You’ve got a mobile app and lots of happy users.
Let’s take a closer look at the consequences of non-compliance, so you can better avoid that scenario.
What are the penalties for violating privacy regulations?
If you fail to comply with the privacy regulations in each jurisdiction you do business in, you could face crippling fines. Europe’s GDPR and the California Consumer Privacy Act are two of the strictest regulations in place.
Here’s what happens if you violate the GDPR.
Any company that has contacts with European citizens must comply with the GDPR. This means it doesn’t just apply to European-based companies but any company that offers goods or services to European citizens or tracks European citizens’ data.
GDPR violations carry fines of greater than $20 million, or 4% of your worldwide revenues (whichever number is greater). These are the maximum possible fines and vary based on the severity of the infringement, but the intent of the law is that the penalties act as a strong deterrent rather than as a mere slap on the wrist.
What happens if you violate California’s upcoming privacy law?
Like the GDPR, the California Consumer Privacy Act applies to any company doing business with California residents regardless of where the company is located. There are some exemptions for small businesses based on total revenue and how much business they do with California. It goes into effect on January 1st, 2020.
The law provides two sets of penalties. First, the California Attorney General can impose a fine of up to $7,500 per violation. Further, each individual consumer who is impacted by a data breach can receive statutory damages of $100 to $750. If a consumer’s actual damages are greater than the statutory damages, they can seek to recover the full amount instead.
How can a foreign government or far-away state regulate an app developer?
We’ve called for a unified national data privacy law, but the reality is that developers must ensure compliance in each state and country they do business with. A developer can’t choose to ignore a far-away government.
From a legal standpoint, the laws are written to protect the citizens of the jurisdiction making the laws. If you want to do business with the citizens of that jurisdiction, you must follow their laws. Otherwise, your alternative is to not accept business from those citizens.
From a practical standpoint, regulators have several options to impose penalties on distant developers. First, they would obtain a judgment against you in their local courts. Next, you might have a bank account or payment processor who does substantial business within that jurisdiction that the regulator could then order to enforce the judgment. Similarly, the regulator may be able to assert authority over any web hosting or other online services that you use and shut down your business pending resolution of the alleged violations.
Beyond that, your reputation’s at stake.
Even if you aren’t governed by a jurisdiction with strict privacy laws, you should still maintain the strictest privacy standards. Even in areas without these laws, the practices mandated by the laws are becoming accepted as industry best practices.
If you have a data breach, consumers will want to know that you did everything to prevent it. If you’re perceived as having cut corners to save costs, your brand’s reputation will plummet.
Follow these steps to be compliant.
We outline the steps to being compliant in this post, but in short, you want to:
- Allow users to opt-in, and be obvious about it. Create a call-out that explicitly states your data policy.
- Be transparent about what data you’re collecting.
- Be transparent about how and why you’re using their data.
- Present the ability to opt-out or reach out to a customer service rep for any service questions.
- If there are any changes to your terms of service, disclose them.
Users like honesty. If you’re honest with them about how and why you use their data, you’re not only being compliant, you’re also inciting trust in your brand. And that’s a recipe for happy users.