Before starting to build your next no-code mobile app you might have lots of questions and ideas. And we bet that most of them are business or development related. But don’t forget about the legal side! There are many critical issues that need to be considered – fortunately, we’ve gathered them here.

General legal requirements

Under the vast majority of legislations, if your app processes personal data you’re required to:

  • make disclosures about your data processing activities via a comprehensive privacy policy,
  • ensure that there are effective security measures in place for protecting personal data, and
  • implement methods for receiving user consent or facilitating its withdrawal (consent here refers to the informed, voluntary agreement of an individual to engage in a particular event or process. It may be acquired using any method that requires the user to take an affirmative and verifiable action, such as checkboxes, text fields, toggle buttons, or sending a confirmation email).

In general, users need to be informed of:

  • app owner details;
  • the effective date of your privacy policy;
  • your notification process for policy changes;
  • what data is being collected;
  • third-party access to their data (who the third-parties are and what data they’re collecting);
  • their rights in regards to their data.

US, EU, international? How to determine your law of reference

Generally, the laws of a particular region apply if:

  • you base your operations there; or
  • you use processing services or servers based in the region; or
  • your service targets users from that region

This effectively means that regional regulations may apply to you and/or your business whether you’re located in the region or not. For that reason, it’s always a good idea to handle your data processing activities with the strictest applicable regulations in mind. Here’s a simple rule of thumb:

  • Law of reference - Comply with the laws of the country in which you base your operations, as well as those of the country your app targets.
  • The language of your documents - Your legal documents must be written in the same language as your app so your users are able to understand them.

That said, let's see the main US and EU regulations.

US law (CalOPPA and CCPA)

In the US, currently there is no single comprehensive national body of data regulations: there are various laws on a state level as well as industry guidelines and a few specific federal laws in place. Since online app activity is rarely limited to just one state, it’s always best to adhere to the strictest applicable regulations, like the ones implemented by the state of California.

The California Online Privacy Protection Act (CalOPPA) was the first state law to make privacy policies mandatory and it applies to a person or company whose website/app processes personal data of California residents. In addition to the generally required disclosures above, CalOPPA also requires that you:

  • post your privacy policy on the homepage of your website/app;
  • include in your privacy policy a description of the process by which users can request changes to personal data (if such a process exists);
  • include in your privacy policy a statement on how “Do Not Track” requests are handled;
  • notify affected users in the occurrence of security breaches that impact their data.

In regards to consent, US law generally requires that you give users a clear option for withdrawing consent (opt-out). Different rules apply, however, in cases involving “sensitive data” (e.g. health information, credit reports, student data, personal information of children under 13). In such cases, there must be a verifiable opt-in action such as checking a box or some other affirmative action.

Another US law (that complements but does not replace the CalOPPA – which still applies) is the California Consumer Privacy Act (CCPA). Fully enforceable since July 1st, 2020, the CCPA enhances consumer privacy rights for residents of California. Under the CCPA, businesses that target Californian consumers must include specific disclosures in their privacy policies. These disclosures include descriptions of consumer rights, processing partners, purposes, sources and more. Also, Californian users need to be informed of the possibility of their data being sold (you can think of “sold” here as “shared with third parties for any profit, monetary or otherwise”). The disclosure needs to be visible from the homepage of the site and must include an opt-out (DNSMPI) link.

You can read more about the CCPA here.

EU law (GDPR and ePrivacy Directive/Cookie Law)

The GDPR specifies how personal data should be lawfully processed, and can apply to you whether your company is based in the EU or not: if your app can be used by EU users (or you’re based in the EU), the GDPR applies to you.

Compared to the US regulations, the GDPR is more strict when it comes to consent. Consent under the GDPR must be “explicit and freely given”. This means that the mechanism for acquiring consent must be unambiguous and involve a clear “opt-in” action (the regulation specifically forbids pre-ticked boxes and similar “opt-out” mechanisms).

You can read more about the GDPR here.

Also, EU users need to be informed about cookie use and given the option to consent or decline. The ePrivacy Directive (also known as Cookie Law) requires users’ informed consent before storing cookies on a user’s device and tracking them. This means that if your app (or any third-party service used by your app) uses cookies, you must first obtain valid consent prior to the installation.


Privacy Policy

Under most countries' laws it's mandatory that you disclose details related to privacy and your data processing activities. Mobile apps are no exception: they're required to provide a privacy policy (and, if they make use of cookies and similar tracking technologies, a cookie policy).

In order to be compliant, your policy must be:

  • up-to-date;
  • understandable;
  • unambiguous, and
  • easily accessible throughout the app.

You may be further responsible for making additional disclosures to users, third-parties and the supervisory authority depending on your law of reference.

Without a privacy policy, you risk app store rejection.

Both the Apple App Store and Google Play require apps to have a valid privacy policy and to follow applicable law. Failure to do so can result in massive fines, app store rejection, leave you open to litigation and negatively affect the credibility of your app.

iOS apps

App Store Connect requires a privacy policy for all new apps and app updates. Article 5.1 of Apple’s App Store Review Guidelines provides an overview of Apple’s privacy guidelines (and grounds for rejection where these conditions are not met). Article 5.1.1 on Data Collection and Storage further specifies as follows:

(i) Privacy Policies: All apps must include a link to their privacy policy in the App Store Connect metadata field and within the app in an easily accessible manner. The privacy policy must clearly and explicitly:

  • Identify what data, if any, the app/service collects, how it collects that data, and all uses of that data.
  • Confirm that any third party with whom an app shares user data (in compliance with these Guidelines) — such as analytics tools, advertising networks and third-party SDKs, as well as any parent, subsidiary or other related entities that will have access to user data — will provide the same or equal protection of user data as stated in the app’s privacy policy and required by these Guidelines.
  • Explain its data retention/deletion policies and describe how a user can revoke consent and/or request deletion of the user’s data.

In addition, your app’s privacy policy link or text will only be editable when you submit a new version of your app.

Read more about Privacy Policy for iOS Apps.

Android apps

On the other hand, Google Play only explicitly requires that a link to a privacy policy be visible on your app’s store listing page and within your app in cases where:

  • Your app handles personal or sensitive user data, as defined in the user data policies (including personally identifiable information, financial and payment information, authentication information, phonebook or contact data, microphone and camera sensor data, and sensitive device data).
  • Your app is in the “Designed for Families” program (regardless of access to sensitive permissions or data).

However, it is critical to note here that, platform requirements aside, privacy notices are legally required under the vast majority of legislations, and particularly under California’s CalOPPA and CCPA and the EU’s GDPR.

Also, if your Android app processes personal data for reasons unrelated to its functionality, you’re required to make additional, easily visible disclosures about this usage and collect user consent where required.

Read more about Privacy Policy for Android Apps.

Cookies, trackers, and similar technologies

Many app developers use cookies either in-app or via their app’s website for everything from usage statistics to remarketing ads. If you use non-exempt cookies (i.e. statistical, advertising or profiling cookies) and you have EU-based users, you’re required both by law and by law-abiding third parties such as Apple and Google to comply with the legal requirements of the ePrivacy Directive (Cookie Law) and the GDPR.

The Cookie Law requires users’ informed consent before storing cookies on a user’s device and/or tracking them. This means that if you have EU-based users and your app (or any third-party service used by your app) uses cookies, trackers and similar tracking technologies:

  • you must inform users about your data collection activities and give them the option to choose whether it’s allowed or not; and
  • you must obtain informed consent prior to the installation of those cookies.

Cookie-related requirements

In practice, you’ll need to:

  • provide a cookie policy;
  • show a cookie banner at the user’s first access; and
  • block non-exempt cookies before obtaining user consent (and release them only after informed consent has been provided).

This generally means having a valid cookie policy and a cookie consent management solution in place.

Provide a cookie policy

The cookie policy must:

  • indicate the type of the cookies installed (e.g. statistical, advertising etc.);
  • describe in detail the purpose of installation of cookies;
  • indicate all third-parties that install or that could install cookies, with a link to their respective policies, and any opt-out forms (where available);
  • be available in all languages in which the service is provided.

Show a cookie banner at the user’s first visit

The cookie banner should:

  • inform users of any cookies that your app uses;
  • ask for the user’s consent before running those cookies in the first place (and clearly state which action will signify consent);
  • be sufficiently conspicuous so as to make it noticeable;
  • link to a cookie policy that explains in detail the purpose of the various categories of cookies and the third-parties involved.

Block non-exempt cookies before obtaining user consent

Because informed opt-in (prior) consent is required under the GDPR and the ePrivacy Directive (Cookie Law), you’ll need to make sure that you’ve set up a mechanism that blocks non-exempt cookies until the user has given consent via an affirmative action such as clicking an “Accept” button. Prior to consent, no cookies — except for exempt cookies — can be installed. Additionally, if you monetize your app or its content by running third-party ads, you should also consider meeting industry standards by utilizing IAB's Transparency and Consent Framework – which allows users to set advertising preferences and communicates consumer consent across participating ad networks. Failure to do so can result in limited ad network access and, ultimately, a decrease in ad revenue.
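The blocking mechanism described in this section (hold non-exempt cookies and trackers until an affirmative opt-in, release only the categories the user actually ticked, and ask again when the cookie policy changes) can be expressed as a small consent gate. The following JavaScript is an added illustration, not iubenda's code and not part of the original article; the category names, the `policyVersion` argument and the in-memory `memoryStore` stand-in for localStorage or a first-party cookie are assumptions made for the example.

```javascript
'use strict';

// Cookie categories as used in the article. Only "necessary" (strictly
// necessary cookies) is exempt from prior consent; the others must wait.
const CATEGORIES = Object.freeze({
  necessary:   { exempt: true },
  statistics:  { exempt: false },
  advertising: { exempt: false },
});

// Build a consent gate. `store` persists the consent record (get/set);
// `policyVersion` (assumed identifier) names the cookie policy the user is
// consenting to, so that a changed policy invalidates old consent and the
// banner is shown again. Keeping the version and timestamp gives you an
// audit record of what the user agreed to and when.
function createConsentGate(store, policyVersion) {
  // Actions (cookie writes, SDK loads) that arrived before consent, per category.
  const deferred = { statistics: [], advertising: [] };

  function currentRecord() {
    const rec = store.get();
    return rec && rec.policyVersion === policyVersion ? rec : null;
  }

  // True if this category may run right now.
  function isAllowed(category) {
    const def = CATEGORIES[category];
    if (!def) throw new Error(`unknown cookie category: ${category}`);
    if (def.exempt) return true;
    const rec = currentRecord();
    return rec !== null && rec.granted.includes(category);
  }

  // The banner must be shown when there is no valid decision for this policy version.
  function needsBanner() {
    return currentRecord() === null;
  }

  // Gate an action: run it now if allowed, otherwise hold it until consent.
  // Returns 'run' or 'deferred'.
  function run(category, action) {
    if (isAllowed(category)) { action(); return 'run'; }
    deferred[category].push(action);
    return 'deferred';
  }

  // Record the user's affirmative choice (only the categories they ticked) and
  // release deferred actions for the granted categories. Actions for refused
  // categories are dropped, not kept for later: a refusal is a decision too.
  // Returns the number of released actions.
  function decide(grantedCategories, now = Date.now()) {
    const granted = grantedCategories.filter((c) => CATEGORIES[c] && !CATEGORIES[c].exempt);
    store.set({ policyVersion, granted, decidedAt: now });
    let released = 0;
    for (const category of Object.keys(deferred)) {
      const actions = deferred[category].splice(0);
      if (granted.includes(category)) {
        actions.forEach((a) => a());
        released += actions.length;
      }
    }
    return released;
  }

  // Withdrawal clears the record; the caller must also delete cookies already set.
  function withdraw() { store.set(null); }

  return { isAllowed, needsBanner, run, decide, withdraw };
}

// Constructed in-memory store standing in for localStorage or a first-party cookie.
function memoryStore() {
  let value = null;
  return { get: () => value, set: (v) => { value = v; } };
}

// Demo: first visit, three trackers try to start, user ticks only "statistics".
function demo() {
  const gate = createConsentGate(memoryStore(), 'cookie-policy-v2');
  const log = [];
  gate.run('necessary', () => log.push('session cookie set'));
  gate.run('statistics', () => log.push('analytics SDK loaded'));
  gate.run('advertising', () => log.push('ad network pixel fired'));
  const bannerShown = gate.needsBanner();
  const released = gate.decide(['statistics']);
  return { log, bannerShown, released, adsAllowed: gate.isAllowed('advertising'), bannerAfter: gate.needsBanner() };
}
```

In the demo only the session cookie runs immediately; the analytics SDK is released once the user ticks "statistics", and the ad pixel never fires because that category was refused. Bumping `policyVersion` on the next gate makes `needsBanner()` true again, which is the behaviour you want after a material change to the cookie policy.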


Children

If your app is knowingly collecting, using, or disclosing personal information from children under 13, then there are some special guidelines that you are legally required to follow under the vast majority of legislations, including both US and EU law.

US

Children’s Online Privacy Protection Act (COPPA) is a United States federal law which was put in place to better protect the personal data and rights of children under 13 years of age. Under COPPA, operators of websites or online services that are either directed to children under 13 (or which have actual knowledge that they are collecting personal information from children under 13) must give notice to parents and get their verifiable consent before collecting, using, or disclosing such personal information and must keep secure the information they collect from children.

“Verifiable” here means using a method of obtaining consent that is not easily faked by a child and that is demonstrably likely to be given by an adult (e.g. control questions).

A central requirement of this Act is having a COPPA-compliant privacy policy in place.

EU

Under EU GDPR, consent is one of the lawful bases for processing the data of children. If using this basis for processing the data of children under 13, you must get verifiable consent from a parent or guardian unless the service you offer is a preventative or counseling service. You must make reasonable efforts (using available technology) to verify that the person giving consent actually holds parental responsibility for the child. Furthermore, if you target children over the age of 13, you must write clear and age-appropriate privacy notices for them so that they understand what they’re consenting to.

Learn more about legal requirements for apps used by children.

How to make your no code app compliant in minutes

Creating a privacy policy and handling cookie consent for your app without code can be a serious headache. Here's where iubenda's solutions can help: Our Privacy Policy Generator and Cookie Management Solution make complying with multiple laws and app platform requirements easy. Our solutions are affordable, drafted by an international legal team, fully customizable, available in 8 languages, and always up-to-date with the main global legislations like COPPA, the CCPA, the GDPR and others.

Visit iubenda.com/en/mobile to generate your privacy policy and manage cookie consent to meet GDPR, CCPA, ePrivacy and major app stores requirements.