Mobile App Regulations & Legal Compliance

Sorting out the cluttered world of mobile app regulations can feel overwhelming. 

Various overlapping regulations originate from multiple authorities and geographical regions. It’s a lot to unpack, but understanding how each regulation impacts app development is crucial. 

This guide provides a high-level, concise guide to the major regulations affecting mobile apps — a starting point for sorting out regulatory concerns before and during development or even post-deployment.

General Data Privacy Regulation (GDPR)

GDPR applies to businesses that handle the personal data of EU residents.

The law specifies several types of protected data:

  • Identity information (name, address, phone numbers, etc.)

  • Health, genetic, and biometric data

  • Location data, IP addresses, RFID tags, and cookie data

  • Political opinions

  • Sexual orientation

  • Racial or ethnic data

GDPR affects companies that fall into one of several categories. Companies that need to comply with GDPR include those that have:

  • A presence in an EU member country

  • No presence in the EU, but process personal data belonging to EU residents

  • More than 250 employees

  • Fewer than 250 employees but process data that could impact the “rights and freedoms” of EU residents, is not occasional, or includes specific types of protected personal data

Given these broad categorizations, every company that manages any personal data related to EU residents needs to pay close attention to GDPR.  

Employee using mobile smartphone in city. Courtesy Adobe.

Courtesy Adobe.

Key GDPR rules

Here are a few GDPR rules that commonly impact U.S. companies:

  1. Companies must obtain permission to store and process personal data.

  2. Companies can only store data “no longer than is necessary for the purposes for which the personal data are processed.”

  3. Companies must erase personal data upon request (although GDPR does not supersede requirements set forth in other regulations like HIPAA).

  4. Companies must provide a “reasonable” level of privacy and data protection to EU citizens.

  5. Companies must report data breaches to affected individuals and the appropriate authorities within 72 hours of detecting a breach.

GDPR compliance

GDPR lists several key roles related to compliance. Most companies required to comply with the regulation must designate three key roles: 

  • Data controllers oversee the processing, handling and storage of personal data.

  • Data processors are liable for breaches or non-compliance (including third parties hired to conduct this work).

  • Data protection officers (DPOs) create data security strategies aligned with GDPR rules. Not all companies are required to designate a DPO.

GDPR enforcement

The Information Commissioner’s Office (ICO) enforces the GDPR, usually by responding to reported non-compliance. Fines up to €20 million or 4% of global annual turnover are the primary remedy for enforcement of GDPR.

FDA mobile regulation

The FDA first issued the Policy for Device Software Functions and Mobile Medical Applications Guidance, or “Mobile Medical Applications,” in 2013. These guidelines provide a framework for the oversight of software functions that could “impact the functionality or performance of traditional medical devices,” according to this 2019 FDA memo

Key FDA mobile rules

FDA’s rules that apply to mobile health apps are classed by the “apparent level of risk” presented. To receive FDA clearance, companies need to read through dozens of rules laid out in the policy. Two rules most likely to apply for most companies include:

  • Risky or invasive devices must be approved (this does not include those that FDA has already determined are not dangerous or invasive).

  • Manufacturer claims must be accurate.

Generally, the FDA has taken a “light touch” approach with mobile medical apps with the intention of encouraging innovation and experimentation. 

FDA mobile compliance

Complying with the FDA rules related to mobile medical apps means receiving proper clearance, depending on the “class” of the app, according to FDA: 

  • Class I apps are not medical devices, as defined by FDA and are typically cleared within a week.

  • Class II apps are similar to those that the FDA has already cleared, even if they are medical devices. Class II apps are typically reviewed within 90 days to 10 months.

  • Class III are subject to regulation, usually because they are similar to apps FDA has already determined need to be regulated. The clearance process takes about 36 months or longer and often requires extensive clinical trials.


HIPAA is shorthand for the Health Insurance Portability and Accountability Act of 1996, a law related to health care data privacy and security. 

Key HIPAA rules

The law primarily focuses on how businesses are allowed to use and store protected health information (PHI). HIPAA standards must be considered, from various angles, throughout the development and evolution of mobile medical apps. 

HIPAA primarily focuses on five components:

  • Healthcare access

  • Healthcare fraud prevention

  • Tax-related health provisions

  • Oversight of group health insurance requirements

  • Revenue offset for employees

HIPAA compliance

HIPAA compliance is based on the HIPAA Security Rule. The Security Rule sets standards for app development considerations, including:

  • Administrative functions

  • Physical safeguards like ensuring servers storing PHI are kept in secure areas

  • Organizational safeguards

On the technical side, the Security Rule identifies specific policies and procedures related to protecting ePHI across several security-related categories:

  • Access control

  • Audit controls

  • Authentication

  • Security around data transmission

  • Data integrity

HIPAA enforcement

The U.S. Department of Health and Human Services (HHA) enforces HIPAA compliance through penalties including fines for unauthorized disclosures of PHI (data breaches) or, in some cases, fines for non-compliant HIPAA apps where no breach has occurred. 

Sarbanes-Oxley (SOX)

The Sarbanes-Oxley (SOX) Act is a federal law aimed at protecting investors from fraudulent financial reporting. Typical businesses impacted by SOX include public companies and accounting firms.

Key SOX mobile rules

SOX rules related to mobile apps revolve around accessing or transmitting corporate data from a mobile device or storing it on a mobile device. A few major provisions that may impact mobile app development and compliance include:

  • Senior corporate officers must personally certify that corporate financial statements comply with SEC disclosure requirements.

  • Companies must establish internal controls and reporting methods.

  • Strict record keeping requirements centered on three key areas: the destruction and falsification of records, retention periods for data storage, and which records must be stored, including electronic communications.

SOX mobile compliance

Complying with SOX means following the rules related to the business at hand. Mobile app developers must ensure that any financial data being transmitted, stored, or accessed is reported and managed in accordance with SOX to stay in compliance. 

SOX mobile enforcement

The U.S. Security and Exchange Commission (SEC) enforces SOX. In addition to fines and other federal sanctions, corporate officers who sign off on financial statements can be subject to criminal charges and penalties, including prison sentences. 

Other mobile regulations

Some mobile apps may be subject to other regulations, including:

  • The Federal Trade Commission (FTC) Act and State Mini-FTC Acts, guard against unfair trade practices, including consumer privacy issues, truth-in-advertising and data security. 

  • The Wiretap Act deals with intercepted mobile device communications  and prohibits the use or disclosure of illegally obtained communications.

  • The Stored Communications Act prohibits the knowing disclosure and unauthorized access of communications and systems used to transmit wire or electronic communications. 

  • The Video Privacy Protection Act (VPPA) protects video records obtained and stored by mobile apps. 

  • The Computer Fraud and Abuse Act (CFAA) prohibits unauthorized access of prohibited information, including protected federal or financial institutions and knowingly trafficking in device passwords and extortion related to protected computers.

  • The Restore Online Shoppers’ Confidence Act (ROSTA) requires merchants to protect customer billing information from third parties, disclose transaction terms before collecting billing information, obtain customers’ informed consent before charging them, and to provide a way for customers to stop recurring charges. 

  • The Gramm-Leach-Bliley Act (GLBA) requires financial institutions to disclose their information-sharing practices to customers and to protect sensitive data. 

Determining which regulations apply to specific mobile apps, and when, can be a time-consuming, complicated process. When in doubt, it’s best to consult with a qualified attorney or expert to reduce the risk of expensive fines and other punitive actions. 

Related articles


HIPAA, regulation, FDA, SOX, GDPR