What You Need to Know about App Security Laws

There’s a lot of customer information out there, and if you have an app, you know exactly how much of that information is available for access. From dates of birth to real names and addresses, apps take on a lot of data to work the way they’re intended, and that’s kind of the point: for customers, that information is the difference between an app that has an idea of them and an app that knows them.
For developers, that data is both an asset and a liability. It’s an asset because you need that data – you need the idea of your customer before you can invest in where the app goes.
It’s a liability because if you don’t protect that data, there’s a problem, and that problem is expensive to fix, for time, money, and reputation. Data protection is not anything new to the internet: we’ve had similar data protection laws created for other industries.
Why is app security important?
What makes data protection for apps different is the sheer amount of data it covers. Over the last ten or so years of app development, data protection for internet services has become more stringent because there’s so much more data to deal with – and because for the first time in human history, we’re dealing with data on a global scale and in quantities that make what we had before look like a drop in the ocean.
Like we said before: protecting your data is important. The fines attached to it make renting a mega-mansion in Los Angeles look cheap, but there’s an upside: it’s kind of easy to know what to protect if you know what laws to pay attention to.
What is the California Consumer Privacy Act?
We’re based in Orange County, so we’ll start with the familiar: the California Consumer Privacy Act was ratified in 2018 as a way to protect the privacy of Californian consumers and give them control over the data that businesses collect. As of 2023, there’s been a new addition to the law which also stipulates that consumers can limit the information that businesses use and disclose about them: a big step forward for consumer privacy rights.
The way it works is this: if you live in California, you have the right to ask any business what information it holds about you and what it does with it. If you’re not happy with the answer, you can ask it to delete that information, to not sell or share that information, to correct inaccurate information, or to share some of it but not all of it. You can also ask it to tell you when it collects this information.
The CCPA sorts information into two categories: personal information (information that can be tied to you) and ‘sensitive’ personal information, which includes government identifiers such as social security numbers. Either way, businesses that maintain poor security practices and experience a data breach in California open themselves up to legal action and usually have to pay a fine.
However, this only covers the state of California. That doesn’t mean all other consumers have no protection.
For that, there’s GDPR.
What is GDPR?
If you’ve been seeing a lot of pop-ups talking about cookies and consent, you’ve seen an idea of GDPR. GDPR, or the General Data Protection Regulation, is the other side of data protection regulation: a worldwide privacy and security law that protects consumers based anywhere, not just in Europe where it was ratified. It covers a lot of what the CCPA does, but the fines that come from GDPR go into the tens of millions, and the privacy and security standards to meet are high.
Why do we have so many data security laws?
Data breaches happen, and they happen to everyone – but with so many people now putting all their data into the cloud, the breaches that happen to companies who don’t protect their data have a much greater impact on those consumers. Data security laws are there to make sure that the companies entrusted with that data protect it – and that any breaches that do happen are dealt with quickly and efficiently.
What does this mean for app security?
Apps aren’t excluded from complying with data security laws – in fact, with the rising popularity of apps worldwide, it’s even more important now to adhere to data security laws, especially given that data breaches are increasing, not decreasing, as we go on.
For the developers that make apps, none of what has to be done to comply with GDPR, CCPA, or other security laws is new. You still have to process that data. You still have to have a data use policy. You still have to protect that data.
Everything that comes with the GDPR and CCPA territory is something that app developers have been dealing with for a while. Now, it’s taken on new importance, and as the internet continues to grow and change, we’re probably going to see more of these laws come into effect.
Staying on the right side of data protection is worth the extra effort.