Following recent controversy over In-App Purchases (IAPs) and the publication of an opinion by European data protection supervisors, app developers have come under increased scrutiny in terms of how their products operate.

Apple recently proposed a settlement for parents whose children had inadvertently incurred sizeable bills while using games and other apps, owing to a default setting on iOS devices. The problems arose where parents were entering their passwords in order to download apps for their children. Once downloaded, the parents would hand their phone or tablet to their children to allow them to play the new game. The default setting allowed for a 15-minute window during which a password did not have to be re-entered in order to make purchases, and so the children were able to make these IAPs. The apps at issue were free to download and had built-in IAPs that would prompt the purchase of add-ons and upgrades within the game. An app which offered $99 for a barrel of ‘Smurfberries’, the virtual currency of a game popular with young children, has come under particular criticism for its use of IAPs. Under the proposed settlement, which will only apply in the US, if it can be shown that a minor made such an IAP, iTunes store credit can be recovered for purchases up to $30 and cash refunded for purchases over $30.

Coincidentally, the Article 29 Working Party (the organisation responsible for promoting data protection throughout the EU) recently published an opinion in which it addressed data processing standards within apps. The opinion is aimed at all stakeholders in the app development supply chain and identifies some key data processing points in relation to apps:

  1. Transparency: Information relating to any processing of data that occurs as a result of use of the app should be clearly provided both before and after downloading the app. Such information should include items such as the identity of the data controller, the precise purpose of the processing and whether there will be any disclosure to third parties.
  2. Consent: A distinction is made between consenting to downloading the app and consenting to the processing of data as a result of downloading the app. An approach of ‘granular consent’ is suggested, whereby consent is obtained for each specific element of the data processing.
  3. Security: App developers are reminded of their obligation to ensure that appropriate technological and organisational security measures are in place in order to properly protect any data which may be collected.

In addition to these guidance points, app developers should also be aware of ‘purpose limitation’ (i.e. data should only be collected for one or more specified and limited purposes) and ‘data minimisation’ (i.e. any data collected should be relevant to the specified purposes and not excessive).

As apps become an increasingly intrinsic part of our everyday lives, these two developments illustrate that high standards are expected of those who develop and market apps. With the growing ability to collect and process vast amounts of data as a direct result of the increased use of apps, an understanding of how to ensure data protection compliance is critical for app developers so that costly mistakes and negative publicity causing reputational damage can be avoided.