Legal Issues Building Website Mobile Applications
Peter Adediran is the owner and a specialist lawyer in Applications (Mobile/Website) and Intellectual Property practices at PAIL Solicitors. Read more on PAIL’s Resource Library or keep up with the firm on Facebook.
Although this article relates primarily to mobile apps the solutions it proposes apply to websites and any other digital platform through which you make your online platform and applications available including for mobile, tablet and other smart devices and application program interfaces.
If you still believe in mobile apps as a great business idea for generating revenue, then you may be on to something. Mobile apps may not be as hot today as cryptocurrency; blockchain; AI; drones and other new technologies, but global app revenue increased by 35% in 2017 to almost $60 billion based on Apple’s App Store and Google Play revenues alone, according to a report released on 05 January 2018 from Sensor Tower, a company providing mobile app intelligence.
Indeed, according to the Statists website by 2020 mobile app revenues are predicted to climb to $188.9 billion based on both app stores and in -app advertising. That’s an impressive growth rate of approximately 200% from 2017 in-app advertising and app store revenue. Further smartphone adoption rates continue to grow with penetration still speeding up in less advanced markets with large populations in Africa and Asia even as they slowdown in advanced markets.
Developing The Gaming App
Whether you are developing a gaming app which dominate the top revenue grossing apps such as. Epic Games Fortnite or Candy Crush by King which reportedly makes $1.3m per day. Or you are a niche market with an app for the healthcare or veterinary market. Your development road-map should include the same basic legal considerations for a new digital technology business. Given that consumers are a very important part of mobile apps.
Consequently a hot topic are terms and conditions and privacy policies that are compliant with the most recent data protection and privacy laws. You will have to deal with the types of issues that are most red flagged by data protection regulators, consumer protection bodies and savvy users bringing private claims for compliance orders for breach of the data protection legislation s167 DPA 2018.
Red Flag Issues
The red flag issues for mobile apps and indeed websites usually amount to 2 core matters:
• Issues where there appears to be some hidden charge or business process that benefits the app business to the detriment of the user that (a) either has not been explained at all; or (b) has been explained differently (misleading) – in other words does the app properly explain the reason for charges or why a user pays an additional premium fee for a “special” feature clearly?
• Whether the user (individual) is informed of what personal data is being collected and processed; the purposes for which their personal data is being collected and processed; the grounds under the GDPR provisions (Data Protection Act 2018) that the app is relying on to collect, process and share the personal data
Clear Terms And Conditions
Failure to have clear terms and conditions can lead to. Accusations of dishonest and/or misleading business practices by users against the app/website which can be a PR disaster. Although any law suit is likely to be a small claim. However the PR fall out could be much worse for revenue. The risks include – PR fallout for breach of privacy and data protection laws. Along with private suits for compliance orders Not forgetting as well as the administrative potential fines of 1) Up to €10 million, or 2% annual global turnover – whichever is higher. 2) Up to €20 million, or 4% annual global turnover – whichever is higher. Giants like Google are already feeling the pressure with regard to the potential fines.
Start with this Road Map
(i) – Do not mislead consumers/users -:
If your app is asking users to make a certain payment, then any language used to incentivise that payment must describe an honest and truthful practice by the business. If the user should not place reliance on a statement to incentivise a decision, then say so in clear plain language.
(ii) – Children -:
Children are afforded special treatment under the GDPR. The recital 38 to the regulations state that children merit specific protection in relation to their personal data. Children’s special position is mentioned at-least eight times in the regulation. At the minimum an age verification process including reasonable attempts to verify the age of users must be established and monitored.
(iii) – Assess your data protection compliance -:
You need to assess processors and data (GDPR Compliance). The primary issues for GDPR compliance with respect to consumer customer users and third parties are:
What is personal information?
- A broad range of data is personal information including usage data which qualifies as personal data under the GDPR. The definition of personal data has been deliberately broadened to include specifics such as id number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social i/d of that natural person by contrast the definition of data processing has not changed. The emphasis on redefining personal data as broadly as possible indicates that all data including analytical data is meant to be captured. GDPR makes it unlawful to process usage data including historical data bases. The new legal bases required under the GDPR for processing usage data including historical databases falls under Article 6 and is also guided by the 7 principles set out under Article 5. All the principles under Article 5 will apply here.
What is processing?
