On-demand apps that provide a service, meaning they link someone to a contractor and/or work as third-party integrations that link users to protected data, are subject to unique regulatory compliance whether it’s data compliance, service matters or both. Planning around the bureaucracy you’ll inevitably face is necessary otherwise, you run the risk of running a business into the ground. Data compliance laws and other legal matters from on-demand service models are sometimes as important to the longevity of an app as the UX.
Planning for data compliance is pretty straightforward – we cover this in our design sprint as these are issues my development team and I have to know or I’d be running a breakfast place and hiring a different kind of talent. However, there are other kinds of legal issues that surface beyond securing an app and meeting regulatory compliance.
Here, we’ll first touch on a few of the big data compliance agencies then look at the other side of legal issues relevant to mobile apps – specifically with on-demand apps pitfalls inherent to such services – starting with Assembly Bill 5 in California.
Overview of a few primary data regulations affecting on-demand service apps
Depending on the nature of your app and industry(s) it targets, you’ll be subjected to meeting the app legal requirements issued from the following regulatory organizations.
PCI DSS. In the past, card companies each had their own “rules” which ended up being a convoluted mess. Hence, the PCI Security Standards Council like Captain Planet but with a Juris Doctorate in digital information. Their main goal is to keep merchants and customers card transactions safe by insisting a set of 12 rules are adhered to for any merchant that offers a digital storefront.
Fortunately, portals for payment services where it’s PayPal, Stripe, Braintree or another similar service, compliance is mostly handled on their end. As such, your business shouldn’t need to store payment information as it’s unnecessary and only leaves a loose end on a knot – so to speak – that will need re-tied over time.
HIPAA. In the US, HIPAA regulation aims to keep protected health information simply put, protected. Even those with past experiences in the field often overlook certain bits of information protected by HIPAA.
Some branches of health care are subject to acute regulation. Whether it’s mental health care, neurology, urology, or any other branch of healthcare, a good rule of thumb is to understand that virtually any health parameter is likely regulated about HIPAA.
For example, the on-demand eyewear site Firmoo is obligated not only by PCI DSS to protect payment information but also by HIPAA to protect health parameters such as your script and even the measurements, such as your PD (pupillary distance measurement) and the seg height (vertical bi-focal or progressive lens placement for any given eyewear frame) under HIPAA.
Perhaps the best examples are found in HIPAA-compliant solutions like the messaging service from vendor TigerConnect. Their messaging app that can exist as a standalone solution or an integration to an EMR/EHR. It’s powered by an API that securely transmits not only messages that often contain protected health information (PHI), it can push and pull data between a vast number of medical and communication systems. It can also be used as a secure messaging service for patients to easily and contact providers in between scheduled visits.
TigerConnect has to meet HIPAA compliance by ensuring data is securely transmitted between endpoints as well as safely archived. For those planning to release a medical app, its critically important to understand all HIPAA bylaws or costly fines can easily result.
NCSL. Those creating apps for the government or for users to interface with state government data need to comply with this agency’s policies for safeguarding citizen data. As state databases hold immense amounts of personal data which could cause a major detrimental impact on people’s lives should it fall into the wrong hands.
A good example relates to monitoring equipment used on roadways that capture license plate information, a process that’s subject to NCLS regulations. A license plate can be used to identify a person and link to other data, it’s important that such information is safely transmitted back to a secure database that generally exists on the vendor’s server.
Vendors that install Automated license plate readers (ALPRs) either create their own software or use existing applications that facilitate the exchange of information among the camera and storage server as well as other valid agencies’ systems are subject to NCSL regulation. Analytics vendors like Vigilant are also subject to NCSL compliance as their analytics system uses these images to detect patterns which can help investigators identify travel patterns and ideally, thwart certain crime.
Validating user identities. One other major issue when developing apps for government and private sector use involves vetting users by analyzing past criminal activity – and there’s more to it than clicking a link in a verification email. For highly-confidential data (even outside of government), services like Chekr can be integrated to help perform background checks. This and other similar services enable service providers to thoroughly authenticate their user base.
