The introduction of data privacy laws emanating from the EU and California can have a large impact on how businesses manage their users’ personal data, and these laws apply to web apps as well. If you store a user’s personally identifiable information without explicitly getting their consent, you have essentially violated the General Data Protection Regulation (GDPR). If you use it for reasons not explicitly outlined in your consent dialogue, you have again violated GDPR. If you don’t give them a way to revoke their consent and purge any data you hold on them, you have violated GDPR yet again.
GDPR is crucial and shapes data and privacy law across the European Union. It applies to mobile and web applications which collect and process personal data of EU citizens, regardless of whether the app is operated from outside the EU. Under GDPR, organisations which perform any transactions in the EU, including through mobile apps, need to comply with its data privacy rules, and failure to comply with this legislation could result in costly fines.
A similar mandate exists in California. If your company/app has an annual revenue of $25 million or more, its mobile platform receives personal information from at least 50,000 California residents, or 50% of your revenue comes from selling Californians’ personal information, your company is subject to the California Consumer Privacy Act (CCPA) regardless of where it is located. Under the new regulations, users have the right to know what data is being collected and where it is going. Users also get the ability to opt out of having their data sold and can ask for the data to be deleted.
App Developers Need To Be Very Careful About Data Collection/Consent
Now, if you were to develop a web app, it would likely store user data in a database of some kind. If you are storing customer data from the EU, GDPR still applies even though you may not be a licensed company. So, holding private customer data from Europe requires you to make sure that you are GDPR-compliant, to keep yourself out of any legal issues surrounding how data should be stored, ported and utilised.
If part of your business activities involves selling user data, selling access to user data, or providing services whose core functionality involves actions on user data you hold, then you need to audit those activities for compliance. The basic tenets of privacy laws like GDPR and the CCPA include the following norms, which must be followed:
- People have the right to refuse personal data collection
- App and site users must have access to their own information
- Only necessary and relevant data is collected
- Data should only exist for a limited time of use or processing
- Individuals may request and receive data deletion at any time
- All security breaches must be disclosed immediately, otherwise fines for violating GDPR are quite hefty. The total amount of GDPR fines to date has been more than $150,000,000!
Developers need to be very transparent about the ways in which they collect and use data, be more considerate of their users, and be more thorough in their development and documentation processes. The app should give users a breakdown of the data it uses, including personal data, along with specific examples of what types of data the application uses. If users deny consent, you explicitly have to set up extra options that tell your app not to use/store the advertising ID. IP addresses are also considered PII and are covered under GDPR, which can potentially cause trouble with Google Analytics if you set things up the wrong way.
You must not use data for purposes that the user has not consented to. In particular, using personal data of any kind for purposes that are not compatible with the purposes you informed your customers of when collecting the data (stated in the privacy notice on your web site) is a major violation.
You Have To Be Privacy Law Compliant
GDPR can be very risky for web app developers whose apps are used in certain geographies. It can be very challenging to implement all these changes, none of which seem trivial or even practical for your website, especially for small projects with a single developer. If you cannot hire a lawyer who specialises in data privacy, you have to be very careful and do your research when handling it on your own.
Whatever programming language you work in, whatever role you have or product you create, GDPR requires you to be more methodical and transparent about how you do things as an app developer/owner.
The easiest way to comply is to only keep data for a short amount of time. The GDPR introduces a right for individuals to have personal data erased, also called ‘the right to be forgotten’. GDPR specifies the timeframe: you need to comply within 30 days of a user asking to delete their data.
If you set all your data to expire automatically a set number of days after it is created, you don’t have to worry about people asking to delete their data. One of the easiest things that developers/technology teams are doing is simply blocking users from the EU, the reasoning being that if you have no business presence in the EU and are not targeting its users in any way, GDPR does not apply. But that won’t work where similar regulations are enforced around the globe, including in India.
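The two mechanisms just described, a retention period after which data expires on its own and a deletion request that must be honoured within 30 days, fit together in a small amount of code. The following is an added example written for this article, not code from the original page; the data categories, their retention periods and the sample records are constructed, and a real deployment would run the purge as a scheduled job against a database table indexed on the creation timestamp.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List

# Retention period per data category, in days. Constructed example values;
# derive yours from the purposes stated in your privacy notice.
RETENTION_DAYS = {
    "analytics_event": 30,   # page views, feature usage
    "auth_ip_log": 90,       # IP addresses logged for authentication controls
    "support_ticket": 365,   # correspondence the user may still need
}

# The 30-day window the article gives for honouring a deletion request.
ERASURE_DEADLINE_DAYS = 30


@dataclass
class Record:
    user_id: str
    category: str
    payload: dict
    created_at: datetime  # timezone-aware UTC


@dataclass
class DataStore:
    """Toy in-memory store standing in for a database table."""
    records: List[Record] = field(default_factory=list)
    # user_id -> when the user asked to be forgotten
    erasure_requests: Dict[str, datetime] = field(default_factory=dict)

    def add(self, user_id: str, category: str, payload: dict, now: datetime) -> None:
        # Refuse anything without a retention period: data with no defined
        # lifetime is exactly what "only keep data for a short time" rules out.
        if category not in RETENTION_DAYS:
            raise ValueError(f"no retention period defined for {category!r}")
        self.records.append(Record(user_id, category, payload, now))

    def purge_expired(self, now: datetime) -> int:
        """Drop every record older than its category's retention period.
        Returns how many records were removed."""
        kept = [r for r in self.records
                if now - r.created_at <= timedelta(days=RETENTION_DAYS[r.category])]
        dropped = len(self.records) - len(kept)
        self.records = kept
        return dropped

    def request_erasure(self, user_id: str, now: datetime) -> datetime:
        """Log a right-to-be-forgotten request; returns the deadline for acting on it."""
        self.erasure_requests[user_id] = now
        return now + timedelta(days=ERASURE_DEADLINE_DAYS)

    def erase_user(self, user_id: str) -> int:
        """Delete everything held about the user, across all categories."""
        before = len(self.records)
        self.records = [r for r in self.records if r.user_id != user_id]
        self.erasure_requests.pop(user_id, None)
        return before - len(self.records)

    def overdue_erasures(self, now: datetime) -> List[str]:
        """Requests that passed the deadline without erase_user being run."""
        return [uid for uid, asked in self.erasure_requests.items()
                if now - asked > timedelta(days=ERASURE_DEADLINE_DAYS)]


def demo() -> dict:
    """Walk through expiry, an erasure request and its deadline; returns the outcomes."""
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    store = DataStore()
    store.add("u1", "analytics_event", {"page": "/pricing"}, t0)
    store.add("u1", "auth_ip_log", {"ip": "203.0.113.5"}, t0)   # constructed IP
    store.add("u2", "support_ticket", {"text": "invoice question"}, t0)
    day31 = t0 + timedelta(days=31)
    purged = store.purge_expired(day31)            # only the 30-day analytics row
    deadline = store.request_erasure("u1", day31)
    overdue_before = store.overdue_erasures(day31 + timedelta(days=29))
    overdue_after = store.overdue_erasures(day31 + timedelta(days=31))
    erased = store.erase_user("u1")
    return {
        "purged": purged,
        "deadline_days_after_request": (deadline - day31).days,
        "overdue_before_deadline": overdue_before,
        "overdue_after_deadline": overdue_after,
        "erased": erased,
        "remaining_users": sorted({r.user_id for r in store.records}),
        "still_overdue": store.overdue_erasures(day31 + timedelta(days=31)),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The `overdue_erasures` check is the piece most teams forget: a deletion request that was logged but never executed is still a violation, so something should alert before the 30 days run out.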
Protection Of The App Also Becomes Very Important To Prevent Data Breaches
Also, for security and preventing breaches, if an application needs to store personal information, the data should be protected with adequate, strong cryptographic algorithms: encryption for data that must be read back, and hashing for data such as passwords that only ever needs to be verified. In many data breach incidents, all personal data was saved in plain text, which had bad consequences for the users.
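To make the contrast with plain-text storage concrete, here is an added example (written for this article, not from the original page) using only the Python standard library: passwords are stored as salted PBKDF2 hashes and verified in constant time, and IP addresses, which the article notes are PII, are stored as keyed pseudonyms rather than raw values. The key, the iteration count and the sample user are constructed placeholders; fields that must be read back, such as the e-mail address, belong under authenticated encryption at rest with a vetted library, which this stdlib-only example does not cover.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed placeholder key for the example. In production, load it from a
# secrets manager or KMS; never commit it to source control.
PSEUDONYM_KEY = bytes.fromhex("11" * 32)

PBKDF2_ITERATIONS = 600_000  # OWASP's current guidance for PBKDF2-HMAC-SHA256


def pseudonymize(value: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Keyed hash (HMAC-SHA256) of an identifier such as an IP address.
    The same input always maps to the same token, so you can still count users
    or correlate log lines, but someone who steals the table cannot confirm
    guesses without the key (an unkeyed hash of an IPv4 address falls to
    2^32 trial hashes)."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """Salted, deliberately slow password hash, stored as one self-describing
    string so the parameters can be raised later without breaking accounts."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    try:
        algorithm, iterations, salt_hex, dk_hex = stored.split("$")
    except ValueError:
        return False
    if algorithm != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(dk_hex))


def build_user_row(email: str, password: str, last_login_ip: str) -> dict:
    """What actually gets written: no plaintext password, and the IP only as a
    keyed pseudonym. The e-mail stays readable because the user logs in with it
    and uses it to exercise access/deletion rights; encrypt it at rest."""
    return {
        "email": email,
        "password_hash": hash_password(password),
        "last_login_ip_token": pseudonymize(last_login_ip),
    }


if __name__ == "__main__":
    row = build_user_row("user@example.com", "correct horse battery staple",
                         "203.0.113.5")  # constructed sample user
    print(row)
    print("login ok:", verify_password("correct horse battery staple", row["password_hash"]))
```

Because the hash string records its own iteration count, a breach of the table reveals nothing usable directly, and the cost factor can be raised on the next login of each user without a migration.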
Many companies do not use HTTPS for their websites because they do not consider it necessary, but this is not in compliance with data privacy and protection mandates. The reasoning goes that if the application does not need any form of authentication, HTTPS might not seem needed; but if the application collects personal information, then without transport encryption that information is sent in clear text and exposed on the network. Developers should also make sure that the TLS (SSL) certificate has been correctly deployed and that the server is not exposed to vulnerabilities linked to older SSL/TLS protocol versions.
Users must have precise visibility into the application’s use of cookies. They must be informed that the application sets cookies, and the application should give users the opportunity to accept or deny them. Make sure sessions and cookies expire and are destroyed after logout. Developers should also automatically delete data that they no longer require, such as old logs, contact details of customers long gone, old backups, etc.
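The HTTPS point above and the requirement that sessions and cookies expire and are destroyed after logout can be enforced in one place: the server-side session table and the response headers. The following is an added example for this article, not code from the original page, using the standard library's `http.cookies`. The session lifetime, cookie name and HSTS max-age are constructed values; the session id is random and held only server-side, so expiry and logout do not depend on what the browser does with the cookie.

```python
import secrets
from datetime import datetime, timedelta, timezone
from http.cookies import SimpleCookie
from typing import Dict, Optional, Tuple

SESSION_TTL = timedelta(minutes=30)   # constructed value; tune to your risk level
COOKIE_NAME = "session"

# Sent on every HTTPS response so browsers refuse plain HTTP for the site
# afterwards (HSTS). Constructed max-age of one year.
SECURITY_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
}


class SessionStore:
    """Server-side session table. The browser only holds a random id, so
    expiry and logout are enforced here rather than trusted to the client."""

    def __init__(self) -> None:
        self._sessions: Dict[str, Tuple[str, datetime]] = {}

    def create(self, user_id: str, now: datetime) -> str:
        session_id = secrets.token_urlsafe(32)  # 256 bits from the CSPRNG
        self._sessions[session_id] = (user_id, now + SESSION_TTL)
        return session_id

    def lookup(self, session_id: str, now: datetime) -> Optional[str]:
        entry = self._sessions.get(session_id)
        if entry is None:
            return None
        user_id, expires_at = entry
        if now >= expires_at:
            del self._sessions[session_id]  # expired: purge it as we find it
            return None
        return user_id

    def destroy(self, session_id: str) -> bool:
        """Logout: forget the session server-side, whatever the browser does."""
        return self._sessions.pop(session_id, None) is not None


def _session_cookie(value: str, max_age_seconds: int) -> str:
    cookie = SimpleCookie()
    cookie[COOKIE_NAME] = value
    morsel = cookie[COOKIE_NAME]
    morsel["secure"] = True      # only ever sent over HTTPS
    morsel["httponly"] = True    # not readable from page scripts
    morsel["samesite"] = "Lax"   # not attached to most cross-site requests
    morsel["path"] = "/"
    morsel["max-age"] = max_age_seconds
    return morsel.OutputString()


def login_response_headers(session_id: str) -> Dict[str, str]:
    headers = dict(SECURITY_HEADERS)
    headers["Set-Cookie"] = _session_cookie(session_id, int(SESSION_TTL.total_seconds()))
    return headers


def logout_response_headers() -> Dict[str, str]:
    # Max-Age=0 tells the browser to delete the cookie immediately; the
    # server-side destroy() is what actually ends the session.
    headers = dict(SECURITY_HEADERS)
    headers["Set-Cookie"] = _session_cookie("", 0)
    return headers


def demo() -> dict:
    """Exercise expiry and logout against the store; returns the outcomes."""
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    store = SessionStore()
    alice = store.create("alice", t0)
    bob = store.create("bob", t0)
    results = {
        "alice_at_10min": store.lookup(alice, t0 + timedelta(minutes=10)),
        "alice_at_31min": store.lookup(alice, t0 + timedelta(minutes=31)),
    }
    results["bob_logout"] = store.destroy(bob)
    results["bob_after_logout"] = store.lookup(bob, t0)
    results["bob_logout_twice"] = store.destroy(bob)
    return results


if __name__ == "__main__":
    print(demo())
    print(login_response_headers("example-session-id"))
    print(logout_response_headers())
```

`Secure`, `HttpOnly` and `SameSite` are set on every session cookie, and the same `Max-Age` the server enforces is handed to the browser so the two expire together; a consent banner for non-essential cookies would sit alongside this, not replace it.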
Many applications use IP addresses as a metric to control authentication, and apps log this data in case someone tries to bypass authentication controls. Users should be informed about this, as well as how long the logs will be stored in the system.