The Key Legal Considerations in Mobile App Development

12.07.2021 | 8 min read


This post has been thoroughly checked by legal professionals, including Tomasz Palak.

You have a solid business idea and value proposition for a mobile app. You’ve done your research into your target audience and selected your software house. Perhaps you’ve even created an MVP and done some usability testing? Great news. Now it’s just a case of getting your app developed and released into the world, right? Let’s get started!

But wait… are you actually ready for your app to be used by the masses?

  • Have you taken the time to draw up an Independent Contractor agreement with your chosen development provider?
  • Have you considered your own intellectual property rights?
  • If you’re collecting customer data, have you thought about GDPR issues?
  • Do you have a Privacy Policy?

There are a number of legal considerations that you should be mindful of in the process of developing your app.

In this whitepaper, we give you a rundown of what you should do to make sure you’re compliant. That way, you can get on with the more exciting part of developing your app and getting it to the right people.

1. Intellectual property rights

When you’re developing a new mobile product, you should think about both protecting your own property rights and ensuring that you’re not infringing on those of other product owners. That’s why it’s important to take legal advice on your IP position early on.

Creating a new mobile app gives rise to a potential new set of rights:

  • The original code, content and imagery within your app may qualify for copyright protection. This will vary by country. If you’re based in the States, you can take a look at US copyright law here. If you want to read more about EU copyright law, here’s the lowdown. If you’re based in another country, be sure to check the regulations where you are. Copyright is an attribute of the author from the moment the work is created and does not require any additional formal steps (unlike a trademark or patent).
  • The source code of your app may be protected as a trade secret. If you want to check the instances in which this is the case, this resource from Thomson Reuters can help.
  • The processes within your app may qualify for a patent. Here is an overview of the US law relating to patents, and here is the equivalent information for EU member states.

At the beginning of the development process, it is important that you take the time to define, secure and protect your IP rights. You can do this by drawing up IP rights assignment agreements with your internal employees and any contractors involved in the project.

In the case where your mobile app involves using an IP owned by someone else, you should evaluate whether a license is needed for your proposed use, and ensure that you secure all the necessary permissions.

2. Non-disclosure agreements (NDAs)

Nobody wants their business idea to be stolen by the competition. So in order to protect yours, you should make sure that you have a confidentiality agreement ready for your chosen software developer to sign. At 10Clouds, we always encourage our clients to sign an NDA before proceeding with the development process.

But what should such a document include?

The Scope of Confidentiality

  • The agreement that confidential information must be kept secret and cannot be leaked to any third parties. It may also mean that only certain employees on the side of the software developer have access to the confidential information. All employees and contractors must be briefed on what they are and aren’t allowed to say about the project externally and what should be perceived as confidential information.
  • The software developer cannot use the confidential information themselves.

Note that it is always a good idea to specify precisely which elements of your app are covered by the NDA agreement. This should include but not be limited to: app name, code, graphics, content, client data, processes, marketing and sales materials. Confidential materials can also be labelled as such so that every person using them is aware of the confidentiality obligation.

Exclusions from Confidentiality

There are certain exclusions from confidentiality. These typically include:

  • Publicly accessible information
  • Information already known by the software house
  • Information independently generated by the software house

Obligations of the parties

This section covers the software house’s obligation to maintain the confidentiality of the shared information. The restrictions might include:

  • Using the information only for the purposes specified in the agreement
  • Sharing the confidential information only with the people who need to know it
  • Taking the necessary steps to keep this information secret

3. Independent contractor agreements

Separate to an NDA, you should also have an independent contractor agreement. This specifies the details of how your cooperation will work, and should include any relevant information about the process of work (e.g. using Agile Methodology) as well as how the team will be structured, what time zones you will be working in, what tools and technologies will be used in development and when each phase of the work will be delivered.

The clauses that an Independent contractor agreement should feature:

Services - Listing all of the services that the software house is expected to provide as part of this agreement and the outputs that will be expected from their work.

Compensation - The amount that has been agreed in full for the software house’s services. The manner in which invoices will be issued and paid, and how taxation will be handled.

Term and termination - Your contractor agreement should clearly state how long the contract is expected to last. You may also want to include a clause relating to an early termination from either party and clearly outlining how the handover should be managed in these instances.

Ownership - This should relate to the copyright act, as outlined above.

Rights applications - This reflects your obligation as the app owner to file applications for copyright, trademark, patent and other protections related to their work.

Force majeure (a.k.a. Unforeseeable circumstances) - One of the main things that Covid-19 has taught us is that life doesn’t always go to plan. The same is true of software development. Sometimes, there are circumstances beyond a software house’s control which prevent a certain element of the project from being delivered on time. Remember to include a mutually-binding clause relating to force majeure in your contract.

4. Privacy and data protection

Privacy is a key legal consideration that is critical in digital product development, wherever you are in the world. We always advise that you think about this from the very beginning of the app development process. Below, we outline the requirements of GDPR, which is applicable to all digital product owners who will be handling the data of users in the European Union. If you’re based in the States, you’ll be bound by the Children’s Online Privacy Protection Act, which we also cover below.

You should also be mindful of the data protection requirements based on the sector that you’re in - e.g. if you’re handling medical data, there will be additional requirements that you have to fulfil. If in doubt about the specific laws that you will be governed by, it’s always a good idea to get a lawyer involved.

General Data Protection Regulation (EU) (GDPR)

GDPR is a set of rules designed to give EU citizens more control over their personal data. It aims to simplify the regulatory environment for business so both citizens and businesses in the European Union can fully benefit from the digital economy.

According to the official GDPR website for the EU:

GDPR is the toughest privacy and security law in the world. Though it was drafted and passed by the European Union (EU), it imposes obligations onto organizations anywhere, so long as they target or collect data related to people in the EU. The regulation was put into effect on May 25, 2018. The GDPR will levy harsh fines against those who violate its privacy and security standards, with penalties reaching into the tens of millions of euros.

So what should you do to be GDPR compliant?

In a nutshell, there are several measures that you should take to be GDPR compliant:

  • Have an updated privacy policy: A privacy policy is a key requirement for mobile apps. The Apple App Store requires all mobile apps to have a valid privacy policy and follow applicable laws and regulations, while Google Play states that you must add a privacy policy if your target audience includes children under 13. Your privacy policy should outline how you handle user data and should be easily found on your website or app when it launches.
  • Have a cookie consent banner: This lets users know what cookies you have on your website and how they can opt out of them.
  • Make sure that you’re complying with the 72-hour data breach notification: This means that any data breach must be reported within 72 hours. You might consider appointing a specific staff member to this role.
  • Make sure that your marketing practices comply with regulations: This is perhaps more of a point for the future. But when you do launch your app, collecting a user’s email address doesn’t give you automatic permission to email them with special offers and marketing materials. You’ll usually need to abide by the ‘double opt in’ rule before you’re able to reach out to users.

Children’s Online Privacy Protection Act (US) (COPPA)

According to the Federal Trade Commission:

COPPA imposes certain requirements on operators of websites or online services directed to children under 13 years of age, and on operators of other websites or online services that have actual knowledge that they are collecting personal information online from a child under 13 years of age.

Under COPPA, you’re collecting information if you:

  • request, prompt, or encourage the submission of information, even if it’s optional;
  • let information be made publicly available (for example, with an open chat or posting function) unless you take reasonable measures to delete all or virtually all personal information before postings are public and delete all information from your records; or
  • passively track a child online.

So what should you do to be COPPA compliant?

In a nutshell, ensure that your privacy policy reflects COPPA regulations and that you’re strictly abiding by the FTC’s COPPA Rule. It must clearly and comprehensively describe how personal information collected online from kids under 13 is handled.

You might also consider getting an official COPPA certification (in the form of a stamp), which will give parents an at-a-glance view of the fact that you’re compliant.

Finally, if your target audience is children, you could consider getting parents’ verifiable consent before collecting personal data on their children, in the form of a required government-issued ID and facial recognition technology.

Checklist for protecting user data from a technical perspective

Here are some practical tips for how you can manage the development and functionality of your digital product in a way that complies with the above regulations:

  • Acquire active, informed consent from your users before collecting or processing their personal information.
  • Make sure that your privacy policy is up to date, and that it gives users clear guidance on how you will use their data.
  • Collect only the data you need for your app to run. The greater the amount of data you collect, the more difficult it is to comply with data regulations, and the larger the barrier to entry for your users.
  • Ensure that access to data is limited to only the people authorised to view it and process it.
  • Before beginning the development of your app, it’s worth thinking about how you’ll put in place the mechanisms for data deletion at the customer’s request and / or anonymization (particularly if user-related data is needed for stats or testing).
  • You should also think about where all your data is stored - i.e. if you are on AWS and you are planning to process the data of European customers, then you should choose a storage location in the EU (all suppliers have this option).
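As an added example (not code from the original post or from 10Clouds), the Python below sketches a backend-side user store that applies the checklist items above: no record is stored without active processing consent, only the fields the app needs are kept, reads are limited by role, deletion on request removes the identified record, marketing email goes only to users with a separate marketing consent, and data kept for stats or testing is exported either pseudonymised or as aggregate counts. All class, function and role names are hypothetical, and the sample users are constructed.

```python
"""Hypothetical user store applying the data-protection checklist (added example)."""
import hashlib
import hmac
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class UserRecord:
    """Only the fields the app actually needs (data minimisation)."""
    user_id: str
    email: str
    birth_year: int
    consent_processing: bool  # informed consent to store and process the data
    consent_marketing: bool   # separate, double-opt-in consent for marketing email


class ConsentError(PermissionError):
    pass


class AccessDenied(PermissionError):
    pass


# Least privilege: which fields each role may read from identified records.
# Analysts get no direct access; they work from the exports further down.
FIELD_ACCESS = {
    "support": {"user_id", "email"},
    "analyst": set(),
}


def age_band(birth_year: int, current_year: int) -> str:
    """Generalise an exact birth year into a coarse band for statistics."""
    age = current_year - birth_year
    if age < 18:
        return "under-18"
    low = (age // 10) * 10
    return f"{low}-{low + 9}"


class UserStore:
    def __init__(self, pseudonym_key: bytes):
        self._records: Dict[str, UserRecord] = {}
        self._key = pseudonym_key   # kept out of the analytics/test environment
        self.audit: List[str] = []  # who touched which record; needed when investigating a breach

    def register(self, user_id: str, email: str, birth_year: int,
                 consent_processing: bool, consent_marketing: bool = False) -> None:
        # Active consent must exist before any personal data is stored.
        if not consent_processing:
            raise ConsentError("processing consent is required before storing personal data")
        self._records[user_id] = UserRecord(user_id, email, birth_year,
                                            consent_processing, consent_marketing)
        self.audit.append(f"register {user_id}")

    def read(self, role: str, user_id: str, fields: List[str]) -> dict:
        denied = set(fields) - FIELD_ACCESS.get(role, set())
        if denied:
            raise AccessDenied(f"role {role!r} may not read {sorted(denied)}")
        record = self._records[user_id]
        self.audit.append(f"read {role} {user_id} {sorted(fields)}")
        return {f: getattr(record, f) for f in fields}

    def delete(self, user_id: str) -> bool:
        # Deletion on request: the identified record goes; only the audit entry remains.
        existed = self._records.pop(user_id, None) is not None
        self.audit.append(f"delete {user_id}")
        return existed

    def marketing_recipients(self) -> List[str]:
        # Holding an address is not permission to market to it: filter on marketing consent.
        return sorted(r.email for r in self._records.values() if r.consent_marketing)

    def pseudonymised_export(self, current_year: int) -> List[dict]:
        """Rows for testing: a keyed hash replaces user_id and the exact year becomes a band.
        Pseudonymised data is still personal data under GDPR while the key exists."""
        rows = []
        for r in self._records.values():
            token = hmac.new(self._key, r.user_id.encode(), hashlib.sha256).hexdigest()[:16]
            rows.append({"token": token, "age_band": age_band(r.birth_year, current_year)})
        return sorted(rows, key=lambda row: row["token"])

    def aggregate_stats(self, current_year: int) -> Dict[str, int]:
        """Counts per age band: no per-user rows at all, so nothing to re-identify."""
        return dict(Counter(age_band(r.birth_year, current_year) for r in self._records.values()))


if __name__ == "__main__":
    store = UserStore(pseudonym_key=b"constructed-demo-key")  # constructed sample key
    store.register("u1", "alice@example.com", 1990, consent_processing=True, consent_marketing=True)
    store.register("u2", "bob@example.com", 1985, consent_processing=True)
    print(store.marketing_recipients())   # only alice gave marketing consent
    print(store.aggregate_stats(2021))    # {'30-39': 2}
    store.delete("u1")
    print(store.audit)
```

The two export methods make the distinction the checklist hints at: the keyed-hash rows are useful for testing but remain personal data as long as someone holds the key, whereas the aggregate counts carry no per-user row and are what a stats dashboard should consume.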

5. Your app’s Terms and Conditions

Unlike the Privacy Policy, the Terms and Conditions of your app are not legally required, and the App Store and Google Play Store do not ask for them. Still, it’s definitely best practice to have them.

Your terms and conditions will vary depending on the nature of your app and the country in which it will be used, but broadly the following items should be contained in them:

Basic company information

Give the name and address of your business, as well as a preferred method of contact.

Conditions of service provision

State any rules pertaining to user behaviour and accessibility of your app, including those relating to safe use.

State any copyright or intellectual property license that applies.

How to cancel/terminate an account

Highlight the instances in which you have the right to legally terminate a user account - e.g. abusive behaviour, bullying, violating rules. You should also state how a user can terminate their own account, how the refund process works, and other important points related to account termination.

Any disclaimers

Here, you’ll be looking to state that the user is using the product at their own risk and that you will not be held liable for any damages that arise from the use of your app.

Governing law

This is particularly important for owners of apps that are distributed globally. This clause tells your users what laws your Terms & Conditions will fall under if a dispute arises. Usually, this will be the place in which you’re headquartered. It will mean that if you have a dispute from a client on the other side of the world, there is no debate about which laws will be used to resolve it.

Start planning your legal documents at the start of the development process

There you have it - the key documents that you’ll need to safely launch your app into the world. We hope that our guidance will be useful in helping you prepare everything you need. And if we could leave you with one piece of advice it would be to start planning for all of these requirements from the very start of the development process. That way you won’t get halfway through building a feature only to later realise it isn’t compliant with GDPR or another legal requirement. Good luck!
