New Development: Government makes changes to voluntary code of practice for app store operators and developers

In our Spring 2023 Snapshots, we reported on the Department for Digital, Culture, Media and Sport’s (DCMS) voluntary Code of Practice for app store operators and developers (the Code). 

In October 2023, the Department for Science, Innovation and Technology (DSIT) made amendments to the Code, notably extending the implementation period of the Code by nine months following concerns regarding barriers to implementation and lack of clarity for some of the Code’s provisions. The eight principles stipulated by the Code must now be implemented by June 2024. DSIT has said that it shall use the extended implementation period to improve monitoring and increase engagement.

Other key changes include:

• a reformed appeals process allowing developers one week to challenge the removal of a malicious app from an app store (Principle 1)
• the requirement for users to be able to delete their data on an app is removed; now developers must only provide means for users to request deletion (Principle 2)
• all vulnerability disclosure processes must now be accessible from the app store. The 15-day time limit for the developer to acknowledge a vulnerability report has been removed (Principle 3)
• it is no longer mandatory for operators to remove an app which has not been updated for two years (Principle 4)
• if a developer challenges the removal of an app not considered malicious, users shall not be notified of the removal until the appeals process ends (Principle 5)
• a reformed process for personal data security incidents (Principle 8).

Winter 2023