Children's information and sharing it is top of mind for regulators, as we have been telling our clients for a while, and as we saw yesterday in a new CA AG $500,000 settlement with Tilting Point Media LLC (Tilting Point) for #CCPA and #COPPA compliance issues in the mobile app game “SpongeBob: Krusty Cook-Off.”

Practice points:

Directed at children:
🔹 If you are aware that children under 13 are using your services, they are directed to children. Saying in your terms of service and privacy policy that consumers under 13 are not authorized to use it doesn't change this.

Regulator 1, 2, 3:
🔹 CA AG will use every enforcement tool to ensure compliance with the law and that companies exercise diligence with privacy law requirements.
🔹 If one regulator tells you that you are not compliant (here BBB National Programs CARU): assess your compliance with other laws you could be enforced against by another regulator.

Data minimization:
🔹 Don't collect more personal information than reasonably necessary for a child to participate.

Mind your SDKs:
🔹 An SDK facilitates data sharing that can be a sale (CCPA) and/or unfair/deceptive (FTC) and/or subject to COPPA, just like any data sharing.
🔹 You need to know what information each SDK collects; evaluate contracts re: sharing of data through them, making sure you have the right consent.
🔹 You may need a formal SDK governance framework.
🔹 Every year: assess data minimization and SDK usage (ensuring data flows appropriately change based on the consumer's age).
🔹 Every year: conduct adequate training for personnel re sharing and SDKs.

Sale/share:
🔹 Disclose your sale and share correctly in your privacy notice.
🔹 Don't sell/share personal information of under-13s without parental consent.
🔹 When you do sell/share: provide a just-in-time notice explaining what information is collected, the purpose, sale/share, link to privacy policy, & parental or opt-in consent required. [FTC also says this in BetterHelp]

Mixed audience:
🔹 When using an age screen it has to be neutral.
🔹 Neutral means: (1) ask age information in a neutral manner that does not default to a set age of 16 or above or encourage users to falsify age information; (2) not suggest that certain features will not be available; and (3) provide CLEAR AND CONSPICUOUS notice that the age entered should be accurate to the user and is collected to ensure data use and advertising is appropriate.
🔹 If the person is under 13 or 16: direct them to a portion of the service that doesn't use data other than as permitted by COPPA/CCPA, or get parental / opt-in consent.

For ads in your apps, make sure they are:
🔹 Identified as being an ad;
🔹 Include a prominent one-click “X” or “Close” button;
🔹 Do not manipulate or deceive consumers into engaging;
🔹 Do not advertise activities/products in which children cannot legally engage/possess.

#dataprivacy #dataprotection #privacyFOMO
Complaint: https://rb.gy/enu19e
Agreement: https://rb.gy/jq6lke
Legal Compliance for Mobile Apps
Summary
Legal compliance for mobile apps means ensuring your app follows all relevant laws around data privacy, security, and user protection, such as the Children’s Online Privacy Protection Act (COPPA), California Consumer Privacy Act (CCPA), and India’s Digital Personal Data Protection (DPDP) Act. This includes properly collecting, processing, and sharing user data—especially sensitive information like location or data from children—in line with regulations to avoid fines and build user trust.
- Audit your data: Regularly review what personal information your mobile app collects, especially for children and location-based services, and remove anything you don’t need.
- Get clear consent: Always ask users for permission before collecting or sharing data, and make sure your consent language explains how the data may be used by you and any third parties.
- Monitor third parties: Carefully check which vendors or SDKs have access to your app’s data, and set up strong contracts and oversight to make sure they follow the same privacy standards.
"But we’re not a big company!" DPDP fines don’t care.
"It’s just a small app update." That’s how it all starts.
• You collect a bit more data.
• Then a bit more.
Before you know it, you’re storing sensitive information without proper protection. Ignoring user consent. Neglecting security. And you tell yourself - this is what innovation looks like, right? Growth. Data-driven decisions. No limits.
WRONG.
Companies think speed trumps structure - until it doesn’t. The DPDP Act doesn’t bend for innovation excuses. It demands accountability. That "small oversight" isn’t small anymore. Non-compliance can mean fines up to ₹250 crore.
Now, web and app development companies are uniquely impacted by the DPDP Act, because you often serve as the frontline collectors and processors of personal data. And if you’re building something big for your clients, like a digital lending platform, you need structure.
As for the companies: without privacy compliance, your business will crumble. And you’ll have nothing left for the users you’re trying to serve.
But the good thing is that this is entirely preventable. So what I suggest here is:
1) Conduct a data audit every quarter. Identify what you collect and eliminate what’s not important.
2) Implement Privacy by Design. Merge data protection into your development process from day one.
3) Educate your team on the DPDP Act. Make sure everyone understands their role in compliance.
4) Stay updated on legal changes. Assign someone to monitor updates to data protection laws.
5) Put user trust first. Be transparent about data practices and give users control.
The end goal here is to be intentional. It’s to protect your users. Because once their trust is gone, you don’t get it back. And remember, the DPDP Act isn’t here to slow you down - it’s here to make sure you last.
---
👉 TL;DR: Privacy compliance isn’t optional. Follow DPDP regulations now, or risk losing trust - and paying the price later.
Does your organization’s mobile app have location-based services? If so, here are four steps to take based on the FTC’s newest location #privacy enforcement actions. ⬇️

The Federal Trade Commission recently announced resolution of two separate enforcement actions against location data brokers, Gravy Analytics and Mobilewalla, for allegedly obtaining and selling precise location data without opt-in consent. The FTC's decision to issue the complaints and consent decrees was 5-0 and 4-1 respectively, which may preview continued bipartisan interest in location data privacy issues under the new administration.

The proposed consent decrees with Gravy Analytics and Mobilewalla include extensive requirements for robust #compliance programs, including for location data that may reveal additional sensitive characteristics, like a person visiting a medical facility, military building, union office, school, day care, or religious organization. Mobilewalla's decree also has unique requirements prohibiting retention of data received in real-time bidding exchanges (commonly used for #digitaladvertising).

How did they get the location data? Gravy Analytics, a B2B company, allegedly obtained location data from third-party partnerships, including consumer-facing mobile apps that it partnered with. Mobilewalla allegedly obtained location data from real-time bidding exchanges and data aggregators, which upstream likely included data obtained from mobile apps that processed location data.

If your organization has an #ios or #android #mobileapp with location-based features, or that otherwise processes precise geolocation data, these actions suggest some steps to take to help keep customer trust in your organization's data practices and to stay ahead of where enforcement could go in this space. Here are four steps to consider:

1️⃣ Get Consent. Look at the opt-in consent language used in your mobile app, and confirm it covers both your organization's use and any use by third parties your organization shares that data with. The FTC and state privacy laws will require opt-in consent for uses of precise geolocation data.
2️⃣ Identify Sharing. Validate which vendors and third parties geolocation data is being shared with, and for what purposes.
3️⃣ Limit Use. Confirm your organization has binding contractual commitments limiting how vendors and third parties are using and sharing data. If there are none, your organization may be "selling" this sensitive data; state privacy laws will require notice and opt-in or opt-out procedures for sensitive data sales.
4️⃣ Diligence and Monitoring. Review vendor and third-party diligence and monitoring approaches, and consider tailoring them for the data sale considerations these and other actions raise. For example, will the vendors or third parties your organization works with be re-selling the location data your organization shares, and do they have sensitive location compliance programs in place?