Is Your App Data Compliant? | Data Compliances For Mobile Apps | Part 2


Every time an electronic device connects to a network, data is being collected. Not everyone is comfortable with that, but since our phones, tablets, laptops, watches, TVs, medical devices, refrigerators and most other household appliances are being linked to the internet, it’s getting impossible to avoid.

Governments are typically slow to adapt to rapid technological changes, which has led to a Wild West scenario when it comes to personal data collection practice online.

Few people understand exactly what data is actually being collected, who has access to it, and how it is being used. Most of us are also in the dark about how valuable our information really is.

However, there are a few signs it’s worth a lot more than a cup of coffee.

For example, Facebook has built its business as one of the largest collectors of personal data in the world, and its market cap of roughly $760 billion is worth more than Disney and Procter & Gamble combined. This is a lot of money for a business that generates most of its revenue from personal data.

After multiple high-profile data breaches across industries, which have included Target, Experian, Adobe, Microsoft, Facebook and many more multinational corporations, a new era of data privacy regulations is upon us.

If you want to build an app, it’s vital now that you pay attention to how the regulatory landscape is changing. Aside from the negative attention data compliance problems can bring, the fines have become too expensive to ignore.


Get Familiar With The Big Data Compliance Regulations

The list below covers some of the most expansive data compliance regulations enacted in the US and around the world. One important point to remember is that just because a law has been passed in a country your organization does not operate in, doesn’t mean it doesn’t apply to your data collection practices.

Regulations apply to data collected from the citizens of countries, not where a business is located. Since most countries have international business agreements, even if you unknowingly collect data from a person outside your country, the laws where they live can still affect you.

GDPR: The General Data Protection Regulation (GDPR) was enacted in the UK in 2018. Of all the regulations on this list, this one has really made businesses around the world take notice. To put it simply, it allows UK citizens to have a say in who can control their personal data and what that information looks like.

A central part of the law is that individuals have the right for their personal information to be “forgotten.” This means they must have a way to contact a business that has collected their personal information and request that it be deleted. The law also requires that this be done quickly, so developers must create databases that are easy to search, review, and delete entries from in order to stay compliant.
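The deletion capability described above is easiest to get right when every table that holds personal data is enumerated in one place and the erasure runs as a single transaction. The following is an added illustration, not code from the original article: a minimal subject-access (export) and erasure handler over a constructed SQLite schema. The table names, sample rows, the `user_id` join column and the `AUDIT_KEY` placeholder are all assumptions made for the example.

```python
"""Subject-access export and right-to-erasure handler over a small SQLite schema.

Added example, not code from the original article. Schema, table names,
sample rows and AUDIT_KEY are constructed for illustration.
"""
import hashlib
import hmac
import json
import sqlite3
from datetime import datetime, timezone

# Every table that stores personal data, keyed by user_id. A new table that
# holds personal data must be added here, otherwise erasure is incomplete.
PERSONAL_DATA_TABLES = ("users", "orders", "support_tickets")

# Constructed placeholder: in a real deployment this comes from a key store.
AUDIT_KEY = b"replace-with-a-secret-from-your-key-store"

SCHEMA = """
CREATE TABLE users (user_id INTEGER PRIMARY KEY, email TEXT, full_name TEXT);
CREATE TABLE orders (order_id INTEGER PRIMARY KEY, user_id INTEGER, amount_cents INTEGER);
CREATE TABLE support_tickets (ticket_id INTEGER PRIMARY KEY, user_id INTEGER, body TEXT);
CREATE TABLE erasure_log (subject_tag TEXT, erased_at TEXT, rows_removed TEXT);
"""


def build_sample_db() -> sqlite3.Connection:
    """Create an in-memory database populated with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.row_factory = sqlite3.Row
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "ana@example.com", "Ana Example"),
                      (2, "bo@example.com", "Bo Example")])
    conn.executemany("INSERT INTO orders VALUES (?, ?, ?)",
                     [(10, 1, 1999), (11, 1, 499), (12, 2, 2500)])
    conn.executemany("INSERT INTO support_tickets VALUES (?, ?, ?)",
                     [(100, 1, "My order is late"), (101, 2, "Login problem")])
    conn.commit()
    return conn


def export_subject(conn: sqlite3.Connection, user_id: int) -> dict:
    """Access request: return every row held about user_id, grouped by table."""
    result = {}
    for table in PERSONAL_DATA_TABLES:
        # table names come from the constant tuple above, never from user input
        rows = conn.execute(f"SELECT * FROM {table} WHERE user_id = ?", (user_id,)).fetchall()
        result[table] = [dict(r) for r in rows]
    return result


def erase_subject(conn: sqlite3.Connection, user_id: int) -> dict:
    """Erasure request: delete across all personal-data tables in one transaction.

    Only a keyed hash of the identifier is kept in the audit log, so the log
    proves that a deletion happened without retaining the personal data itself.
    """
    removed = {}
    with conn:  # commits on success, rolls back if any statement fails
        for table in PERSONAL_DATA_TABLES:
            cur = conn.execute(f"DELETE FROM {table} WHERE user_id = ?", (user_id,))
            removed[table] = cur.rowcount
        subject_tag = hmac.new(AUDIT_KEY, str(user_id).encode(), hashlib.sha256).hexdigest()
        conn.execute("INSERT INTO erasure_log VALUES (?, ?, ?)",
                     (subject_tag, datetime.now(timezone.utc).isoformat(), json.dumps(removed)))
    return removed


if __name__ == "__main__":
    db = build_sample_db()
    print(json.dumps(export_subject(db, 1), indent=2))
    print("removed:", erase_subject(db, 1))
    print("after erasure:", export_subject(db, 1))
```

The keyed hash in the audit record matters: a plain SHA-256 of a small sequential id is trivially reversible, so it would not actually pseudonymise the log. Backups, analytics copies and third-party processors are outside this handler and need their own erasure procedure.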

Fines can total up to 4% of global revenue or €20 million (whichever is higher) for a business found to be in violation.

This regulation is why every website you visit now has a popup that asks you to agree that it can collect your personal information.


HIPAA: The Health Insurance Portability and Accountability Act (HIPAA) applies to personal data tied to medical records. For mobile app developers, this means they must build safeguards into their software to ensure data is stored and retrieved in a secure way. The key point to remember with this law is that almost any app that connects medical professionals to their patients is going to fall under HIPAA rules.

If you need to build an app that relates in any way to medical services, you should work with a developer that has extensive experience in this area. The guidelines are not clear for how to be HIPAA compliant, so the only way to know how to do it is to go through the process multiple times. And even then, the law changes regularly, so it is never 100% clear what you can and can’t do for every situation.


COPPA: The Children’s Online Privacy Protection Act (COPPA) prevents organizations from collecting personal information about children without a parent’s consent. It applies to children below the age of 13 and any content that is produced specifically for them.

The best way to avoid problems with COPPA is to require a payment for services. Collecting credit card information from parents is an ideal way to ensure you have consent for their children to use your app. It’s also a good idea to use a multi-step process to create accounts, with a requirement for parents to verify their identities through their personal email accounts.
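The multi-step sign-up with parental e-mail verification described above can be implemented so that the child account is created only after a parent acts on a signed, time-limited token. The following is an added example, not code from the original article: the token is an HMAC over the parent's e-mail, the requested username and an expiry, and the account store refuses to create the account for a tampered, expired or mismatched token. `SERVER_SECRET`, `TOKEN_TTL_SECONDS`, the `AccountStore` class and the `send_email` callback are constructed for the illustration.

```python
"""Verified-parent consent step before a child account is created.

Added example, not code from the original article. SERVER_SECRET, the
in-memory AccountStore and the send_email callback are constructed stand-ins.
"""
import base64
import binascii
import hashlib
import hmac
import json

SERVER_SECRET = b"replace-with-a-random-secret-from-your-key-store"  # constructed placeholder
TOKEN_TTL_SECONDS = 24 * 3600
SIG_LEN = hashlib.sha256().digest_size  # 32 bytes, fixed length so the split is unambiguous


def _sign(payload: bytes) -> bytes:
    return hmac.new(SERVER_SECRET, payload, hashlib.sha256).digest()


def issue_consent_token(parent_email: str, child_username: str, now: float) -> str:
    """Bind the parent's e-mail to the requested child account and sign it.
    This token is what gets e-mailed to the parent; altering it breaks the signature."""
    payload = json.dumps({"p": parent_email, "c": child_username,
                          "exp": int(now) + TOKEN_TTL_SECONDS},
                         separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(payload + _sign(payload)).decode()


def verify_consent_token(token: str, now: float):
    """Return (parent_email, child_username) for a valid, unexpired token, else None."""
    try:
        raw = base64.urlsafe_b64decode(token.encode())
    except (ValueError, binascii.Error):
        return None
    payload, sig = raw[:-SIG_LEN], raw[-SIG_LEN:]
    # constant-time comparison so timing does not leak how many bytes matched
    if not hmac.compare_digest(sig, _sign(payload)):
        return None
    data = json.loads(payload)  # safe: signature proves we produced this payload
    if data["exp"] < now:
        return None
    return data["p"], data["c"]


class AccountStore:
    """Constructed in-memory stand-in for the app's user database."""

    def __init__(self):
        self.children = {}  # username -> account record, created only after consent
        self.pending = {}   # username -> parent e-mail, the minimum held while waiting

    def request_child_account(self, child_username: str, parent_email: str,
                              now: float, send_email) -> str:
        """Step 1: record the pending request and mail the parent a consent link."""
        token = issue_consent_token(parent_email, child_username, now)
        self.pending[child_username] = parent_email
        send_email(parent_email, token)  # outbound mail, stubbed by the caller
        return token

    def confirm_consent(self, token: str, now: float) -> bool:
        """Step 2: create the account only when the token is valid, unexpired and
        matches the parent e-mail recorded for that pending request."""
        claims = verify_consent_token(token, now)
        if claims is None:
            return False
        parent_email, child_username = claims
        if self.pending.get(child_username) != parent_email:
            return False
        self.children[child_username] = {"parent_email": parent_email, "consent_at": int(now)}
        del self.pending[child_username]
        return True


if __name__ == "__main__":
    store = AccountStore()
    tok = store.request_child_account("kid01", "parent@example.com", 1_700_000_000.0,
                                      lambda to, t: print(f"mail to {to}: {t[:24]}..."))
    print("created:", store.confirm_consent(tok, 1_700_000_060.0), store.children)
```

Keeping the consent record (parent e-mail and timestamp) alongside the child account is what lets you later answer the question "who consented, and when" if a regulator asks; the payment-card step the article recommends can be slotted in before `confirm_consent` as an additional check.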

CCPA: The California Consumer Privacy Act (CCPA) is closely aligned with GDPR. Residents of California can request that an organization tell them what information it has collected about them, allow them to review their data, make corrections to it, opt out, and ask that it all be deleted. People who are affected by data breaches also have the right to sue the business at fault.

PCI-DSS: The Payment Card Industry Data Security Standards (PCI-DSS) is a group of requirements created by major credit card companies. These are not government regulations, but they affect all businesses that accept credit card transactions.

There are 2 levels of compliance, and how a business is categorized depends on the number of credit card transactions it processes each year. All the guidelines relate to how data is stored, network security, and a requirement to regularly conduct vulnerability tests.

Noncompliance can result in excessively high transaction fees and possibly all credit card transaction abilities being revoked.

Stay Current With Global Data Compliance Developments

Aside from the regulations with the biggest scope, it’s important to be aware of and monitor the smaller ones as well. Several worth reviewing are summarized below.

PIPEDA: The Personal Information Protection and Electronic Documents Act (PIPEDA) is a Canadian law that applies to how businesses based there can collect personal data. Specifically, these organizations must ask for consent before collecting data, and only collect what is necessary.

CDR: Australia introduced its Consumer Data Right (CDR) in 2017. Consumers in the telecommunications, financial and energy industries may request what data has been collected about them, why it was collected, and who it has been shared with.

LGPD: The Brazilian General Data Protection (LGPD) Act is expected to come into effect in 2021. Any organization that collects data about its citizens must appoint a Data Protection Officer (DPO) that manages data and interacts with the ANPD, which is Brazil’s federal regulatory agency for data privacy. Also, like GDPR, Brazilian citizens will be able to request what data has been collected about them, review it, opt-out and have their data deleted.

POPI: The Protection of Personal Information (POPI) Act is a South African law that is similar to GDPR and applies to all organizations operating within the country. Beyond allowing citizens to access their data and have it removed, it also requires organizations to maintain compliance procedures to prevent data breaches.

Follow Best Practices For Data Compliance

Based on regulatory trends, it seems most countries are going to enact laws similar to GDPR that require strict data compliance procedures. A shortcut to achieving the level GDPR and other current laws require is to follow the ISO/IEC 27000 guidelines.

The International Organization for Standardization (ISO) is composed of experts from around the world who create international standards for businesses. There is no obligation to adopt its standards, since they are all voluntary, but many organizations do because they are highly detailed and comprehensive.

ISO/IEC 27000 applies to information security management, and includes clear processes for safely handling financial, medical and personal information.

Blue Whale Apps Can Guide You Through The Data Compliance Process

Blue Whale Apps has extensive experience building compliant apps that exceed GDPR, HIPAA, PCI-DSS and many other international standards. Some examples include Mobilears, a HIPAA-compliant app for hearing tests, and SpiriLite, a health and wellness app that gives medical providers and their patients a simple way to communicate and coordinate payments.


Our team specializes in end-to-end development for Fortune 1000 businesses and government agencies. Recent projects have included apps within the healthcare, technology, public utilities, entertainment, retail, consumer products and automotive industries. In 2019, Blue Whale Apps was named the #1 Mobile App Developer by AppFutura, Clutch, and Good Firms.

We can manage all parts of your app development process, from conducting audience and market research to UX design and custom coding solutions. Contact us today to build a compliant app for your organization.


Striving to be a purposeful leader. Passionate about delivering phenomenal user experience through technology. A father, a husband and a cook!
