+8 votes
by (330 points)

2 Answers

+2 votes

Some important considerations:

  1. Data collection - the most important consideration of all. Map out and document the entire lifecycle of data collection, processing, and storage. Ensure security throughout the user lifecycle.
  2. Vendors - Use established, well-known third-party tools that follow the top industry standards. Nothing shady.
  3. User consent - Obtain informed and unambiguous consent for the collection and use of personal data for the specific purposes for which you are collecting it. No grey areas.
  4. Necessity - Strive to use only what is absolutely necessary. Don't over-collect data just because you can.
  5. User communication - Manage and respond to users’ requests, especially consent withdrawal.
  6. Privacy policy - Make sure it contains all disclosures required under the GDPR/CCPA.

All these are a must if you really want to cover yourself from all angles. 

by (660 points)
Thanks for the detailed answer!
How do you get the user consent for CCPA? With a popup the first time the user launches the app? Do you also need to allow the user to opt out (for instance in the app settings)?
0 votes

In practical terms of implementation, if a company is already compliant with GDPR, they are almost certainly compliant with CCPA, since GDPR is more strict. So to answer the question: the most important consideration when making an app compliant with both sets of regulations is to focus on making it compliant with GDPR, which virtually guarantees compliance with CCPA. Here's an article I wrote about GDPR compliance for mobile apps: What does GDPR mean for mobile?

The main considerations are:

  • Allowing users to make informed consent to have their data collected and shared;
  • Allowing users to delete their data, see what data is being collected about them, and to move their data from your service to another in a format that is considered standard;
  • Not sharing or collecting data beyond 1) some reasonable standard and 2) the scope that is laid out in consent;
  • Allowing users to opt-out of data collection.

In terms of differences between the regulations:

One comparison between GDPR and CCPA is that the GDPR is a door that prevents data from being collected ("privacy by default") whereas CCPA is a window that allows a person to understand what data about them is being collected. The biggest difference this creates in terms of practical compliance is that the right of prior consent that exists in GDPR and compels a company to gain consent from a user before collecting PII doesn't exist in the CCPA, and the right to opt-out that exists in the CCPA and compels a company to allow a user to opt out of data collection doesn't exist in the GDPR (because the user would have needed to give prior consent).

Note that both sets of regulations provide the right to access and the right to deletion / erasure (delete is the CCPA term, but the rights are functionally identical). There are some other differences around applicability (CCPA only applies to companies of a fairly substantial size) and protections (CCPA only protects legal residents of California).

This article from the FPF provides a nice overview of the similarities and differences between the CCPA and the GDPR.

by (12.1k points)