or not you are based in that region. As a result, it is always a good idea to approach your data processing activities with the most stringent applicable regulations in mind.
There is no single comprehensive national body of data privacy rules in the United States; instead, there are many state laws, industry recommendations, and specific federal statutes in effect. Because online site/app activity is rarely limited to a single state, it is always advisable to follow the most stringent legislation. With this in mind, the state of California has created the most rigorous data privacy law framework. The California Online Privacy Protection Act (CalOPPA), enacted in 2004, was the first state law to make privacy policies mandatory, and it applies to any person or organisation whose website or app collects personal information from California residents.
In addition to the standard disclosures outlined above, CalOPPA requires you to:
- Notify affected users when there are security breaches that affect their data.
In terms of consent, US law generally demands that you provide users with a clear way to withdraw consent (opt-out). However, stricter rules apply in circumstances involving “sensitive data” (e.g., health details, credit reports, student records, personal information of children under the age of 13). In such circumstances, a verifiable opt-in action, such as checking a box or taking another affirmative action, is needed.
What happens if you don’t follow CCPA?
For intentional violations, app publishing companies can face a penalty of up to $7,500; for unintentional violations, they can face up to $2,500 if the violation is not resolved within 30 days of being given notice of it.
Special Care Regarding Children
If your service collects, uses, or discloses personal information from children under the age of 13, specific rules apply to those data processing activities.
The Children’s Online Privacy Protection Act (COPPA) is a federal law in the United States that was enacted to better protect the personal data and rights of children under the age of 13.
If you run a website or online service aimed at children under the age of 13, or if you have actual knowledge that you are collecting personal information from children under the age of 13, you must notify parents and obtain their verifiable consent before collecting, using, or disclosing the information, and you must keep the information collected secure.
“Verifiable” means using a method of obtaining consent that is difficult for a child to fake and is demonstrably likely to be provided by an adult (e.g., a parent’s government-issued ID).
What exactly is “personal information” about children?
As per the COPPA Law, “personal information” refers to the child’s:
- Name, ID information (e.g., social security number)
- Location (physical address, geolocation data or IP address)
- Contact Details (phone numbers and email addresses)
- Device identifiers
- Media having any kind of child’s data (e.g., image, voice, videos)
So, technically, the European Union (EU) is not a single country. But, given that the General Data Protection Regulation (GDPR) is regarded as the gold standard when it comes to data protection legislation, and given that it applies to every country in the EU, it is difficult not to put it at the top of our list. Basically, the GDPR specifies how personal data must be lawfully processed (how it is collected, used, protected, or otherwise handled).
When it comes to consent, the GDPR is stricter than US standards. Consent must be “explicit and freely provided” under the GDPR. This means that the technique for obtaining consent must be straightforward and require a clear “opt-in” action (pre-ticked boxes and similar “opt-out” procedures are expressly prohibited by the rule).
Records of consent should contain at least the following information:
- The identity of the user giving consent;
- When they consented;
- What disclosures were made to them at the time they consented;
- The method used to obtain the user’s consent (e.g., newsletter form, during checkout, etc.);
- Whether they have since withdrawn the consent.
What happens if you don’t follow GDPR?
Noncompliance and data breaches under the GDPR can result in fines of up to 20 million euros or 4% of the infringing company’s annual global turnover, whichever is higher.
Special Care Regarding Children
Consent is one of the legitimate bases for processing children’s data under the EU GDPR. If you use this ground to process the data of children under the age of 13, you must obtain verified consent from a parent or guardian, unless the service you provide is preventative or counselling. You must take reasonable measures (using available technology) to verify that the person giving consent is the child’s legal guardian. Furthermore, if you intend to target children over the age of 13, you must provide them with clear and age-appropriate privacy notices so that they understand what they are agreeing to.
EPRIVACY DIRECTIVE (COOKIE LAW)
Because using cookies involves both the processing of user data and the installation of files that can be used for tracking, cookies are a key concern for the privacy of user data. To address this concern, the EPrivacy Directive (or Cookie Law) was enacted.
Organizations that target EU users must inform them about data collection operations and give them the choice of whether or not their data is collected. This means that if your site/app (or any third-party service used by your site/app) uses cookies, you must obtain valid consent before installing those cookies, unless they fall into the category of exempt cookies.
Under these laws, you will need to:
- Show a simple and visible cookie banner on the user’s first access;
- Block all non-exempt cookies before obtaining user consent (and release them only after informed consent has been given);
- Clearly show the kinds of cookies installed (e.g., statistical, advertising, etc.);
- Describe in detail the purpose of each cookie;
- Identify all third parties that install or may install cookies, with a link to their individual policies and any opt-out forms (where available);
- Make this information available in all languages in which the service is offered.
Show a cookie banner at the user’s first visit
As required by the law, a cookie banner must:
- Inform users about any cookies used by your app;
- Obtain the user’s permission before running the cookies (and clearly specify which action counts as consent);
- Be visible enough to draw attention to itself.
Block non-exempt cookies before obtaining user consent
Because informed opt-in (prior consent) is required under the GDPR and the EPrivacy Directive (Cookie Law), you must have a mechanism in place that blocks non-exempt cookies until the user has given consent through an affirmative action, such as clicking an “Accept” button. Except for exempt cookies, no cookies may be installed prior to consent.
Furthermore, if you monetize your app or its content with third-party ads, you should consider meeting industry standards. Failure to do so may result in restricted ad network access and, as a result, a reduction in ad revenue.
Exemptions to the consent requirement
Some cookies are exempt from the consent requirement and hence are not subject to preventive blocking (but you must still inform users about your cookie use). The exemptions are:
- Technical cookies that are strictly required for the service to be provided, such as preference cookies, session cookies, and load-balancing cookies.
- Statistical cookies that are maintained directly by you (rather than by third parties), as long as the data is not used for profiling. *
- Third-party statistics cookies that are anonymized (e.g., Google Analytics). *
* This exemption might not apply in all regions and is governed by the specific local regulations.
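The two mechanisms the article asks for, a consent record with the fields listed above and a gate that holds back non-exempt cookies until an affirmative opt-in, can be combined in a small client-side consent manager. The following is an added example written for this article; it is not code from the original page or from Swing2App. The cookie names, categories, provider names and record fields are assumptions modelled on the text, and the exemption categories marked with an asterisk above are treated as exempt here, which may not be correct for every region.

```javascript
// Added example for this article (not code from the page or from Swing2App).
// Cookie names, categories and providers below are constructed assumptions.

// Categories the article lists as exempt from prior consent. The two
// statistics categories carry the article's regional caveat (*).
const EXEMPT_CATEGORIES = new Set([
  "technical",              // strictly required: session, preferences, load balancing
  "first-party-statistics", // run by you, no profiling (*)
  "anonymized-statistics",  // third-party but anonymized (*)
]);

// Constructed cookie inventory, as a site operator would declare it.
const COOKIE_INVENTORY = {
  session_id:  { category: "technical",              provider: "first-party" },
  ui_lang:     { category: "technical",              provider: "first-party" },
  site_stats:  { category: "first-party-statistics", provider: "first-party" },
  ad_tracker:  { category: "advertising",            provider: "example-ad-network (assumed)" },
  profile_pix: { category: "profiling",              provider: "example-dmp (assumed)" },
};

class ConsentManager {
  // `clock` is injectable so consent timestamps are testable.
  constructor(inventory, clock = () => new Date().toISOString()) {
    this.inventory = inventory;
    this.clock = clock;
    this.records = [];      // append-only log: who, when, what was disclosed, how, withdrawn
    this.granted = new Set();
    this.pending = [];      // non-exempt cookie installs deferred until consent
  }

  isExempt(name) {
    const def = this.inventory[name];
    if (!def) throw new Error(`unknown cookie ${name}; declare it in the inventory first`);
    return EXEMPT_CATEGORIES.has(def.category);
  }

  // Every cookie install goes through this hook. Exempt cookies are set
  // immediately; non-exempt ones are queued until their category is consented.
  requestSet(name, install) {
    if (this.isExempt(name) || this.granted.has(this.inventory[name].category)) {
      install(name);
      return "installed";
    }
    this.pending.push({ name, install });
    return "blocked";
  }

  // Opt-in only: a call with no chosen categories (the "pre-ticked" or silent
  // case) is rejected rather than being treated as consent.
  grant({ userId, categories, disclosures, method }) {
    if (!Array.isArray(categories) || categories.length === 0) {
      throw new Error("consent requires an affirmative choice of at least one category");
    }
    categories.forEach((c) => this.granted.add(c));
    const record = { userId, at: this.clock(), categories: [...categories],
                     disclosures, method, withdrawn: false };
    this.records.push(record);
    // Release the deferred installs whose category is now consented.
    const stillBlocked = [];
    for (const p of this.pending) {
      if (this.granted.has(this.inventory[p.name].category)) p.install(p.name);
      else stillBlocked.push(p);
    }
    this.pending = stillBlocked;
    return record;
  }

  // Withdrawal is logged like any other consent event and returns the names of
  // the non-exempt cookies the caller must now delete or expire.
  withdraw(userId, method) {
    this.granted.clear();
    this.records.push({ userId, at: this.clock(), categories: [], disclosures: null,
                        method, withdrawn: true });
    return Object.keys(this.inventory).filter((n) => !this.isExempt(n));
  }
}

// Stand-alone walk-through of a first visit: exempt cookie set, ad cookie held
// back, then released after an explicit click on the banner.
function demoFirstVisit() {
  const jar = [];
  const cm = new ConsentManager(COOKIE_INVENTORY);
  cm.requestSet("session_id", (n) => jar.push(n));
  cm.requestSet("ad_tracker", (n) => jar.push(n));
  cm.grant({ userId: "visitor-1", categories: ["advertising"],
             disclosures: "cookie policy v1 shown in banner", method: "banner accept button" });
  return jar;
}

console.log(demoFirstVisit()); // session_id first, ad_tracker only after consent
```

The design choice worth noting is that `requestSet` is the only path to setting a cookie, so a third-party tag that wants to drop `ad_tracker` cannot bypass the gate, and `grant` refuses an empty choice, which is what rules out pre-ticked boxes and implied consent. The records array is what you would persist to demonstrate compliance: each entry carries the identity, the time, the disclosures shown, the method, and whether the consent was later withdrawn.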
Depending on the applicable law, you may also have to make other disclosures to users, third parties, and the supervisory authority.
- Identify what data the app/service collects, how it collects it, and how it is used.
- Explain its data retention/deletion policies and how a user can revoke consent and/or request data deletion.
- Your app manages personal or sensitive user data, as outlined in the user data privacy policies (such as personal information, payment and financial information, authentication information, contact data, mic and camera sensor data, and sensitive mobile data).
- Your app has been accepted into the “Designed for Families” program (with or without access to sensitive permissions or data).
However, it is important to remember that, platform requirements aside, privacy notices are legally needed under the great majority of legislations, particularly California’s CalOPPA, CCPA, and the GDPR.
Furthermore, if your Android app handles personal data for reasons unrelated to its operation, you must make extra, easily visible disclosures about this usage and obtain user consent when necessary.
HOW TO USE SWING2APP TO MAKE YOUR NO-CODE APP COMPLIANT IN MINUTES
With Swing2App, you can create no-code apps without worrying about all these laws, as we handle everything for you.
Yes! You read that correctly. A no-code app can be easily created using Swing2App, which is fully compliant with both the App Store and Google Play Store privacy policies.
Swing2App automatically updates your app to keep up with the latest policies and guidelines. If you create your app without it, you have to update it regularly to stay up-to-date.
It is, however, an expensive and time-consuming process because a developer has to review all guidelines for every update of Android and iOS. Furthermore, you must carefully review the privacy policies, otherwise, you may have your app rejected.
There is no need to worry! Swing2App provides support for all app store guideline updates in addition to ensuring compliance with privacy policies. With Swing2App, your app is prepared for future changes as well!
Please feel free to contact us if you are interested in creating law-compliant apps or wish to take your app to the next level. Our professionals will provide the finest law-compliant app services and help you improve your product.