For better or worse, in modern society more and more of social and business interaction is conducted through our cell phones. While we may cringe when looking at data about how many times we pick up and look at our phones each day, or how much time we spend on social media, as business people and legal professionals it is important to recognize how this digital interface drives business and the legal challenges it presents.
Mobile applications are and seem destined to remain one of the central ways business is conducted. Companies developing an app for their business would be wise to consider the legal issues involved at every step of the app development process.
Legal Issues & App Development
Confidentiality Agreements – The first step in the mobile application development process usually involves retention of a software house to develop the mobile app. Development of the app inherently involves the use of confidential and proprietary business data of the company which can range from customer lists, to design technology to perhaps the product idea itself. Accordingly, the business ought to enter into a Non-Disclosure Agreement ( NDA) to protect its information. This NDA should include all information concerning the business: financial data, know-how, show-how, operating, marketing, or trade data. Additionally, the definition should include information concerning the product: ideas, solutions, operating methods, functionalities, and elements of the app’s architecture. Consider also, the obligations of the software house. They should include, among others, maintaining the confidentiality of all obtained confidential information, as well as an obligation according to which the other party will disclose information to its staff only if it is necessary and that it will obligate the staff to also maintain the secrecy of this information. As with any contract, for the NDA, choice of law provisions and enforcement clauses will also require close consideration.
Intellectual Property- Retention of a software house for app development also involves issues of intellectual property. Intellectual property (IP) relates to all work that is original and created during the mobile app development process. During the app development process, the business will be creating legal app ideas, original content, designs, logo, app names, source code, etc. All these original elements are considered IP and belong to the business. The company needs to register them as trademarks, copyright, or patents to protect the app idea.
In order for a EULA, or any terms and conditions to be effective, the user of the app needs to consent to these terms. The most effective way to get user consent is use of “clickwrap agreements’’. Developers disclose them before the app is downloaded. The EULA is presented to the user, requiring them to state that they have read it and then agree to its terms by clicking on the “I Accept” button.
App Store Requirements- Once the app is ready, the next step is distribution of mobile apps through app stores. The app must comply with all app publishing requirements arising from the guidelines of Google and the guidelines of Apple. The developing business must also check government regulations for apps before distributing them. The terms and policies put emphasis on personal data protection and address IP issues concerning the app. These platforms also reserve the right to modify their legal terms or add new clauses when necessary. The app must comply with changes or else it will result in legal action or removal from the app store.
Privacy Laws and Mobile Applications
FTC Regulations: For App Developers that intend to do business in the U.S., which will be most of them, The Federal Trade Commission has broad authority to regulate and enforce privacy under Section 5 of the Federal Trade Commission Act (FTC Act), which prohibits unfair or deceptive acts or practices in commerce. The FTC has issued various guidance documents addressing privacy and data security issues in the mobile app context. Notable for App Developers, the FTC recommends that mobile applications that collect personal information from users
- Provide just-in-time disclosures and obtain affirmative express consent before collecting and sharing sensitive information such as geolocation, financial, health, or children’s data (to the extent platforms have not already provided such disclosures and obtained such consent).
- Coordinate and communicate with ad networks and other third parties (such as analytics companies) that provide services for apps so that accurate disclosures can be made to consumers.
- Participate in self-regulatory programs, trade associations, and industry organizations, which can provide guidance on how to make uniform, short-form privacy disclosures.
Additional information on FTC guidance is available at https://www.ftc.gov/reports/protecting-consumer-privacy-era-rapid-change-recommendations-businesses-policymakers
Children’s Online Privacy Protection Act COPPA. The Children’s Online Privacy Protection Act (COPPA)46 regulates the collection and use of personally identifiable information (PII) of children under the age of 13. The FTC is the primary agency that enforces COPPA and has issued implementing regulations, known as the COPPA Rule. The FTC has confirmed that the language of COPPA is broad enough to apply to mobile apps. Specifically, the agency has held that it views mobile apps as “online services” covered by COPPA because they “send and/or receive information over the Internet.” The FTC has also issued guidance on privacy disclosures in kids’ mobile apps.
HIPPA – A mobile app is subject to HIPAA if: The owner or operator of the app is a covered entity or business associate. The app collects and/or stores protected health information (PHI). Covered entities are health care providers that conduct certain electronic transactions, health plans, and health care clearinghouses. Business associates are persons or entities that perform certain functions, activities, or services for or on behalf of a covered entity that involve the creation, receipt, maintenance, or transmission of PHI (such as claims processing, billing, and data analysis). If the mobile application collects or transmits individually identifiable health information in any form it is vital that HIPPA compliance be ensured.
Other Federal Laws that Mobile App Developers, should consider depending on the sector of the application include: Gramm-Leach-Bliley Act (GLBA)—financial products or services, Fair Credit Reporting Act (FCRA)—consumer credit reports, Video Privacy Protection Act (VPPA)—videotape service providers (including providers of online video streaming)
California isn’t the only entrant into this space. Illinois has enacted its own privacy law, the Biometric Information Privacy Act (BIPA) which currently is one of the toughest laws in the U.S. concerning the protection of biometric data. Under BIPA, any company doing business in Illinois or providing a service to Illinois residents that involves the collection of biometric data, must, obtain informed consent, may only disclose the data under limited circumstances, must adhere to retention and protection guidelines, and may not profit from the data. And under BIPA, biometric data is not limited to that collected by health or fitness apps. Courts have held that under BIPA, biometrics also includes, face, hand, retina or ear features. Similarly protected are behavioral characteristics including gestures, voice, typing rhythm, and gait. As such, any application using face ID or fingerprint for app. security would qualify. Any timekeeping or HR application would qualify. Of course any health and fitness application would qualify. BIPA contains a private right of action and a statutory damage of at least $1,000 for each violation.
Other states with their own privacy laws include Colorado, Utah, Virginia and Connecticut. Each of these statutes contain their own provisions regarding rights to access data, delete data, correct data and opt out of data collection.
Enforcement Actions– Failure to adhere to relevant privacy laws can lead to enforcement actions. Consider for example Snapchat, Inc. (photo messaging app—deceptive representations about the disappearing nature of messages sent through the app, the amount of personal data collected, the collection of geolocation information, and security measures); and Goldenshores Techs., Inc. (flashlight app—failed to adequately disclose that precise geolocation and persistent device identifiers were transmitted to various third parties, including advertising networks, when users ran the app, and misrepresented how much control users had over the collection and use of their data).
Security failures or misrepresentations about the security available to users of the app. also has led to enforcement actions. Consider for example, Fandango, Inc. (movie ticketing app—deceptive representations about security when, among other things, the developer overrode default SSL certificate validation settings without implementing other security measures).
National Telecommunications & Information Administration (NTIA). NTIA is an agency of the U.S. Department of Commerce that serves as the President’s principal adviser on telecommunications and information policy. It developed a voluntary code of conduct. The FTC has indicated that, for purposes of enforcement actions, it will look favorably on companies that adhere to NTIA’s code of conduct.