On December 9, 2022, the UK Government’s Department for Digital, Culture, Media, and Sport (DCMS) published a voluntary Code of Practice for App Store Operators and App Developers (Code). The Code sets out eight core principles to be followed by in-scope entities and is intended to help protect end users from malicious and poorly designed apps by setting minimum security and privacy requirements. The principles were arrived at following a public consultation launched in May 2022.

Scope of Application of the Code

The Code’s principles apply to stakeholders in the app ecosystem including:

  • App Store Operators, who have the capability to add and remove apps, and determine the requirements apps need to meet to be included in a store;
  • App Developers, who create or maintain apps, and are responsible for ensuring their app meets the requirements of app stores in addition to legal requirements; and
  • Platform Developers, who produce operating systems and default functionalities.

The Code’s Principles

The Code sets out eight core principles, which in places reflect mandatory requirements from well-established areas of law (e.g., the requirement to notify individuals in the event of a personal data breach, which is a feature of the UK General Data Protection Regulation (UK GDPR)). There will therefore be a degree of overlap between compliance with the Code and compliance with existing legal obligations. The principles encourage stakeholders to:

  1. Ensure only apps that meet the Code’s security and privacy baseline requirements are allowed on an app store. This requires that app stores implement vetting processes, end-user reporting systems, and takedown procedures for apps that are clearly malicious.
  2. Ensure apps adhere to baseline security and privacy requirements, such as through using industry standard encryption, limiting permission requests, and adhering to the principle of data protection by design.
  3. Implement a vulnerability disclosure process, so that vulnerabilities can be reported to the App Store Operator without them becoming publicly known to malicious actors.
  4. Keep apps updated to protect users, including by fixing known security vulnerabilities.
  5. Provide important security and privacy information to users in an accessible way, such as the jurisdictions in which user data is stored, and details of the stakeholders that will have access to data.
  6. Provide security and privacy guidance to developers, including by providing information on what is considered best security and privacy practice.
  7. Provide clear feedback to developers where an app submission is rejected, or where an app is removed for security or privacy reasons.
  8. Ensure appropriate steps are taken when a personal data breach arises, including the steps required to be taken under the UK GDPR.

Monitoring Compliance with the Code

There will be a nine-month period for in-scope stakeholders to adhere to the Code. DCMS has stated that its initial focus is on App Store Operators, and that it will commence meetings with these stakeholders beginning in early 2023 to assess whether they have started to enact changes to their processes. Written reports will be requested from App Store Operators in Spring 2023; these will be treated as confidential but should state how adherence to the Code’s principles is achieved. Stakeholders should approach the preparation of these written reports with caution, both to avoid inadvertently revealing areas of noncompliance with current legal obligations and in view of DCMS’s press release, which states that it will “explore what current laws could be extended to cover apps and app stores and whether regulation is needed to mandate the code in future.”

The Code will be reviewed and may be updated after two years.

The Code’s Place Among Wider Developments in the UK

In addition to the Code, companies operating in the UK market are likely to face a number of changes in the regulatory landscape in 2023:

  • The UK GDPR, which currently largely mirrors the EU GDPR, is likely to be revised in the near term. The UK Government is reportedly planning to launch a further limited consultation on the Data Protection and Digital Information Bill before seeking to progress it through the parliamentary process.
  • The long-awaited Online Safety Bill, which will apply to companies hosting user-generated content and providing search engines, is expected to progress through the parliamentary process early in 2023 and introduce new duties to protect users from illegal content.
  • The UK Government has declared its intention to reform the regulation of digital markets and the existing competition and consumer law regimes through introducing a new Digital Markets, Competition, and Consumer Bill. The Bill is expected to face its first reading in parliament in Spring 2023 and will be supplemented by enforceable codes of conduct.

For more information, please contact Cédric Burton, Laura De Boel, Lydia Parnes, or another member of the firm’s privacy and cybersecurity practice. Tom Evans contributed to the preparation of this Wilson Sonsini blog post.