DCMS publishes new Code of Practice for app developers and app store operators

Published on 31 March 2023

The question

What do app developers and app store operators need to do to comply with the new Code of Practice published by the Department for Digital, Culture, Media and Sport (DCMS)?

The key takeaway

The DCMS has published a new Code of Practice for app store operators and app developers (the Code). The Code sets out eight voluntary principles which aim to protect the security and privacy of app users. While the Code itself is voluntary (ie there is no legal requirement for app developers and app store operators to comply with it), the DCMS anticipates that compliance with the Code may become an expectation of users in a competitive app store and app downloads market. 

The background

The DCMS introduced the new Code to better protect app users from online threats given the integral role that apps now play in the work and personal lives of users. The DCMS undertook a review of the app store ecosystem between December 2020 and March 2022 and found that users could still access poorly developed and malicious apps and that some developers were not following best practice. In May 2022, the DCMS issued a public consultation seeking the views of organisations and individuals on whether a code of practice would be effective and which principles should be included in a code of practice if one were introduced. The review and subsequent activity is part of a broader programme under the UK Government’s National Cyber Strategy.

The development

The Code sets out eight principles and applies to three groups:

  1. App Store Operators: Individuals and organisations responsible for running app stores, with the ability to vet and add or remove apps.
  2. App Developers: Individuals and organisations which create or maintain the apps distributed through an app store.
  3. Platform Developers: Individuals or organisations responsible for producing the operating system and interface of a device.

Note that the “App Developers” category will include all organisations that produce apps. Organisations which produce apps, run an app store and provide an operating system on which apps can run can fall into all three categories. 

The eight principles contained in the Code are summarised below:

  • Principles 1 and 2: These require app stores to set out a clear security policy to developers, vet apps that are submitted to them, and remove any app within 48 hours of discovering that it is malicious. Developers are required to use industry-standard encryption within their apps, provide a means for users to delete personal data gathered by the app, and ensure that the permissions requested by an app are only those required to help the app function (and, in any case, ensure that an app still functions even if the user disables optional functionalities and permissions). 
  • Principle 3: This principle requires app developers to introduce a vulnerability disclosure process for their apps, and for app store operators to ensure that all apps on their platform have a vulnerability disclosure process, and that their app stores themselves have a vulnerability disclosure process. 
  • Principles 4 and 5: These require that apps are kept updated to protect users and that security information is provided to users in an accessible fashion. Specifically, developers are required to release updates to fix vulnerabilities in their apps and provide app stores with clear information as to the permissions (eg use of the device’s camera) and personal data used by an app. App stores are required to prompt users to update apps when an update is released and display relevant security information about an app to users.
  • Principles 6 and 7: These require a degree of communication and openness between app stores and developers. App store operators are required to signpost developers to the Code, publicise any changes to their developer policies and provide clear feedback to developers when they either remove an app or reject an app for publication on their store. 
  • Principle 8: This principle sets out obligations for app stores and developers where a personal data breach occurs. Where either party becomes aware of a personal data breach involving an app, they must notify stakeholders. In addition to existing obligations under data protection law, developers must signpost users on how to protect themselves and app stores must consider whether they should continue to distribute the app. 

Why is this important?

While the Code, in its current state, is voluntary, the follow-up to the public consultation states that the Code is intended to be a first step in improving security in app distribution, and that there are further steps that the Government might take forward in the future. As such, the introduction of the Code may set the tone for further regulation and/or intervention in this area. 

The DCMS states that, even though the Code is not mandatory, there is likely to be public pressure on developers and app stores to comply with it, and compliance with the Code will become a differentiating factor in a competitive market. The follow-up to the consultation makes reference to the possibility of introducing a certification scheme, which would make it easy for consumers to identify which businesses are complying with the Code and would be likely to increase the pressure on businesses to comply. More generally, complying with the terms of the Code is likely to help ensure that apps and app stores are safer environments for users, and so help to avoid any reputationally-damaging security breaches. 

It goes without saying that there will be some pressure from the DCMS and the Government to comply. The DCMS has already said that it will give businesses nine months to comply with the Code and will stage meetings with the major players in the industry to assess how they have begun to change their processes to comply. As the Code is not mandatory, it is not clear what, if any, enforcement measures the DCMS could take against a business refusing to comply with the Code. 

Any practical tips?

Given the focus which the regulators, and the wider market, are likely to put on compliance with the Code, it makes sense for app stores, app developers and platform developers alike to get to grips with the applicable principles as quickly as possible. For example, app stores should ensure that they display all the information to users required by the Code (eg security information) and that they have means of communicating the required information to developers (eg reasons for removing an app). They should also review their internal processes to identify whether they can comply with some of the specific requirements under the Code (eg the requirement for app stores to remove any apps identified as malicious within 48 hours of discovering that they are malicious). 


Spring 2023

Stay connected and subscribe to our latest insights and views 

Subscribe Here