Recently, app store providers have become increasingly active in imposing and enforcing privacy requirements for developers. For example, both Apple and Google have threatened removal of apps from their respective app stores based on the collection of in-app user activity and crash logs for analytics purposes in violation of the platform rules. These examples demonstrate that developers should consider not only legal requirements, but also platform rules, before publishing a mobile app.
Earlier this year, Apple contacted several developers whose mobile apps incorporated a third-party analytics tool that took screenshots of the app while in use and recorded users’ taps and swipes within the app. When the analytics tool was not properly configured, it could also capture users’ textual input into the app, including data such as payment card details. Apple explained that use of the third-party analytics code ran afoul of its App Store Review Guidelines, which state:
“Apps must request explicit user consent and provide a clear visual indication when recording, logging, or otherwise making a record of user activity. This includes any use of the device camera, microphone, or other user inputs.”
Apple explained that the app would be removed from the App Store if the third-party code was not promptly removed.
Google, too, has taken similar steps regarding the collection of analytics data. Last year, Google contacted developers whose mobile apps automatically sent crash reports to the developer, stating that the crash reports contained sensitive user data. Google’s policies require that in cases where “users may not expect that their personal or sensitive user data will be required to provide or improve the features of your app,” the app “must provide an in-app disclosure of your data collection and use” that includes a “request for user consent.” Under Google’s policies, a reference in the app privacy policy, without more, would not be sufficient.
These enforcement positions may catch some developers by surprise. For instance, some developers may assume that the device operating system will cause a permission request screen to appear where it is required. As the two cases cited above demonstrate, this is not always the case. Compounding the problem, some developers may find it difficult to determine precisely what code in their app triggers the alleged policy violation. In many cases, a third-party software development kit (SDK) may contain the code that triggered the violation, and some developers may find it difficult to debug these issues.
Our Take:
These recent actions by app store providers demonstrate several important points:
- App stores are becoming an important force in the privacy enforcement landscape. Although app stores cannot impose monetary penalties like a regulator, their ability to remove an app from their store is at least as powerful a tool to ensure compliance.
- Developers must take into account platform requirements when developing and publishing their apps, in addition to applicable law. In some cases, platform requirements may exceed legal requirements.
- Developers should not assume that the device operating system will prompt user consent in all scenarios where the platform rules would require it. This is because the consent requirements depend on context – e.g., under Google’s policies, consent may not be required for data collection that is related to the app’s core functionality, but would be required where it might not be apparent to the user that the data is being collected.
App developers should therefore periodically review both their privacy policies and app user flows to confirm that appropriate disclosures are being made – and consents being obtained – regarding the app’s data collection, use, and sharing. Developers should also consider the data practices of third-party SDK providers, which can likewise trigger app store scrutiny.