Mobile Apps and Privacy Miniseries (4/5): Specific Issues – Payment, Children, Tracking

December 12, 2014
Towards the end of its 33-page guidance document on the application of data protection law to mobile apps, the working group of German data protection authorities (Düsseldorfer Kreis) gives some specific guidance on a number of hot topics: requirements for apps offering payment procedures, youth protection requirements (in particular regarding valid consent of minors) and issues of audience/range measurement.

Payment procedures

Online and mobile payment involves various (German) laws, such as the Telecommunications Act (TKG), Telemedia Act (TMG), Federal Data Protection Act (BDSG), Payment Services Regulation Act (ZAG), Banking Act (KWG) and the Civil Code (BGB). Some EU directives (e.g. Payment Service Directive) have to be considered as well. For personal data collected in connection with a payment transaction, a strict purpose limitation applies. Bank account data is particularly sensitive data, subject to special statutory protection. The authorities emphasize the paramount importance of specific technical and organizational measures regarding data security. In addition, Sec. 42a of the German Federal Data Protection Act obliges operators to notify the authorities and concerned users immediately of any data security breach involving banking or credit card data. Failure to do so carries fines of up to EUR 300,000.

Youth Protection

Minors, because of their mental development and notably at a young age, are often not in a position to understand whether a disclosure of their data is necessary or useful, and what consequences this will have. Children under the age of 7 are legally incapacitated in Germany; the critical age in the context of data protection consent declarations is between 7 and 14. According to the Düsseldorfer Kreis, consent to data processing from a minor under 14 years of age cannot be assumed as lawful without parental approval.

Audience/range measurement

If a procedure is used for range measurement and the evaluation is or will be performed by a service provider, the app provider remains legally responsible (responsible entity). The privacy guidelines summarize the requirements for privacy-compliant tracking and audience measurement methods as follows:

  • Anonymization of the IP address
  • Effective possibility to opt out
  • No merging of pseudonyms with data on the actual data subject
  • Information on creating pseudonymous user profiles and about the possibilities to opt out
  • Conclusion of a commissioned data processing contract (assignment to a service provider)


Previous installments:

Application of EU Privacy Law

Privacy Policy and Consent

Privacy by Design

Felix Hilgert

Senior Associate at Osborne Clarke
Felix is a lawyer with Osborne Clarke's IT Team in Cologne, where he acts for companies of all sizes, from start-ups to market leaders.
