In a joint effort, a working group bringing together all German Data Protection Authorities (“DPAs”) has now published its long-awaited guidelines for developers of mobile games and apps. The 33-page document defines legal requirements for apps, addresses the underlying technical framework, and announces more intense enforcement action in the weeks and months ahead.
The end of the ceasefire
The document does not really contain any surprises, but it is still a useful and interesting read, because for the first time ever the regulators are letting us know how they believe data privacy legislation should be interpreted for mobile games and other apps. And anyone commercializing apps in Germany would be well advised to heed these rules of the game: The DPAs have announced that they will now get down to business with non-compliant apps.
The regulators had conducted “app sweep days” before to examine apps with regard to their legal compliance. Among the recurring grievances was a lack of clarity as to what data are collected by the apps and for what purpose they are used and shared. However, until now the DPAs had only followed up with actual enforcement action in exceptional cases.
Disregarding the new guidelines can carry fines of up to EUR 300,000 and lead to considerable brand damage. We are already seeing increased activity from the DPAs, but also from consumer protection watchdog groups. The days of the legal ceasefire are over.
Guidance in a nutshell
In a nutshell and amongst many other points, the guidelines require app developers to comply with the following:
- During the development process, app developers must ensure that only such personal user data is collected and processed as is absolutely necessary for the performance of the app ...