- Regarding method for processing, the choices include:6(1)(a) “consent”(which must be specific and unambiguous to serve as a valid legal basis) which would be difficult to satisfy since successive data analysis is subject to increasingly complex mathematical and automated mechanical computations; or6(1)(b) “processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;” or6(1)(f) “processing is necessary for the purposes of the legitimate interests…”
- There is no provision for domestic legislation to explain what is meant by “legitimate interests”, but to rely on legitimate interests as a legal basis for processing usage data or any personal data you will need to demonstrate that it balanced its legitimate interests against the interests, fundamental rights and freedoms of the data subject and ensure that the individual’s rights are not overridden. When carrying out this exercise, you will need to factor a data subject’s reasonable expectations based on the relationship between the two parties. Provided that the usage data is in the legitimate interests of the customer then you can process usage data. Compliance with the requirement not to override customer interests can be dealt with by an unsubscribe mechanism. Note* GDPR has no “grandfather” provision allowing for continued use of data collected using non-compliant consent after the effective date of the GDPR.
How do we deal with erasure requests?
- Article 5(1)(b) Purpose limitation and Article 5(1)(e) Storage limitation principles are applicable as well as Art 17 Right to Erasure. You will have to indicate in your privacy polies the length of time you intend to hold each category of personal data.Rights relative to service utilisation. If a user claims their right to restrict data processing, can you deny them service? To satisfy the principles of Art 5 you need to state clearly in your PP:1. The information you collect;2. How you intend to use personal information;3. With whom you share personal information;4. Whether information must be provided, and if so why;5. How long personal information will be kept;6. The ground you are relying on to collect and use personal information; and
7. Any consequences of your use of customer personal information.
The answer to the question above will depend on what ground you are relying on as the lawful basis on. Dependant on how you collect and use that category of customer personal data.
- If you are relying on consent for processing the category of data, then the customer must have consented to the processing of that category of data for one or more specific purposes. Consent must comply with the principles Art 5 (fairness, necessity, proportionality). Art 7 requires consent to be determined in a detailed prescribed way and Art7(1)(d) states that when assessing whether consent is freely given account will be taken of whether performance of the contract is conditional on consent to processing of non-essential personal data to performance of the contract.
Does direct marketing qualify as a legitimate interest?
- Direct marketing does not qualify as a legitimate interest ground. You will require valid consent for any direct marketing. Valid consent may be given by a written statement including by email. This could include ticking a box visiting your website. Opt-out is not an option. Consent must be given for each purpose. You cannot just bundle together multiple purposes. Blanket acceptance of terms and conditions does not qualify as valid consent. Consent should be given before processing commences. Withdrawal of consent must be as straightforward as the notification. Therefore it must not cause detriment to the customer or pro i.e. you cannot restrict the service.
Right to data portability –
- What do we need to provide? Article 7, where processing is based on consent the data subject is entitled to data portability. The customers and pros are entitled to receive all their data provided to you, in a structured, commonly used and machine-readable format. Especially if processing is based on consent or on contract and was processed by automated means: Art 20. There is a public interest or official authority exception but that is for actual authorities like the police.
Our data is based/stored in the EU but is accessible to our staff/contractors outside the EU. – what provisions if any do we need?
(iv) – Boilerplate terms are bad -:
If you rely on boilerplate terms to solve very complex and challenging legal pitfalls for your business processes. Stop, then think again. As consumers become increasingly savvy you can expect that claims for compliance orders in the county court to increase. You will need simple terms and conditions and policies written in plain language by experts. Experts who understand the marketplace not one size fits all formal and technical terms. Each digital business is different with its own unique business plan and processes. That is at-least one reason why legalese boilerplate terms are inappropriate in an increasingly competitive and consumer savvy marketplace.
By Peter Adediran
09 08 2018
There are more terms and conditions and privacy law issues than the ones set out above relating to applications. The scenarios and laws outlined in this article should give a good idea of the types of issues faced most often in digital technology related applications. It also provides the up-to-date law on data protection law. Notwithstanding, the information and any commentary on the law contained on this web site. It is provided free of charge for information purposes only.
Every reasonable effort is made to make the information and commentary accurate and up to date. However no responsibility for its accuracy and correctness. Or for any consequences of relying on it, is assumed by PAIL Solicitors. The information and commentary does not, and is not intended to, amount to legal advice to any person on a specific case or matter. Therefore you are strongly advised to obtain specific, personal advice from a lawyer about your case or matter. Consequently do not to rely on the information or comments on this site. No responsibility is accepted for the content or accuracy of linked sites.