Navigating data regulations and privacy in 2025

Anthony Main, founder

January 28, 2025

It's been 7 years since the rollout of GDPR across Europe and the UK, with many other nations following suit with their own data protection regulations. Technologists and platform owners have slowly been introducing more rigour and guidance in their own services and how their customers use them, bringing a swell of changes for app owners in 2024.

With this in mind, we wanted to create a wrap-up of where things stand as we step into 2025. It’s also a handy refresher for what app owners should be thinking about, especially if you are developing an app in the health and wellbeing space.


A brief history of app privacy

Let's take a quick look back at key events in the app privacy timeline, as last year brought a renewed focus from both platform giants Apple and Google:

As you can see, it's been a whirlwind few years, with that final point being a huge change for Apple to align with EU regulations. (Read more about it here and here.) To capture all this, we’ve broken down what this means for app owners and developers into three sections:

  1. Commercial: any other considerations that aren’t purely technical.
  2. Backend services: all the data and business logic that power the above.
  3. Frontend apps: the user-focused apps that they download from the stores.

But before we get into it, what's really important is Personally Identifiable Information (PII). This is any data that establishes or identifies someone specifically in a system. It is divided into two categories, sensitive and non-sensitive, with the former requiring the most attention and careful consideration. Here are some examples:

Sensitive PII

  • Health and medical information
  • Government identification numbers
  • Financial information
  • Biometric data
  • Personal demographics
  • Contact information

Non-sensitive PII

  • Basic identifiers e.g. username
  • General contact information
  • Device information
  • Location data e.g. city, region
  • Usage data

But there is another type: probabilistic data, and specifically fingerprinting!

  • Probabilistic Data is information that has been derived or inferred from other sources or modelled based upon probabilities rather than explicitly captured.
  • Fingerprinting is a technique used to identify unique users when account information is not available. It is typically derived from technical details of their software, device hardware or network connection.

Whilst there is nothing wrong with the use of probabilistic data for valid purposes, the use of fingerprinting (and cookies) is slowly being prevented, right down at a system level, with Apple and Google proactively seeking to eradicate any attempts to use them. Whilst it isn't directly related to data protection regulations, it’s certainly something to be aware of.


Commercial considerations

As we stated in this blog, data regulations are now here to protect your users and adoption internationally is growing. For detailed insights into each region’s specific laws and a handy comparison tool, check out the following app from DLA Piper.

Since Brexit, the UK has adopted its own version of the EU’s GDPR guidelines. While there are some differences, they remain closely aligned and are among the strictest internationally, making them a strong benchmark for most app developers.


What do we need to consider commercially?

GDPR mainly focuses on user rights, consent, transparency, accountability and robust data security. To ensure compliance, data custodians should consider and document the following:

  • What data is collected: E.g., health conditions, prescriptions, or doctor visits.
  • What consent is required: Has the user explicitly agreed you can capture their information?
  • Why it’s collected: Specify the purpose, such as improving user health tracking or enabling remote medical consultations. Ensure you are only collecting the minimum amount of data to meet that purpose.
  • How long is it needed: How long should the data be stored, and if the user becomes inactive or leaves your app, should it be removed or anonymised?
  • Where it’s stored: Identify the databases, cloud services, or physical storage locations.
  • Who has access: Clarify the roles and entities (e.g., employees, third parties) with access to the data.

The second point is key: Apple and Google are doing their best to support this technically, by introducing guard rails to ensure consent has been given before data is accessed. Their review process and guidelines include additional checks to ensure that all data being captured is justified (but more on this in the frontend section).


Users now have formal rights

GDPR outlines explicit rights for your users and their data that you need to ensure you can service through technology or offline processes.

  • Right to access: Allow users to view what personal data you’ve collected.
  • Right to rectification: Enable users to update or correct inaccurate data.
  • Right to erasure (Right to be forgotten): Allow users to delete their account and associated data permanently.
  • Right to data portability: Provide users with a way to download their data in a portable format (e.g., JSON, CSV).
  • Right to restrict processing: Allow users to limit the ways their data is processed.
  • Data portability: Allow users to export medical data securely.

What happens if you don’t comply or there's a breach?

Well, it's pretty simple: you get fined (up to 4% of global turnover), and there have been some pretty massive examples in the last few years:

  • Uber: €290m in 2024
  • Advanced Computer Software Group (an NHS IT supplier): €6m (proposed) in 2024
  • HagaZiekenhuis Hospital: €460,000 in 2019
  • Hospital do Barreiro: €400,000 in 2018

Compliance also requires that you notify both users and supervisory authorities (like the ICO in the UK) within 72 hours of discovering a data breach, so make sure you have a robust Incident Response Plan to take action just in case!



Where do we start?

Conduct regular Data Protection Impact Assessments (DPIAs) - these demonstrate that you are considering all of the above and have a record of it. You may be asked by customers/suppliers/funders to share this, so keep it handy!

Appoint a Data Protection Officer (DPO). It doesn’t need to be a full-time role; just allocate someone to be responsible for maintaining your DPIAs and for committing to the lengths and measures you deem necessary to comply.

Implement robust security measures like encryption and data abstractions by working with a trustworthy software app developer. They’ll ensure your commitments are seamlessly integrated into the technology choices behind your app.

Data transfer requires careful consideration of where and how your data moves through systems and across regional jurisdictions, especially with regard to the use of 3rd party software suppliers (e.g. Google Analytics) and how they will use and process your data (responsibly).

Maintain transparent privacy policies that detail these promises to your users. Companies may have potential fines reduced if they can demonstrate accountability and a commitment to compliance.

Provide ongoing privacy training for your team to ensure they understand the requirements and how to handle sensitive data responsibly.


Backend systems

The backend services of your app are likely to be the most important to consider when it comes to data security, as it is likely the storage area for ALL your users’ data both personal and otherwise. Therefore careful consideration needs to be given to ensure the system architecture is suitable, data is stored securely and transfers are managed.


API and data transfers

To enhance security, enforce best-practice authentication techniques such as OAuth or OpenID and set suitable timeouts on session tokens. Ensure that only data relevant to the authorised user is exposed, eliminating the need for client-side filtering.

Always sanitise incoming data requests to protect against potential injection attacks.

Implement API gateways and introduce rate limiting to safeguard against large-scale attacks.


Access rights and permissions

Define policies and roles that encapsulate your individual use cases, then ensure suitable provision is put in place to minimise the data and system access each has.

Implement multi-factor authentication workflows, such as passkeys, SMS or email, to reduce the chances of accounts being compromised by attackers.


System maintenance

Regularly update your systems and code base to the latest software versions to reduce bugs and potential security issues that may be included from 3rd party libraries.


Data integrity

GDPR recommends that all data is encrypted, both at rest (e.g. stored in a database or files) and in transit (e.g. during API requests or when being processed across systems). Therefore ensure your databases and other file stores have encryption enabled and you implement modern standards such as TLS 1.3.

Use row-level security on databases to ensure roles are only allowed access to their own data rather than filtering in your application layer.

Where possible, partition the personal data from any other app-related data into separate databases, using pseudonymisation or anonymisation wherever possible to reduce attribution if compromised.

Aim to use automated processes to ensure data validity, with deletion or anonymisation routines that minimise the data you hold and detach long-tail data from personal attribution.
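As an added example (not code from the article or from The Distance), the following shows the partitioning and pseudonymisation approach described above: each user record is split so that direct identifiers live in a restricted "vault" store while app and health data carry only a keyed pseudonym, and erasing the vault entry detaches the remaining long-tail records from the person. The field classification, key handling and `Vault` class are constructed for illustration.

```python
"""Pseudonymise personal data so app/analytics rows carry only a keyed token
while the real identifiers sit in a separate, access-restricted vault store.
All field names, keys and records below are constructed for illustration."""
import hashlib
import hmac
import secrets

# Constructed: in production the key comes from a secrets manager, never from code.
PSEUDONYM_KEY = secrets.token_bytes(32)

# Constructed classification of direct identifiers (see the Sensitive PII list).
DIRECT_IDENTIFIERS = {"email", "full_name", "phone", "date_of_birth"}


def pseudonym_for(user_id: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Keyed HMAC: stable per user, but not reversible or brute-forceable
    without the key (a plain hash of a guessable id such as an email would be)."""
    return hmac.new(key, user_id.encode("utf-8"), hashlib.sha256).hexdigest()[:32]


def split_record(record: dict, key: bytes = PSEUDONYM_KEY) -> tuple:
    """Split one user record into (vault_row, app_row).
    vault_row holds pseudonym + direct identifiers (restricted database);
    app_row holds pseudonym + everything else (health, usage, analytics)."""
    token = pseudonym_for(record["user_id"], key)
    vault_row = {"pseudonym": token}
    app_row = {"pseudonym": token}
    for name, value in record.items():
        if name == "user_id":
            continue  # the raw id only ever appears inside the vault via the token
        (vault_row if name in DIRECT_IDENTIFIERS else app_row)[name] = value
    return vault_row, app_row


class Vault:
    """Minimal in-memory stand-in for the restricted identifier store."""

    def __init__(self):
        self._rows = {}

    def put(self, row: dict) -> None:
        self._rows[row["pseudonym"]] = row

    def resolve(self, token: str):
        """Re-identify a pseudonym; only vault-privileged roles should call this."""
        return self._rows.get(token)

    def forget(self, token: str) -> bool:
        """Erasure: drop the link so app rows become effectively anonymous."""
        return self._rows.pop(token, None) is not None
```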


Localisation

Depending on the jurisdiction and your user's location, you may need to consider broader data protection regulations. Some may require that user data be stored in their home country or region, such as the EU.


Logging and auditing trails

If possible, track an audit log of changes to data and which users made them, ensuring log files are sanitised of any personal user data wherever possible.

Proactively monitor the system and its endpoints for anomalies in behaviour in order to identify potential attacks, such as access from IP addresses outside of your jurisdiction.
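As an added example (not code from the article or from The Distance), here is one way to keep an audit trail of who changed what while keeping personal values out of the log: PII fields are recorded by name only, actors and subjects appear as pseudonyms, and free-text notes are scrubbed of e-mail addresses and phone numbers. The field classification, record shape and sample values are constructed for illustration.

```python
"""Audit-log entries that record WHO changed WHAT without logging personal
values. Field names, patterns and sample data are constructed for illustration."""
from __future__ import annotations

import json
import re
from datetime import datetime, timezone

# Constructed classification: fields whose VALUES must never reach the log.
PII_FIELDS = {"email", "full_name", "phone", "date_of_birth", "diagnosis", "address"}

# Scrubbers for PII that leaks into free text (e.g. support notes, error strings).
_EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
_PHONE_RE = re.compile(r"(?<!\w)\+?\d[\d\s().-]{7,}\d(?!\w)")


def scrub_text(text: str) -> str:
    """Replace e-mail addresses and phone numbers in free text with markers."""
    text = _EMAIL_RE.sub("[EMAIL]", text)
    return _PHONE_RE.sub("[PHONE]", text)


def audit_entry(actor_pseudonym: str, action: str, subject_pseudonym: str,
                changes: dict, note: str = "", now: datetime | None = None) -> dict:
    """Build a structured audit record.

    changes maps field name -> (old, new). For PII fields only the NAME is kept,
    so the trail still shows that e.g. 'email' was rectified; non-PII values are
    kept for forensics. People are referenced by pseudonym, never by name."""
    fields = {}
    for name, (old, new) in changes.items():
        if name in PII_FIELDS:
            fields[name] = {"old": "[REDACTED]", "new": "[REDACTED]"}
        else:
            fields[name] = {"old": old, "new": new}
    return {
        "ts": (now or datetime.now(timezone.utc)).isoformat(),
        "actor": actor_pseudonym,
        "action": action,
        "subject": subject_pseudonym,
        "fields": fields,
        "note": scrub_text(note),
    }


def to_log_line(entry: dict) -> str:
    """Serialise as one JSON line for the log shipper."""
    return json.dumps(entry, sort_keys=True)
```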


Certification

Certain jurisdictions, such as America, insist on further formal certification of compliance with HIPAA standards governing system design for any health and medical solutions. It is often worth considering this level of validation even if you are not serving American users as it further demonstrates your commitment to best practices.


Disaster recovery

Ensure you have an Incident Response Plan as part of your DPIA so there is a clear process in place should there be a breach or corruption of data. Support this with a regularly tested backup and restoration process, ensuring encrypted backups are stored in a geographically redundant manner.


Testing

Utilise automated security testing as well as 3rd party penetration tests to identify any weaknesses in the system design and architecture.


Frontend

Your frontend will deliver most of the data services and promises outlined in your privacy policies directly to the user. Therefore, the experience should be carefully designed to ensure it is suitable, clear and comprehensive enough to remain compliant.


Privacy policies

Both Google and Apple require privacy policies to be provided in order to host an app in the stores, so direct links will be available there. However, it is still best practice to make them easily accessible to your users within your app.


Authentication

Where possible, implement OAuth authentication workflows and enforce local session timeouts, even if managed at a server level.

Leverage device security features, such as biometrics, to add additional levels of protection.

Both Apple and Google provide additional authentication features that can speed up sign-in, such as shared web credentials and SMS capture for multi-factor workflows.


User consent

Ensure your apps comply with both data protection and platform guidelines by requesting explicit user consent when capturing data automatically. This includes opting into cookies (which may soon be a thing of the past). Both Apple and Google provide workflows for this in their SDKs to ensure you comply, otherwise, your app won’t get approved or worse, removed from the app stores.

Be transparent and clear when asking users to complete forms, requesting only the data necessary to fulfill the app’s purpose. For example, don’t ask for a user's Date of Birth unless you have a reason to. Understanding your user demographic for marketing purposes is not reason enough.



Input validation

Ensure your apps do not create an attack vector to your API by sanitising user input fields to prevent injection attacks and ensure data quality.


Offline, local data and cache

Where possible try to reduce the amount of data that is stored locally. If that isn’t possible, ensure it is encrypted at rest and where possible anonymised.

Avoid storing sensitive data, such as passwords or API keys, in readable forms to prevent malicious access. Where possible, refrain from hardcoding them into your codebase.

Utilise encrypted stores such as the iOS Keychain or Android Keystore to store any such information if required.


Error handling

Avoid displaying technical information from local or remote sources so attackers don’t gain crucial information that may compromise the system.


Wrapping up

As we move further into 2025, staying on top of data regulations and privacy requirements has never been more crucial for app owners. With the evolution of privacy laws and the ongoing updates from platform giants such as Apple and Google, app developers must ensure they are compliant with both regional laws and platform guidelines. From securing user data to maintaining transparent privacy practices, these steps are essential in safeguarding your app and protecting your users’ trust.

At The Distance, we specialise in helping businesses navigate these complex requirements. We’re here to help you build secure, compliant, and successful apps. If you need any expert guidance or technical support to ensure your app meets the latest data privacy standards, reach out to us today!
