
Small print and small screens

The small print for apps is normally broken down into two separate sets of terms – the end user licence agreement and the privacy policy.

April 2014

These essentially form a contract between the app user and the app provider, limit the app provider's liability and also provide a mechanism for compliance with data protection law. In this article, we look at the importance of each of these sets of terms and the practical and legal challenges of delivering them on a small screen.

Privacy policy

The UK's Data Protection Act 1998 provides that, in many cases, the processing of personal data will require the consent of the data subject. "Processing" is very widely defined to include disclosing as well as obtaining, holding and using data. Data controllers may process data without consent in certain circumstances (such as where the processing is necessary for the performance of a contract with the data subject). However, the 'consent' route is generally considered to be the safest way to justify the processing of personal data.

A privacy policy helps the data controller comply with its obligations to process personal data fairly and lawfully and only for "specified" purposes and to provide information regarding processing at the time when it collects the data.

In the context of apps, personal information may include:

  • data collected directly from a user via an app's user interface (name, address and date of birth);
  • data that is gathered indirectly such as mobile phone number, IMEI or UDID (Apple ID);
  • data gathered about a user's behaviour, such as location data, web-browsing data or the apps used which are linked to a unique profile; and/or
  • user-generated data such as contact lists, videos and photos, messages, emails, notes, and call logs.

To be identified, an individual need not be known by name: a user may be identified even when their information is associated only with a unique identifier such as a Unique Device Identifier, whether linked to the device or the user, and regardless of who generates it and whether it can be traced back to the device ID (in US terminology, this is called Personally Identifiable Information or 'PII').  This wide definition means that most apps collect and process personal information. In addition, there are categories of information that are considered "sensitive" and which need additional security if processed, for example, log-on credentials, registration and financial information.

End User Licence Agreement (EULA)

The EULA is a contract with the app users setting out rules on how they may use the app together with other provisions covering things like the app provider's liability, intellectual property and rules on user generated content. In many cases, app providers will rely on a 'default' EULA, such as the one provided by Apple, rather than supplying their own, despite the fact that it can leave them exposed as it is geared more towards protecting the distribution platform operator.

The need for user consent to the EULA and privacy policy

Having written a privacy policy and a EULA, it is important to get users to consent to them. The ordinary legal principle of 'incorporation of terms' applies to apps just as it does to any other contract.  This means that a party needs to have agreed to the terms of the contract, having been provided with them or, at least, having been given an opportunity to check them, before the contract is entered into.

Another reason consent is important relates to consumer laws: as mentioned in more detail in our article 'See small print for details – upcoming changes to the small print requirements', the Consumer Rights Directive is to be implemented across the EU by 13 June 2014. This law deals with (among other things) pre-contractual information which businesses need to provide to consumers. There has been particular concern in respect of the 14 day 'cooling off' period, during which a consumer can cancel and obtain a refund for the supply of digital content, which, of course, includes apps. Supply during the cooling off period can only begin where the customer has expressly consented to the supply and acknowledged that the right to cancel will be lost.  Often, however, the means of obtaining this consent and acknowledgment only exists once some content has been supplied to the consumer's device.

How to capture consent

There is, of course, no practical way to provide all of the small print on a small screen without interfering with the user experience. This is why the new consumer law provides that, where there is limited space to display all of the required information, only limited details (such as the total price of the app or in-app purchase inclusive of taxes) must be provided while the rest can be provided in "another appropriate way".  Aside from this, there are certainly no different legal principles that apply to the downloading of apps. Nevertheless, it is undoubtedly the case that the apps industry and the players involved (namely, the providers of apps, distribution platform operators like Apple and Google and users alike) all operate, in practice, as if different, more relaxed, rules applied. It does not appear that the distribution platform operators have published any formal advice on this issue.  

Of the random sample of apps we have looked at recently – even from respected names – none of them actually requires active agreement from the user to a EULA or privacy policy as a pre-condition of being able to download the app.

The way most app providers appear to deal with the subject is to include a link at the foot of the download page in the relevant app store (the page before the user clicks to install the app) either to their EULA (if they have one) or to the relevant provider's website terms of use and privacy policy.

There have been no reported cases which take a view on whether this is sufficient to bind users. Since the user is free to click on the link or to ignore it completely, it is always potentially open to users to argue that they did not consent to the terms because they never read them.

Short of going to the extreme of including a check-box prompt, with the user being forced to check the box before being able to proceed  (like the kind usually supplied on a website checkout page), we consider a cautious but pragmatic approach would be for the app provider to:

  • have its own EULA (rather than any 'default' version from the relevant app store) and privacy policy;
  • make both sets of terms available via a link on the download page (clearly entitled "End User Licence Agreement" or, better still "End User Licence Agreement - Please read"); and
  • have the following, or similar, wording, appear at the very top of the EULA:

"By installing or using this application, you consent to the installation and you agree to the terms of this End User Licence Agreement and our privacy policy (available at www.[        ]) and agree to be bound by them. You also acknowledge that by agreeing to install this application, you lose your 14 day cancellation right. If you do not agree to the terms of this End User Licence Agreement and/or our privacy policy and/or to the loss of your cancellation right, then do not install or use this application."

Although this is not legally 'bullet-proof', it is certainly safer than ignoring the issues and, short of going down the unattractive check-box route, it is probably the most practical approach to achieving compliance. That said, certain information disclosure requirements as part of the purchase process for apps or in-app purchases fall squarely within the remit of the distribution platform operators like Apple rather than the app providers. This is because, of course, it is the distribution platform operators who process the payments from users and interface with them rather than the app provider. It will be interesting to see how, and indeed, whether these distribution platform operators respond to the requirements to gain various consents from users.

If you have any questions on this article please contact us.

Neil Hawley


Neil looks at the challenges of squeezing the necessary small print onto small screens and how to obtain user consent.

"It is undoubtedly the case that the apps industry and the players involved ... all operate, in practice, as though different, more relaxed rules apply to them"