As more local developers rush to build applications, South African law takes a dim view on apps that play loose and fast with personal data.
While it is becoming easier to build mobile applications, local developers may face serious legal hurdles to ensure their apps comply with the law, according to Alec Veitch, senior associate and Jonathan Salant, candidate attorney at Schindlers Attorneys.
Here are the laws that affect mobile application services:
Consumer Protection Act (CPA)
The CPA governs advertising as well as the selling of goods and services.
“Accordingly, a person who is launching a mobile app must be abreast of the various requirements before blindly launching it to consumers,” said Veitch.
“Advertisements must be in plain and understandable language, the price of the goods or services must be clearly displayed, and the trade description of the goods or services must not be defined in such a way as to mislead the consumer,” Salant added.
In terms of the CPA, mobile apps that offer agency services such as PriceCheck or Hippo Insurance Quotes should disclose whether they represent specific organisations.
Electronic Communications and Transactions Act (ECTA)
“A consumer has the right to a ‘cooling off period’ in terms of which they may cancel any order done through the app within seven days of receiving the goods or services, or within seven days of concluding the contract,” said Veitch.
A consumer should not incur any costs for changing his or her mind during this period, except for the cost of returning the goods. It is illegal for penalties to be levied, to be applied as in the case of a cancelled cellphone or insurance contract.
“Any payment that was made by the consumer prior to the consumer cancelling the agreement must be refunded within 30 days,” said Salant.
Suppliers may not accept direct payments from consumers for services rendered through applications and an SSL (Secure Sockets Layer) certificate is necessary to effect web-based payments.
In simple terms, a developer may not steal the idea for an application.
“It is, therefore, essential that any person who conceptualises a mobile app specifically contract terms that regulate ownership of the intellectual property associated with the app,” said Veitch.
However, in the case where the startup hires a developer to build an application, there should be careful consideration of the legal implications.
“The coder and/or developer should be made to sign a Non-Disclosure Agreement (NDA) prior to commencing work as a safeguard to prevent them from reproducing the app, or anything similar, once the mandate for work with the copyright owner has ended,” said Salant.
Protection of Personal Information Act (Popi)
Popi is a new law that is expected to come into full implementation in July 2016. It will heavily penalise organisations that don’t take adequate care with personal information.
“When a person signs up for a mobile app and personal information is given, it is crucial that the information which is provided is limited to that which is necessary for its specific purpose,” said Veitch.
The act specifically mandates that companies should not share personal data of “data subjects” such as addresses and IDs with third parties without expressed permission.
“The Protection of Personal Information Act (Popi), gives effect to a constitutional right to privacy and the unauthorised access to information regarding the educational, medical, financial, criminal or employment history of an individual as well as their personal details such as ID numbers, contact details and physical addresses is restricted by the act,” said Candice Sutherland, business development consultant at SHA Specialist Underwriters.
Identity theft has become a cybercrime priority and business organisations that are found to be negligent with personal data may be fined up to R10m.
“This steady increase in identity theft places organisations and their clients under greater risk of legal, financial and reputational repercussions and must not be taken lightly,” said Gianmarco Lorenzi, managing director of Cleardata.