Peter Adediran is the owner and a specialist lawyer in Applications (Mobile/Website) and Intellectual Property practices at PAIL Solicitors. Read more on PAIL’s Resource Library or keep up with the firm on Facebook.
Although this article relates primarily to mobile apps, the solutions it proposes apply equally to websites and to any other digital platform through which you make your online platform and applications available, including mobile, tablet and other smart devices and application program interfaces.
If you still believe in mobile apps as a great business idea for generating revenue, then you may be on to something. Mobile apps may not be as hot today as cryptocurrency, blockchain, AI, drones and other new technologies, but global app revenue increased by 35% in 2017 to almost $60 billion based on Apple’s App Store and Google Play revenues alone, according to a report released on 05 January 2018 by Sensor Tower, a company providing mobile app intelligence. Indeed, according to the Statista website, by 2020 mobile app revenues are predicted to climb to $188.9 billion based on both app stores and in-app advertising. That’s an impressive growth rate of approximately 200% from 2017 in-app advertising and app store revenue. Further, smartphone adoption rates continue to grow, with penetration still speeding up in less advanced markets with large populations in Africa and Asia even as they slow down in advanced markets.
Whether you are developing a gaming app, a category that dominates the top revenue-grossing apps, such as Epic Games’ Fortnite or Candy Crush by King (which reportedly makes $1.3m per day), or you serve a niche market with an app for the healthcare or veterinary market, your development road-map should include the same basic legal considerations for a new digital technology business. Given that consumers are a very important part of mobile apps, a hot topic is terms and conditions and privacy policies that are compliant with the most recent data protection and privacy laws. You will have to deal with the types of issues that are most often red-flagged by data protection regulators, consumer protection bodies and savvy users bringing private claims for compliance orders for breach of the data protection legislation (s167 DPA 2018).
The red flag issues for mobile apps and indeed websites usually amount to 2 core matters:
• Issues where there appears to be some hidden charge or business process that benefits the app business to the detriment of the user and that either (a) has not been explained at all; or (b) has been explained differently (misleadingly). In other words, does the app clearly explain the reason for charges, or why a user pays an additional premium fee for a “special” feature?
• Whether the user (individual) is informed of what personal data is being collected and processed; the purposes for which their personal data is being collected and processed; and the grounds under the GDPR provisions (Data Protection Act 2018) that the app is relying on to collect, process and share the personal data.
Failure to have clear terms and conditions can lead to accusations by users of dishonest and/or misleading business practices against the app/website, which can be a PR disaster. Although any lawsuit is likely to be a small claim, the PR fallout could be much worse for revenue. The risks include PR fallout for breach of privacy and data protection laws, private suits for compliance orders, and potential administrative fines of (1) up to €10 million, or 2% annual global turnover, whichever is higher; (2) up to €20 million, or 4% annual global turnover, whichever is higher. Giants like Google are already feeling the pressure with regard to the potential fines.
Start with this Road Map
(i) – Do not mislead consumers/users -: If your app is asking users to make a certain payment, then any language used to incentivise that payment must describe an honest and truthful practice by the business. If the user should not place reliance on a statement to incentivise a decision, then say so in clear plain language.
(ii) – Children -: Children are afforded special treatment under the GDPR. Recital 38 to the Regulation states that children merit specific protection in relation to their personal data. Children’s special position is mentioned at least eight times in the Regulation. At a minimum, an age verification process, including reasonable attempts to verify the age of users, must be established and monitored.
(iii) – Assess your data protection compliance -: You need to assess processors and data (GDPR Compliance). The primary issues for GDPR compliance with respect to consumer customer users and third parties are:
(which must be specific and unambiguous to serve as a valid legal basis) which would be difficult to satisfy since successive data analysis is subject to increasingly complex mathematical and automated mechanical computations; or
6(1)(b) “processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;” or
6(1)(f) “processing is necessary for the purposes of the legitimate interests…”
There is no provision for domestic legislation to explain what is meant by “legitimate interests”, but to rely on legitimate interests as a legal basis for processing usage data or any personal data you will need to demonstrate that you have balanced your legitimate interests against the interests, fundamental rights and freedoms of the data subject, and ensure that the individual’s rights are not overridden. When carrying out this exercise, you will need to factor in a data subject’s reasonable expectations based on the relationship between the two parties. Provided that the usage data is in the legitimate interests of the customer, then you can process usage data. Compliance with the requirement not to override customer interests can be dealt with by an unsubscribe mechanism. Note: the GDPR has no “grandfather” provision allowing for continued use of data collected using non-compliant consent after the effective date of the GDPR.
Rights relative to service utilisation. If a user claims their right to restrict data processing, can you deny them service? To satisfy the principles of Art 5 you need to state clearly in your privacy policy (PP):
1. The information you collect;
2. How you intend to use personal information;
3. With whom you share personal information;
4. Whether information must be provided, and if so why;
5. How long personal information will be kept;
6. The ground you are relying on to collect and use personal information; and
7. Any consequences of your use of customer personal information.
The answer to the question above will depend on what ground you are relying on as the lawful basis on which you collect and use that category of customer personal data.
(iv) – Boilerplate terms are bad -: If you rely on boilerplate terms to solve very complex and challenging legal pitfalls for your business processes, then think again. As consumers become increasingly savvy, you can expect claims for compliance orders in the county court to increase. You will need simple terms and conditions and policies written in plain language by experts who understand the marketplace, not one-size-fits-all formal and technical terms. Each digital business is different, with its own unique business plan and processes; that is at least one reason why legalese boilerplate terms are inappropriate in an increasingly competitive and consumer-savvy marketplace.
By Peter Adediran
09 08 2018
There are more terms and conditions and privacy law issues relating to applications than the ones set out above. The scenarios and laws outlined in this article should give a good idea of the types of issues faced most often in digital technology related applications. It also sets out the up-to-date law on data protection. Notwithstanding, the information and any commentary on the law contained on this web site is provided free of charge for information purposes only. Every reasonable effort is made to make the information and commentary accurate and up to date, but no responsibility for its accuracy and correctness, or for any consequences of relying on it, is assumed by PAIL Solicitors. The information and commentary does not, and is not intended to, amount to legal advice to any person on a specific case or matter. You are strongly advised to obtain specific, personal advice from a lawyer about your case or matter and not to rely on the information or comments on this site. No responsibility is accepted for the content or accuracy of linked sites.