Data Privacy and Compliance
Take Responsibility to Protect User Privacy
A mobile app is an essential user communication and engagement channel that simplifies access to personal information. At the same time, an app may be a source of data breaches in a malicious hacker's hands. Mandatory regulations like GDPR, CCPA, PDPA, as well as Apple and Google guidelines, are in place to ensure accountability and user data privacy, regardless of the app geography or business domain.
By design and default, user privacy should be a top consideration during mobile app construction and throughout the development cycle. Personally identifiable information (PII) and other sensitive data must be treated with discretion as the highest priority.
Mobile app compliance should be a part of an overall strategy of user rights protection—communicated in a form of a code of conduct, employee handbook (for B2E app), or service terms & conditions and privacy policy (for B2C app).
In general, apps should make this content easily understood by the user:
- What specific personal data is collected
- The purpose of data collection
- What form of the data is collected
- Where data is transferred to
- How long data is retained by the app
Transparency is Key
A compliant app fairly informs the user in a clear and easily accessible manner, providing all mandatory information, such as:
- Proper app metadata on the marketplace
- Explanation of the need to access the device's advertising identifier (iOS IDFA, Android AAID) and what this means for the user. Such descriptions are provided even if the app itself does not perform the tracking, but third parties may
- For permission requests, messages about what value is delivered to the user (i.e. location tracking services)
- Any attempt to gather user analytics to track behavior or performance
- Informational screens (such as about the app, about the developer, customer support or FAQs)
- User privacy-related notifications (optional, either push or in-app)
Security in Place
An app should treat data protection as a shared responsibility of all the parties accessing that data. Ensuring the user security during design, as well as in production, is obligatory now. This includes authorization, proper use of system API, encrypting confidential data-at-rest and data-in-transit as well as passing formal security testing.
Least Required Information
An app should not collect data upfront for any reason if the purpose is "to be determined later"–a minimal user data set should be defined during the product design phase to make sure the app is functional. As the product evolves and more features are added, additional user information collection may be added as soon as it is necessary.
Accuracy is Paramount
An app treats proper UX and accuracy of personal data as a default personal right. The user should be able to easily use the app and consume the content. A proper app reasonably incorporates iOS Human Interface Guidelines, as well as Google Material Design notation. The user should be able to request data correction and rectification, and the app should populate the correction when applied.
User Rights are Guaranteed
An app engages personal data in advertisements or other interests lawfully. This means they make user rights readily available, like:
- Opt-out or the “unsubscribe” feature is provided for receiving prospects and advertisements
- Opt-in is provided for the transfer of data to other parties and the collection of sensitive information
- Ability to review or erase the data collected, which may be a mobile-friendly feature
Functional Resiliency
A compliant app should be aware of the dynamic nature of the data collected. The app is responsible for gracefully handling future situations when any user permission granted is revoked, any consent given is nullified or any data collected is erased—meaning the application reacts accordingly and keeps its state consistently.
This is the first in a series of blogs—stay tuned for the next piece that will discuss Mobile App Security.