Mobile applications, commonly known as apps, are tools for smartphones or tablets that take advantage of the features of these devices, such as the touch screen, internet connection, camera or GPS. These apps are usually games, office tools, social networks, tools for editing photos, videos or music, etc., and they are usually free or sold at a very low price.
However, just because apps are cheap or free does not exempt them from compliance with the law. The European Data Protection Authorities have adopted the first joint opinion regarding mobile applications analysing the effects and risks apps pose for data protection, elaborating on the obligations of app developers and everyone involved in their creation, and paying special attention to the use of these apps by minors.
The types of existing apps are as follows:
According to the external resources the app accesses:
- Online Apps: These are apps that require access to online or location resources: apps for news, games, social networks, bank consultations, specialized consultations, forums, betting, maps, radar notifications, geographic location, etc.
- Offline Apps: These are apps that do not require any online or location resources, for example, games that do not access data networks, informative applications, automation tools, etc.
According to the internal features they access:
- Invasive Apps: These gain access to the device calendar, the identification number of the terminal, geographic location, and stored photos; they display advertisements, manipulate the user’s profile in a certain social network or require that the user register and submit their data.
- Non-invasive Apps: These do not gain access to any internal or confidential feature of the device; neither do they need any personal information from the user.
Most apps are the Online and Invasive type. Depending on the type of application, compliance with different laws is required. In the following chart, we have summarised the main laws in Spain that one must consider when launching an app on the market.
| | Invasive Apps | Non-invasive Apps |
| Online Apps | LOPD, LSSI | LSSI |
| Offline Apps | LOPD | Does not apply |
Below we shall briefly summarise the main obligations pursuant to these laws.
LOPD: The current regulation in Spain requires compliance with the following obligations:
- Quality: The information should be adequate, relevant and not excessive to the purpose for which it is collected. This obligation shall be more strictly applied to apps aimed at youth.
The European Authorities recommend not registering data of minors for advertising purposes, not collecting information about parents and other family members and removing all personal information when uninstalling the app.
- Information: It is necessary to inform the user in advance about the data that will be obtained through the app and which has not been provided directly by the user himself.
Information about the identity and domicile of the person responsible for the app is also to be provided, as well as the purpose of the collected or accessed information, the possibility of the user to exercise their rights, if there is an interconnection with third parties, etc. In the case of apps aimed at youth, this information is to be transmitted in a simple and comprehensive manner.
- Consent: If the user goes forward with the installation after being informed of the previous points, they will have given their consent. Still, the consent given by children under the age of 14 is not valid. This is why there should be a mechanism that prevents minors from using such apps or that allows the consent of their parents or guardians to be obtained.
- The rest of the principles and obligations in the LOPD also apply to the data collected through the apps.
LSSI: The current regulation in Spain requires compliance with the following obligations:
- General Information: A report is to be composed, indicating the identity of the person responsible for the app, their domicile, NIF, register details, contact details, details of the administrative authorizations for exercising their activity and ethical codes they are affiliated with.
- Commercial Information: It is advisable to obtain express consent about sending advertisement materials. This objective should be left as an option for the user.
Whenever communication with a commercial purpose takes place, it must be marked as Advertisement or Advert and must allow the user to oppose receiving such messages in the future.
Cristina Sandoval & Jesús Sánchez
For further information,