The German Data Protection Authority has published guidelines for developers of mobile games and apps. For the first time, the German regulators are indicating how data privacy legislation should be interpreted with regard to mobile and tablet games and other apps. Before drafting the guidelines, the German DPA conducted “apps sweeps days” in which it reviewed some 60 international mobile apps. The review uncovered “considerable grievances” about the lack of clarity as to what data was being collected by the apps, why it was being collected, and whether it was being shared. To address these concerns, the DPA stated in the guidelines that app developers should ensure that personal information is only collected if it is absolutely necessary for the performance of the app, and that apps have app-specific privacy policies that tell users exactly the type and scope of information that will be collected and shared. Stricter rules apply with regard to the collection of health, financial, location, and other sensitive personal information. The guidelines also address jurisdictional applicability, clarifying that the laws apply not only to businesses based in Germany, but also to any collection of personal information within Germany controlled by an entity outside of the EU. Violations of German privacy laws can carry fines of up to €300,000.
Tip: If you are thinking about launching an app that will be sold in German mobile app stores, be sure to read and understand how these guidelines might apply to you. The guidelines are also a helpful reminder that privacy authorities around the globe (including in the US) are looking at how their local privacy laws apply in a mobile environment.