Data is the most valuable asset for any entrepreneur as it helps predict the customers’ behavior, evaluate the state of business and develop a strategy for further growth. But how does one legally obtain the data?

The issue of data security and customer privacy is trending these days. With the new GDPR regulation coming in a full force a few years back, companies still seem to get their heads around the legal and, at the same time, efficient ways of data collection. This is especially important for companies that develop mobile applications. With thousands of users logging in and entering their data on a daily basis, every mobile startup must know the essential rules of legally collecting the customers’ data.

In this article, we will have a look at the most burning questions regarding data security, including access to the device’s functionality, data collection from the device, proper data storage and the key GDPR requirements.

What is personal data and why do you need it?

Personal data includes lots of information about the user: name and family name, address, email, telephone, gender, etc. For marketers, personal data is a priceless source of information on the user’s profile, online habits, and preferences. By learning about their target audience, marketers can better align their strategy and ensure the user is interested in the offer.

However, some companies sell personal data to other companies, i.e. a phone services provider can actually sell one’s personal data to a marketing agency. This third-party company will then use the personal data without the owner’s consent and this is a serious law violation.

To better protect online users and their personal data, the EU introduced GDPR, which became the gold standard for data protection and management.

GDPR and its key elements to consider

The General Data Protection Regulation was introduced by the EU in 2016 and remains the primary thing to consider when thinking about the users’ privacy. This regulation has a strict focus on data collection and management as well as on the users’ rights in regard to their personal data.

You have to keep GDPR in mind even at the stage of prototyping and designing the UX/UI. For example, one of its primary elements is the user’s consent for the data collection. That means the user has to understand that the data is collected and understand the purpose of its collection.

Here are the main things to keep in mind when designing a GDPR-friendly mobile application.

Get informed consent from the user

Informed consent about the data collection means that the user is aware of it and agrees to share the data. In mobile apps, this regulation is usually under the “Terms and Conditions” or ‘Privacy Policy’ sections.

In order to do it right, you will need to follow the rules:

Make the section extremely visible. It should not be written in a tiny and unclear font.

Explain why you collect the data and how it will be used. For that, include a hyperlink to the corresponding page to the “Terms and Conditions”.

The user’s right to access the data and delete it

One of the GDPR’s primary statements is that users have their full right to access and manage their personal data that your company stores. In the “Data Policy” (or similar) section, explain how exactly the user can request and receive access to the data. For example, it may be the listing of the contact email or a company’s address. As well, explain the further steps that the user will have to take in order to access the data.

Another important right that the users have is the right to request a company to delete their personal data. Same as with the data access, explain how the users can get their data deleted from your database.

Things to remember:

Make data-related sections visible.

Ensure the user can easily find and navigate these sections.

A big mistake that many companies make

In an attempt to make the application more user-friendly and save a bit of the user’s time, some mobile developers pre-select the checkboxes for the users. Unfortunately, they tend to do so with the data collection boxes and this is another regulatory violation.

Remember what we said about the user’s consent for the data collection? By pre-selecting the checkbox, you are taking away the user’s right to agree to share their data. So when designing a mobile application, never pre-select any checkboxes and especially the ones that are related to the personal data collection.

Permission to access the user’s data

Another common case is when the application requests access for the user’s geolocation, camera, photo gallery, etc. While people are used to it (think about Snapchat as an example), there are still some rules to follow in order not to get in trouble.

First, always ask for the user’s consent. Before accessing the device, the application should always ask the user’s permission.

Second, ensure the app has visible sections on the data usage and management. This is similar to the points discussed above.

An obligatory practice that mobile developers should follow is not letting the app to access the device without permission. Instead, when the app needs access to a certain functional e.g. geolocation, it requests the user for it, thus, granting the user more control.

Data collection by the mobile app: how far can it go?

There are dozens of ways how a mobile app can collect the data from a device: by recording calls, tracking screen time, using GPS to identify the location, tracking the screen activity, and much more.

On one hand, mobile developers want to constantly improve the user experience so they use this personal data to optimize the app and tailor it for the user. On the other hand, this is really creepy and seems like a privacy violation.

So the burning question is: can an app really collect and store the personal data?

It actually depends, and the first thing to consider is the platform of an app. The privacy policies of Google and Apple differ quite a lot: while according to Apple they do not store your data and anonymizes it, Google immediately links your Google accounts to your device and starts logging all sorts of personal data.

Luckily, users can manage the app’s permissions in the device’s settings by going to the Apps and choosing the needed ones. From there, the user can also see what kind of access the app requires (i.e. camera or GPS). However, for more advanced information on the app’s behavior, one should study the app’s Terms and Conditions. In this document, developers usually state what kind of permissions the application has, what kind of data it may collect and for what purposes.

Getting back to the question: yes, mobile applications can collect one’s personal data and use it for their purposes while users can decide what kind of access to provide for an app. On the other hand, it’s the developers’ task to design an app in such a way that it requests all the needed permissions and has visible Terms and Conditions sections so users can manage the app’s settings any time.

A checklist for lawful data collection

In order to collect the data in a proper manner, make sure to follow this checklist:

Optimize the app’s design in such a way that the checkboxes and “Terms of Service” elements can be easily seen and accessed.

Never pre-select the checkboxes related to the data collection.

Always request access to the device’s functionality.

Write down the information on why you collect the user’s data, how you intend to use it and how the user can access or delete it.

Remember that every time the user inputs data in the application, it falls under the sharing of personal data. Therefore, your application should be fully compliant with the GDPR and inform the user about your intentions on data collection right away.