The CYA Privacy Checklist (For Developers)

Posted Aug 13, 2020

It’s official: privacy is a big deal. In just the past five years, it has gone from something mobile game developers could handle with a little common sense and some basic precautions to something that warrants much more concern – and many more resources.

If you are a sizeable mobile publisher with a law firm on retainer, or even in-house legal counsel, you might already be well-prepared to navigate this now-even-trickier landscape. But not every app developer has access to those kinds of resources. So we asked our own trusted counsel, Alan Chapell, founding partner of Chapell and Associates, a law firm focusing on privacy for tech companies, to share some best practices and approaches for complying with privacy regulations as a mobile app developer.

Ideally, he said, developers should focus on getting it right the first time by using a “privacy by design” approach. This means setting up processes and procedures to think about the data you’re collecting and the implications of collecting it, and engaging in basic data governance at the start instead of treating it later as an act of compliance. Taking it one step further, be holistic and apply this across your entire organization, not just one app. Why? Because in most cases, every part of your company leverages the data collected by one or many apps, websites, advertising programs, etc.

“You could, in theory, come up with something that’s new and wild and hugely innovative. But then run into challenges later because you hadn’t thought through some of the implications to bring this product or service or app into the larger marketplace.”

Alan Chapell

Here is Alan’s 5-step process for mobile app developers to get privacy right from the beginning:

Step 1: Understand which data you are collecting.
Some apps gather email addresses and telephone numbers; those engaging in e-commerce may also collect a credit card. Regardless, you must understand what information you’re collecting – and why. This will be the foundation for your overall privacy statement (more on that later!) and the rationale behind your use of consumer data.

Step 2: Identify what you’re receiving from partners, service providers, vendors.
Check the supply chain of data that you use to serve your user base better. Was that data properly sourced? Should it have been subject to a privacy statement? In California, for instance, the CCPA requires you under certain circumstances to provide California consumers with notice and an opt-out choice, because under California’s very broad definition of “sale”, some of those transfers count as sales. So you need to think about the data that you’re receiving, not just the data you collect yourself.

Step 3: Get line-of-sight into who else is collecting user data via your app.
Some of that collection will be SDK-based, and some will happen through other methods. Look carefully at who is collecting data to deliver and target ads or to measure ad effectiveness. Are those all essential activities for the app? Once you know what’s being collected, you can be more effective at policing your partners and enforcing standards.

Step 4: Draft an accurate privacy statement – and update it!
It’s a simple but often overlooked step: spend some time creating a privacy statement based on everything you learned in the steps above. Make sure the way you present it is easy to understand, and update it periodically as your data collection changes.

Step 5: Work with the right partners, aka equally informed allies.
When choosing a growth partner, look for those who are certified by TrustArc or a similar entity, and make sure they are certified in the important areas, not just the most benign ones. Keep your eyes and ears open. Do they adhere to industry standards? Are they members of important industry groups like the IAB or MMA? Do they participate in the Digital Advertising Alliance? Ask about their opt-out mechanism, too.
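Steps 1 through 4 amount to building a data inventory and checking the privacy statement against it. The following is an added example (not from the post or from Chapell and Associates) of how a developer might encode that inventory and run the three checks the steps ask for; every SDK name, purpose and data category below is constructed, not a description of any real SDK.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Sdk:
    name: str                 # hypothetical SDK name (constructed)
    purpose: str              # why the SDK is in the app
    collects: frozenset       # data categories it collects
    shares_externally: bool   # passes data to parties other than the app publisher


# Constructed inventory for the example; names, purposes and categories are illustrative only.
APP_SDKS = [
    Sdk("crashlog-sdk", "crash-reporting", frozenset({"device_model", "os_version"}), False),
    Sdk("adnet-sdk", "ad-targeting", frozenset({"advertising_id", "coarse_location"}), True),
    Sdk("metrics-sdk", "analytics", frozenset({"advertising_id", "session_events"}), True),
    Sdk("checkout-sdk", "payments", frozenset({"email", "payment_token"}), False),
]
# What the current privacy statement discloses (constructed; deliberately incomplete).
DISCLOSED = frozenset({"device_model", "os_version", "email", "payment_token"})
# Purposes the team has decided are essential to delivering the app (Step 3 question).
ESSENTIAL_PURPOSES = frozenset({"crash-reporting", "payments"})
# Categories whose transfer to a third party should be reviewed for notice/opt-out (Step 2).
IDENTIFYING = frozenset({"advertising_id", "coarse_location", "email"})


def undisclosed_categories(sdks=APP_SDKS, disclosed=DISCLOSED):
    """Categories some SDK collects that the privacy statement never mentions (Step 4 gap)."""
    collected = frozenset().union(*(s.collects for s in sdks))
    return sorted(collected - disclosed)


def non_essential_collectors(sdks=APP_SDKS, essential=ESSENTIAL_PURPOSES):
    """SDKs that collect data for a purpose not marked essential; candidates for removal or review."""
    return sorted(s.name for s in sdks if s.purpose not in essential and s.collects)


def transfers_to_review(sdks=APP_SDKS, identifying=IDENTIFYING):
    """(sdk, category) pairs where identifying data leaves the publisher, for counsel to review."""
    return sorted((s.name, c) for s in sdks if s.shares_externally for c in s.collects & identifying)


if __name__ == "__main__":
    print("Collected but undisclosed:", undisclosed_categories())
    print("Non-essential collectors:", non_essential_collectors())
    print("External transfers to review:", transfers_to_review())
```

The real work is keeping the inventory accurate as SDKs are added; running the checks in CI against the statement text catches the case where an ad or analytics SDK starts collecting a category nobody disclosed.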

The definition of a really good partner, though, is one that comes to you with proactive solutions. They don’t need to provide legal advice, but they can present approaches that might work for you as a small publisher, understanding that you might be understaffed. On that note: typically in ad-tech, I would advise bringing in a third-party resource when you are in the 10-15 employee range. For a mobile app publisher, though, once you’ve hit a certain revenue threshold or about 100 employees, you should strongly consider hiring somebody with privacy expertise. The last thing you want is to have millions or tens of millions of users and then realize that you’re upsetting them or bringing regulatory scrutiny onto yourself. That’s the last thing you want because it’s a momentum killer. Build your app the right way early on, so you don’t have to go back and fix it, or worse, just keep moving forward and hope nothing happens.

Ultimately, it goes back to understanding your data flows and being aware, at least on some level, of what the rules are. For more information, check the resources from the FTC and the guidance on how to comply with CCPA on the California Attorney General’s website. There are resources out there! As Alan says, “it does require a certain amount of rolling up your sleeves. But I think we’ve moved past the time where it was a nice-to-have. It is an absolute must-have.”

This advice comes directly from a talk originally broadcast as part of GDC Summer 2020 as the “Productizing Privacy Compliance” session. To view the entire conversation between Alan and Jonathan Harrop, AdColony’s Senior Director of Marketing & Communications, check out the embed below!

Join the Conversation
Did we miss anything? Share your own additions to the privacy checklist, or ask us a question about what you read here! Tweet us at @AdColony. For the latest AdColony mobile news and updates, follow @AdColony on Twitter, like us on Facebook, or connect on Linkedin.

Ana