As mobile applications come to dominate users’ consumption of digital media, mobile application developers are increasingly focusing on how to keep users coming back for more and how to monetise those users. One of the keys to sustained user engagement with an app is the use of push notifications, which can deliver notification messages to a user even when the app is not open. These notifications can increase usage of an app and present a potential advertising window for an app developer. Such advertising can either promote the developer’s own products and services, or third party products and services.
Before implementing an app push notification strategy it is important to understand the regulation of direct marketing through app push notifications under Directive 2002/58/EC (the “ePrivacy Directive”), as implemented in Ireland by S.I. 336 of 2011 (the “ePrivacy Regulations”). This is because app push notifications fall within the definition of “electronic mail” under the ePrivacy Directive, which is carried through in the ePrivacy Regulations. Electronic mail includes “any text, voice, sound or image message sent over a public communications network which can be stored in the network or in the recipient's terminal equipment until it is collected by the recipient”. This broad definition includes an app push notification, as it is a message containing text, sent over a public communications network, and is stored on a customer’s phone until it is opened, deleted or cleared from the phone’s notification centre. App push notifications, along with other electronic mail, are subject to the rules on unsolicited direct marketing communications in regulation 13 of the ePrivacy Regulations.
The ePrivacy Regulations stipulate that direct marketing may only be sent by electronic mail where the recipient has consented to the receipt of such communications, or where the “soft opt in” procedure is availed of in the context of the purchase of goods or services. In order to gain the necessary consent to send direct marketing via app push notifications, a user must be able to make a fully informed decision. It is therefore unlikely that the consent to receive push notifications that is given through a mobile operating system will be sufficient to gain consent to direct marketing messages. Whilst this would be sufficient to send service messages relating to app functions (eg a notification that a friend has posted a photo to a social network), in order to send direct marketing messages a means of capturing consent would need to be built into the app itself (such as through a user registration process).
In addition to the consent requirements under the ePrivacy Regulations, push notifications are also subject to app store policies. For example, Apple’s App Store Review Guidelines require apps to seek the consent of users to receive push notifications and prohibit the use of push notifications to send advertising, promotions or direct marketing of any kind. It is therefore important to ensure that your app push notification strategy doesn’t inadvertently lead to your app being removed from an app store.
Whilst we are not aware of any criminal prosecutions in connection with the use of app push notifications in Ireland to date, we suspect that it is only a matter of time, particularly in light of the increasing focus of regulatory authorities, including the Irish Data Protection Commissioner, on mobile apps. It is therefore important to ensure that compliance with the restrictions on direct marketing in the ePrivacy Regulations, and applicable app store policies, forms an integral part of any push notification strategy.