Before starting to build your next no-code mobile app you might have lots of questions and ideas. And we bet that most of them are business or development related. But don’t forget about the legal side! There are many critical issues that need to be considered – fortunately, we’ve gathered them here.
General legal requirements
Under the vast majority of legislations, if your app processes personal data you’re required to:
- ensure that there are effective security measures in place for protecting personal data, and
- implement methods for receiving user consent or facilitating its withdrawal (consent here refers to the informed, voluntary agreement of an individual to engage in a particular event or process. It may be acquired using any method that requires the user to take an affirmative and verifiable action, like checkboxes, text fields, toggle buttons, sending an email in confirmation, etc.).
In general, users need to be informed of:
- app owner details;
- your notification process for policy changes;
- what data is being collected;
- third-party access to their data (who the third-parties are and what data they’re collecting);
- their rights in regards to their data.
US, EU, international? How to determine your law of reference
Generally, the laws of a particular region apply if:
- you base your operations there; or
- you use processing services or servers based in the region; or
- your service targets users from that region.
This effectively means that regional regulations may apply to you and/or your business whether you’re located in the region or not. For that reason, it’s always a good idea to handle your data processing activities with the strictest applicable regulations in mind. Here’s a simple rule of thumb:
- Law of reference - Comply with the laws of the country in which you base your operations, as well as those of the country your app targets.
- The language of your documents - Your legal documents must be written in the same language as your app so your users are able to understand them.
That said, let's see the main US and EU regulations.
US law (CalOPPA and CCPA)
In the US, currently there is no single comprehensive national body of data regulations: there are various laws on a state level as well as industry guidelines and a few specific federal laws in place. Since online app activity is rarely limited to just one state, it’s always best to adhere to the strictest applicable regulations, like the ones implemented by the state of California.
The California Online Privacy Protection Act (CalOPPA) was the first state law to make privacy policies mandatory and it applies to a person or company whose website/app processes personal data of California residents. In addition to the generally required disclosures above, CalOPPA also requires that you:
- notify affected users in the event of security breaches that impact their data.
In regards to consent, US law generally requires that you give users a clear option for withdrawing consent (opt-out). Different rules apply, however, in cases involving “sensitive data” (e.g. health information, credit reports, student data, personal information of children under 13). In such cases, there must be a verifiable opt-in action such as checking a box or some other affirmative action.
Another US law (that complements but does not replace the CalOPPA, which still applies) is the California Consumer Privacy Act (CCPA). Fully enforceable since July 1st, 2020, the CCPA enhances consumer privacy rights for residents of California. Under the CCPA, businesses that target Californian consumers must include specific disclosures in their privacy policies. These disclosures include descriptions of consumer rights, processing partners, purposes, sources and more. Also, Californian users need to be informed of the possibility of their data being sold (you can think of “sold” here as “shared with third parties for any profit, monetary or otherwise”). The disclosure needs to be visible from the homepage of the site and must include a “Do Not Sell My Personal Information” (DNSMPI) opt-out link.
You can read more about the CCPA here.
EU law (GDPR and ePrivacy Directive/Cookie Law)
The GDPR specifies how personal data should be lawfully processed, and can apply to you whether your company is based in the EU or not: if your app can be used by EU users (or you’re based in the EU), the GDPR applies to you.
Compared to the US regulations, the GDPR is more strict when it comes to consent. Consent under the GDPR must be “explicit and freely given”. This means that the mechanism for acquiring consent must be unambiguous and involve a clear “opt-in” action (the regulation specifically forbids pre-ticked boxes and similar “opt-out” mechanisms).
You can read more about the GDPR here.
In order to be compliant, your policy must be:
- unambiguous, and
- easily accessible throughout the app.
You may be further responsible for making additional disclosures to users, third-parties and the supervisory authority depending on your law of reference.
- Identify what data, if any, the app/service collects, how it collects that data, and all uses of that data.
- Explain its data retention/deletion policies and describe how a user can revoke consent and/or request deletion of the user’s data.
- Your app handles personal or sensitive user data, as defined in the user data policies (including personally identifiable information, financial and payment information, authentication information, phonebook or contact data, microphone and camera sensor data, and sensitive device data).
- Your app is in the “Designed for Families” program (regardless of access to sensitive permissions or data).
However, it is critical to note here that, platform requirements aside, under the vast majority of legislations, and particularly under California’s CalOPPA, CCPA and the GDPR, privacy notices are legally required.
Also, if your Android app processes personal data for reasons unrelated to its functionality, you’re required to make additional, easily visible disclosures about this usage and collect user consent where required.
Cookies, trackers, and similar technologies
- you must inform users about your data collection activities and give them the option to choose whether it’s allowed or not; and
- you must obtain informed consent prior to the installation of those cookies.
In practice, you’ll need to:
- show a cookie banner at the user’s first access; and
- block non-exempt cookies before obtaining user consent (and release them only after informed consent has been provided).
- indicate the type of the cookies installed (e.g. statistical, advertising etc.);
- describe in detail the purpose of installation of cookies;
- indicate all third-parties that install or that could install cookies, with a link to their respective policies, and any opt-out forms (where available);
- be available in all languages in which the service is provided.
Show a cookie banner at the user’s first visit
The cookie banner should:
- inform users of any cookies that your app uses;
- ask for the user’s consent before running those cookies in the first place (and clearly state which action will signify consent);
- be sufficiently conspicuous so as to make it noticeable.
Block non-exempt cookies before obtaining user consent
Because informed, prior opt-in consent is required under the GDPR and the ePrivacy Directive (Cookie Law), you’ll need to set up a mechanism that blocks non-exempt cookies until the user has given consent via an affirmative action such as clicking an “Accept” button. Prior to consent, no cookies except exempt cookies can be installed. Additionally, if you monetize your app or its content by running third-party ads, you should also consider meeting industry standards by using the IAB’s Transparency and Consent Framework, which allows users to set advertising preferences and communicates consumer consent across participating ad networks. Failure to do so can result in limited ad network access and, ultimately, a decrease in ad revenue.
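As an added example (not code from the original article or any consent-management product), the following JavaScript sketches such a gating mechanism: trackers are registered under a category, only the exempt “necessary” category runs before any decision, and every other category stays blocked until the user actively opts in to it; the category names, tracker names, consent “source” label and policy version are hypothetical.

```javascript
// Added example, not from the original article. A consent gate that holds
// non-exempt trackers until the user opts in; names and categories are hypothetical.
const EXEMPT = new Set(["necessary"]); // strictly necessary cookies may run without consent

class ConsentGate {
  constructor(policyVersion) {
    this.policyVersion = policyVersion; // which policy text the consent refers to
    this.consent = null;    // null = no decision yet; nothing is pre-ticked
    this.pending = [];      // trackers waiting for an opt-in to their category
    this.ran = [];          // names of trackers that were actually allowed to run
  }

  // Register a tracker under a category. Exempt categories run at once;
  // any other category is held until the user has opted in to it.
  register(name, category, init) {
    const allowed = EXEMPT.has(category) ||
      (this.consent !== null && this.consent.categories[category] === true);
    if (allowed) { init(); this.ran.push(name); return; }
    this.pending.push({ name, category, init });
  }

  // Record an explicit opt-in. Only categories the user actively chose become true;
  // everything else stays blocked, and the record notes how and when consent was given.
  accept(chosenCategories, source) {
    const categories = {};
    for (const c of chosenCategories) categories[c] = true;
    this.consent = { categories, policyVersion: this.policyVersion, source, at: new Date().toISOString() };
    this.pending = this.pending.filter((t) => {
      if (categories[t.category] !== true) return true; // still blocked
      t.init(); this.ran.push(t.name); return false;    // released
    });
    return this.consent;
  }
}

// Constructed demo: three trackers registered at first access, then the user
// accepts only "statistics" by clicking the banner's accept button.
function demo() {
  const gate = new ConsentGate("policy-v1");
  gate.register("session_cookie", "necessary", () => {});
  gate.register("analytics", "statistics", () => {});
  gate.register("ad_network", "advertising", () => {});
  const before = [...gate.ran];
  gate.accept(["statistics"], "accept_button_click");
  return { before, after: [...gate.ran], blocked: gate.pending.map((t) => t.name) };
}
console.log(JSON.stringify(demo()));
```

The returned consent record (categories, policy version, source action and timestamp) is what you would persist as evidence that an affirmative, verifiable action took place.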
If your app is knowingly collecting, using, or disclosing personal information from children under 13, then there are some special guidelines that you are legally required to follow under the vast majority of legislations, including both US and EU law.
Children’s Online Privacy Protection Act (COPPA) is a United States federal law which was put in place to better protect the personal data and rights of children under 13 years of age. Under COPPA, operators of websites or online services that are either directed to children under 13 (or which have actual knowledge that they are collecting personal information from children under 13) must give notice to parents and get their verifiable consent before collecting, using, or disclosing such personal information and must keep secure the information they collect from children.
“Verifiable” here means using a method of attaining consent that is not easily faked by a child and that is demonstrably likely to be given by an adult (e.g. control questions).
Under EU GDPR, consent is one of the lawful bases for processing the data of children. If using this basis for processing the data of children under 13, you must get verifiable consent from a parent or guardian unless the service you offer is a preventative or counseling service. You must make reasonable efforts (using available technology) to verify that the person giving consent actually holds parental responsibility for the child. Furthermore, if you target children over the age of 13, you must write clear and age-appropriate privacy notices for them so that they understand what they’re consenting to.
Learn more about legal requirements for apps used by children.
How to make your no code app compliant in minutes