Mobile apps often collect a lot of personal data. Accordingly, they are subject to data protection law rules. Therefore, if your business utilises a mobile app, complying with data protection rules is something you must understand and take seriously. This article will explore key issues around mobile app requirements under the UK General Data Protection Regulation (GDPR) and the Privacy and Electronic Communications Regulations (PECR).
Data Protection Laws and Mobile Apps
The UK GDPR is the law governing the use of personal data. It contains many rules you must follow, depending on the types of personal data your business processes.
Complying with the GDPR is a big topic. Accordingly, let us explore a few key issues you must consider for mobile apps.
Lawful Basis for Processing Personal Data on Mobile Apps
Mobile apps typically process a large amount of personal data, such as:
- individual contact data;
- credit card and bank details; and
- location data.
As such, mobile apps need to determine a ‘lawful basis’ for processing personal data.
Processing is lawful under Article 6 of the UK GDPR if one of the following legal grounds applies.
1. Consent
Relying on consent means the individual has given clear consent for you to process their data for a specific purpose. Consent must be:
- freely given;
- specific; and
- informed.
Generally, this is a difficult ground to rely upon. Accordingly, you must take particular care if you intend to rely on consent.
2. Contract
You may have a lawful basis to process the data under a contract. For example, the processing may be necessary as part of a contract with the individual or because they have asked you to take specific steps before entering a contract.
3. Legal Obligation
Under this basis, processing data is necessary to comply with the law. You can rely on this legal basis if you must process personal data to comply with a legal obligation.
4. Vital Interests
A vital interest refers to where processing is necessary to protect someone’s life. You are likely to be able to rely on this ground if you need to save an individual’s life. However, this ground is very limited in scope.
5. Public Task
The processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law. This ground usually applies to public authorities.
6. Legitimate Interests
The processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data, which overrides those legitimate interests.
It will be up to the mobile app provider to consider the appropriate lawful basis to process personal data. However, most providers tend to rely on the grounds of ‘consent’, ‘performance of a contract’ and ‘legitimate interests’ to process personal data (depending on how they use the personal data of app users).
Additional rules and considerations will apply if:
- the app targets children; or
- you collect special category personal data.
This is a complex topic. Therefore, you should take legal advice on this if you need clarification.
Mobile App Privacy Policy
It is mandatory to give clear privacy information to all individuals from whom you collect personal data as a data controller. A data controller is an organisation that decides how and why to use personal data.
A mobile app will often collect a large amount of personal data from individuals, for example, when they first sign up or create an account.
The most common way to provide privacy information on a mobile app is through a privacy policy document. The privacy policy should tell individuals various facts about how the app will use their data.
For example, as a mobile app owner, and data controller, you should confirm:
- what personal data you collect from users;
- how you will use their personal data;
- how long you keep their personal data;
- who you share their personal data with;
- how you will keep their personal data safe; and
- what their data protection rights are.
Businesses should provide this information so that users know how you will use their data before they sign up for the app. For example, a mobile app privacy policy can pop up before a user is prompted to sign up and insert their personal details.
Mobile App Cookie Policy
Often, mobile apps deploy cookies. When doing so, app users need to be informed about cookies, give consent for their use or decline them. In the UK, the key law governing the use of cookies is the PECR. In addition to the UK GDPR, the PECR law requires mobile apps to get informed consent from users before storing cookies on their devices. If you are deploying cookies, you must also provide a cookie policy. This must be available to the user before they install the app.
A cookie policy is a document that provides detailed information about cookies. The policy needs to explain various details on the different types of cookies a business uses and allow users to control and change their preferences around using cookies.
Therefore, it is vital to carry out a cookie audit to understand what cookies your app uses and how they work. This can be a fairly technical exercise. Accordingly, most app providers engage software developers with the relevant technical expertise to assist with this process.
Apps using cookies must provide users with comprehensive information in a user-friendly format. The key is to be extremely transparent and provide ‘clear and comprehensive’ information so users understand what cookies you use and what they will do. You should also understand the practicalities around how users can turn cookies on or off.
Key Information You Should Provide
Some of the key information you should provide includes:
- which cookies you will use;
- the purpose you are using cookies for;
- how long you will use cookies for;
- whether third parties will have access to the cookies;
- how users can opt out of the use of cookies; and
- any relevant technical information about cookies.
These are some of the key requirements for mobile apps. Mobile app owners should carefully review the GDPR (and any other relevant) legal rules and ensure their operations comply. For example, additional considerations include ensuring data security on the mobile apps. Similarly, you might apply the principles of ‘privacy by design’, including designing the apps with data protection considerations in mind.
Key Takeaways
Mobile apps often collect a lot of personal data. As such, they are subject to the rules under the UK General Data Protection Regulation (GDPR) data protection law regime. Some key issues include determining the appropriate lawful basis to process personal data and providing users with a compliant privacy policy. Additionally, app owners must comply with Privacy and Electronic Communications Regulations rules if they deploy cookies. Mobile app owners should follow all applicable UK GDPR rules when operating mobile apps.
If you need legal advice on compliance with the UK GDPR, our experienced data, privacy and IT lawyers can assist as part of our LegalVision membership. For a low monthly fee, you will have unlimited access to lawyers to answer your questions and draft and review your documents. Call us today on 0808 196 8584 or visit our membership page.