GDPR & CCPA For Apps – Tips For Privacy Compliant Apps

Let’s look at GDPR, the CCPA and how you can make sure that your app is ready for the coming changes.

What’s the most important currency around? It’s data. It’s used to fuel everything from your personal assistant to your social media feed. But let me tell you one thing about this data. It’s private, it needs to be safeguarded and soon, fellow app developers, it will be the law for you to ensure this.

Data is so omnipotent in our digital lives. Privacy regulation is set to make data handlers liable for how they collect, protect, store and remove this data. Some have predicted that up to 55% of apps aren’t ready for this change.

But you thought GDPR is only for email marketers. Wrong. Complying with privacy regulations is integral to running a successful mobile app business. As a mobile developer, under the new legislation, you will be responsible for all the personal data from your app.

That’s right – as of the 1st Jan 2020 responsibility will rest with you to ensure that you are in control of user data. But it doesn’t have to be all doom and gloom. The GDPR and CCPA are an opportunity for developers to create effective relationships with their users. It also means that you can offer up a great app experience at the same time.


But what is GDPR and CCPA?

GDPR stands for the General Data Protection Regulation and it came into effect on the 25th of May 2018. It is designed to protect data as it is collected and stored. It is also in place to ensure that the user is in control of their data. It seeks to allows the user to easily opt-out and remove their data when they so desire.

The CCPA is similar and will come into play on the 1st of Jan 2020 – the California Consumer Privacy Act is a bill meant to enhance privacy rights and consumer protection for residents of California, United States.

For apps, this means that a proper system for opt-in, data collection and data storage will need to be in place. As well as this the infrastructure to opt-out and be forgotten are essential to comply with the legislation.

There are some key principles to define when looking at the legislation from a developer’s perspective. We will help to explain these next and look at exactly what these principles mean for developers, as well as practical advice for app owners.

The consent toolkit is launching soon, sign up below to get free early access



Explicit consent

This is a key requirement for mobile apps. The legislation says that businesses must request and receive consent to collect use and move personal data. Further, this request must be made and given in clear intelligible and easily accessible way. It cannot be confusing. As well as this the user must be able to withdraw consent as quickly as they can give it.

This means that apps will need to communicate better with their users. They must clearly define the type of personal data they collect around users. Developers will need to explain why this data is collected and obtain clear consent to collect this information.

Practically this means that you may wish to ask for certain types of personal data at different points of the user experience. For example, it’s generally a better idea to ask users for data consent at a point where it is relevant to the action that the user is performing.

So don’t ask for every permission under the sun the first time your app is opened. It might be better to wait for the right moment to communicate these to the user.

This also gives you a better opportunity to communicate the value that the user will receive by opting-in for this type of data collection. It also means that you can clearly explain opt-out procedures as well (but more on that later).

For example, we help our partner apps to obtain consent for location permissions by providing a dialogue with the user at the right moment. This could be when the user is looking for nearby venues or searching for local deals.

By clearly explaining to the user at this moment it allows the user to come to an informed decision on how they want to share their personal data with the app. This complies with the ‘explicit consent’ as defined in the GDPR legislation.

Find out more about asking for consent by speaking to our app team.


The right to be forgotten

One of the keys focuses of the legislation is the right to be forgotten. This means that app developers will need to create a system of opting-out that allows users to be in control of the data collected through the app.

As previously mentioned this should be as simple for the user as opting-in. Your app users should be able to request that their entire data history is deleted and removed from all records. This includes third parties (yes that means every SDK that you have used in your app that uses personal data).

For developers, this means designing user control into the app so that the user can perform these actions when desired. Apps must be able to process and act upon these user requests and then ensure that all personal data is removed.

This might be in the form of an option to contact you with questions about your data.

Or you can add a data section to your app settings page that allows your users to opt out of different types of data collection. You can also add the option to revoke all data collection.

The aim of GDPR in this area is the put the user in control of their data. If you can design your app to facilitate this control then your app will be compliant and your users will have a better experience when using your app.


Privacy by design

This section is all about the proper encryption and data handling procedures.

You might think that this is an obvious approach to take when designing a mobile app. Perhaps you have considered privacy at multiple points in the planning of your app. That’s great – the key points to remember is that GDPR makes this a legal requirement.

So from a project’s inception to every point in the lifecycle privacy and data protection will need to be front and centre. It’s about anticipating, managing and preventing privacy issues. And doing this before a single line of code has been written.

There are fundamentals that app developers will do well to follow once the legislation comes into force:

Privacy must be proactive, not reactive, it must also be preventative not remedial. This means that developers should be thinking about privacy from stage one of the design process all the way through to after the user’s app engagement has ended.

Define the kinds of data that your app will use in the design phase. Assess potential issues that may arise when using this data. Make sure that your app is designed to secure this data by default and has the correct opt-in processes before you do anything with this data.

When processing user data ensure that your systems are designed to secure the data. This might mean pseudonymization of data or even creating a completely secure way of processing personal data.

The basic idea here is that privacy and data control to become a key part of designing any new app feature. By taking this approach you create an app experience that is secure. It provides users with the controls to input personal information in the knowledge that it is secured and that they can have it removed at any time.


Consent module and Tamoco’s secure SDK

As mentioned one area where developers need to ensure compliance with GDPR is through the use of third-party SDKs. Many of this access and use user data, and often there is not explicit consent for this from the end user.

If you’ve been paying attention you’ll realise that this is a direct breach of GDPR. As a developer, you’ll need to balance the use of third-party SDKs with user privacy and consent. Partnering with SDKs that place user opt-in front and centre will be a sensible approach once GDPR comes into effect.

At Tamoco we help apps to comply with the new regulation whilst providing a powerful toolkit to boost app engagement and monetization. Our product allows apps to get valuable insights and analytics into their app audiences whilst ensuring GDPR compliance.

Manage consent today – sign up below to get free early access


James is the marketing manager at Tamoco.