Yes! According to Section 3 of PIPA: “this Act applies to every organisation that uses personal information in Bermuda where that personal information is used wholly or partly by automated means and to the use other than by automated means of personal information which form, or are intended to form, part of a structured filing system.”

Unlike some data protection regulations in other countries, which set income or size thresholds, PIPA applies to every organization using personal data. Diving further in, data processing is considered to be automated if direct human intervention is not required to carry it out. Collecting and/or using a user’s location data to give restaurant recommendations, or credit card information to initiate a transaction, are both examples of automated processing of personal data that commonly occurs on mobile apps.

Once your app is released into the wild, it’s important to note who will be able to access it. More likely than not, you have visualized a target audience for whom your app’s functionality is tailored through specific features and services. Whether through purposeful design or just by nature of having your app accessible in a store-like environment, you should keep in mind that vulnerable populations may have access to your app.

While definitions of vulnerable populations can differ across contexts, in a recently published book, entitled “Modern Socio-Technical Perspectives on Privacy,” McDonald and Forte define vulnerable individuals as “those who, because of their race, class, gender or sexual identity, religion, or other intersectional characteristics or circumstances, are more susceptible to privacy violations that result in emotional, financial, or physical harm or neglect.” Considering this definition and PIPA requirements regarding sensitive personal information, special attention should be paid when processing such information and any personal data relating to children.

It is also important to note whether your app will be available outside of Bermuda. In some countries, having your app available to their citizens and/or residents could mean you are "targeting" them, a condition that could subject you to the data protection laws in those countries.

Think about the core functionality of your app and the data you really need from users to make it come to life. Although it is tempting to collect multiple personal data types just in case you might use them later on, minimizing the data you collect (formally called “data minimization”) is a privacy best practice that will undoubtedly save you headaches. Special attention should also be paid if you plan to collect any sensitive personal information. PIPA states that use of this data may not be permitted in specific circumstances and may require an additional user consent or other action.

With your plans to collect personal data in mind, consider the Principles of Privacy by Design. These 7 principles, authored by former Information and Privacy Commissioner of Ontario Ann Cavoukian, outline important categories of privacy considerations best addressed proactively in the engineering process. The second of these principles concerns "Privacy by Default," which is a particularly important consideration for app developers. When a user downloads your app, its default state should be the most privacy-preserving. Think about it this way: if a user downloaded your app and swiftly clicked “OK” on every pop-up presented, would the settings that result represent the most privacy-protecting version of your app?

Using, storing, and deleting personal data require varying considerations when it comes to security and privacy protections. When using personal data, it is a good general rule to ensure it is only being used for the purposes your users have consented to. If the use of data involves transferring it internationally, a legal process called a data transfer mechanisms must be in place, and as previously mentioned, international data protection laws will need to be taken into account.

Both when using and storing data, you should employ encryption techniques that are current industry best practice. Data storage should involve "pseudonymization" techniques, meaning that data should be de-identified and only re-identifiable when combined with secure and separately stored data. "Access management" is also a very important consideration from an overall security perspective and with respect to subject access requests (SARs). As outlined in Part 3 of PIPA, individuals have access, rectification, blocking, erasure, and destruction rights when it comes to the personal data you hold on them, so creating storage mechanisms that prioritize security and facilitate timely responses to these requests is paramount.

You should also consider data deletion when a user stops using your app unless it is absolutely necessary to retain their data, usually for legal reasons. When kept under these circumstances, this personal data should be stored securely to avoid any unauthorized and unintended use.

When creating an app for the first time, many developers choose to start with a set of tools, usually provided by software or hardware companies, to make getting started on a particular platform easier. While these kits may simplify development and subsequently reduce time to market, they are often preprogrammed to include third party data collection and usage that can easily go unnoticed. This means that personal data may be transferred to third parties, possibly in ways that do not allow for appropriate user consent. More likely than not, these will be overseas third parties, and transfers to these entities receive special recognition under PIPA - and once again, bring international data protection laws into play. For more guidance on overseas third party data transfers, check out this previous blog post.

Great customer service is informed customer service, and letting users know what is happening to their data and how they can control its collection and use are important selling points. Documenting your work from the beginning, including all steps taken to answer the previous questions, will make creating effective privacy labels, policies, and in-app notices more streamlined and lead to more clearly conveyed privacy practices.

• Apple: Manage app privacy

• Atlassian:

o Data privacy guidelines for developers

o User privacy guide for app developers

• Australian Government: Mobile privacy: a better practice guide for mobile app developers

• International Association for Privacy Professionals (IAPP): Privacy Design Guidelines for Mobile Application Development

• UK Information Commissioner’s Office (ICO): Privacy in mobile apps: Guidance for app developers

• OWASP:

o Top 10 Web Application Security Risks

o Mobile Top 10

o Desktop App Security Risks

o Software Assurance Maturity Model (SAMM)