The Department for Digital, Culture, Media, and Sport ("DCMS") recently published a new 'Code of Practice for App Store Operators and Developers' ("Code"), following calls to improve app security and privacy for users. The new Code of Practice sets out eight key principles for stakeholders in the digital app space. The stakeholders who shall adhere to these principles are:

  • App Store Operators, who shall implement the right processes to ensure that the apps available on their Store are not a risk to users and privacy.
  • App Developers and Platform Developers, who shall also have a clear responsibility for ensuring that they are creating apps and platforms with appropriate security and privacy standards.

The new principles are to:

  • Ensure only apps that meet the Code's security and privacy baseline requirements are allowed on the app store;
  • Ensure apps adhere to baseline security and privacy requirements;
  • Implement a vulnerability disclosure process;
  • Keep apps updated to protect users;
  • Provide important security and privacy information to users in an accessible way;
  • Provide security and privacy guidance to developers;
  • Provide clear feedback to developers; and
  • Ensure appropriate steps are taken when a personal data breach arises.

The Code attempts to ensure that there are baseline security standards for apps that enter into the digital marketplace, as well as effective reporting processes to continuously ensure apps are complying with such standards. These standards can include using industry standard encryption and restricting requests for privileges and permissions beyond those necessary for the functional requirement of the app.

There will be a nine-month period for operators and developers to adhere to this Code, and the DCMS shall initially focus on adherence from the operators. Operators, in particular, shall be responsible for implementing vetting processes and disclosure mechanisms to ensure that certain apps with security vulnerabilities can be identified and resolved, or where necessary, removed from the store.

The DCMS shall initiate meetings with operators from early 2023 to monitor how they are enacting the necessary changes in their processes in line with the Code. App operators are requested to produce confidential written reports from spring 2023 to outline the steps they are taking, and they are also encouraged to request additional meetings for further clarity to ensure that their processes are adequate.

The Minister of the DCMS describes the new Code as a first step in a series of policy interventions intended to protect consumers from malicious and insecure apps, with the possibility of introducing regulation in the future, should these voluntary policy interventions not achieve the desired outcome.

For now, in the absence of further mandatory regulation, the DCMS encourages app developers and operators to take urgent action to adhere to the principles, and demonstrate their adoption of this Code, by affirming such compliance publicly on their company website, app website or on the app store. Whilst this Code is voluntary, adherence to such principles allows developers and operators to show users that they are delivering security as standard to protect them from malicious actors and vulnerable apps.

Find the new Code of Practice here.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.