For example, you wouldn’t hire someone at Grubhub, DoorDash or another delivery service if they had a handful of DUIs on their record!
Uber and Lyft are causing shifts in on-demand legal policies
If you’re reading this, you’ve likely summoned an Uber or Lyft (maybe just rode along) at some point. Since shortly after the release of these apps through recent times, news headlines reveal workers are not happy with conditions, causing them to strike.
This is where it gets tricky with respect to law and ethics. Both companies rely on their workers to work as contractors for a few key reasons. The work they offer isn’t guaranteed (especially in some markets), it allows them to keep costs low by paying a percentage of the trip fee to the driver and perhaps the most salient point is that it keeps liability low for the company and absolves them from needing to offer benefits.
However, this is changing for at least one state.
A law based on Assembly Bill 5 (AB5) went into effect in California that is designed to help people in various industries by ensuring they get their piece of the pie. They realize that investors are making a decent living. Some drivers are making excellent money, but others aren’t so fortunate for a variety of reasons – new laws will attempt to make this model and other contract work more stable to keep the gig economy a viable way for people to make a living.
Of course, don’t feel obligated to pay out absurd wages and risk ruining your business. However, do keep their interests in mind, run the numbers, and provide what you can. After all, this is a huge part of developing a great culture.
If you’re employing contractors, keeping them solvent is as important as treating regular employees well and your customers. Just don’t let ‘being nice’ run you into the ground or everyone loses.
Legal caveats of on-demand apps
The human element is what makes legal obstacles with on-demand apps a bit obscure. Glaring issues should seem obvious but there are also “unknown-unknowns” in the equation – it’s a lot like going in to have the brake pads or drums on your vehicle replaced then learning you have a seized caliper. And the caliper is seized because the master cylinder is leaking brake fluid.
Whether your app intends to take advantage of the gig economy – in the most ethical way, of course – or sell products and services, it needs to be understood that no one is infallible. Even with planning, something is bound to go wrong at some point and someone will be pissed off.
To prevent on-demand legal issues from turning into fines or a loss of your user base, there are a few simple tips that help with most models.
However, just because you slip something in a contract doesn’t mean it will hold up in court and the right person can put an egg on your face as a result. Consider condensing the information into more digestible language and try your best to make legal docs easy to read so expectations are clear.
Adapt to feedback from your workforce and users. Workers and users will find a way to tell you when they’re not happy, whether it’s through Yelp, Glassdoor or some other medium like a Medium blog. Grievances that resonate with others can often churn into something much bigger than a bad review.
Take time to listen to feedback and criticism then figure out how to present the information to stakeholders so these matters can be resolved. You or your investors might have fronted the bill and may attempt to circumvent such issues but understand that it’s only a matter of time before a ship taking on water either sinks or stops in its own wake.
Buy and provide insurance for your business and whatever else is eligible. Just like a vehicle or the bones and guts beneath your skin, insuring your people and business is just as necessary as insuring your transportation and health. If you’re employing contractors this is almost always a tenuous bond, much like someone you date for months but never get into that relationship category. Attempt to find a way to transition giggers into employees that you can invest in them. The culture this helps cultivate is invaluable.
As far as data is concerned, it’s a good idea to make sure a plan is in place in the event all hell breaks loose. Sometimes internal employees fly off the handle as they walk out, bad guys lurking the web may have found a vulnerability your team didn’t catch, or any other number of things could expose data. Saying, “Oops, sorry,” to your users isn’t acceptable.
We literally just witnessed a major circus with the Iowa Caucus due. There’s truly no reason for such problems as the app should be designed well enough to easily (and securely) transfer data via an API and the UX should be tuned such that operator error is all but eradicated.
In any case, money talks – it’s virtually the only way to have a shot at an apology being accepted.
Learn about data compliance with Blue Label Labs
We at Blue Label Labs have a lot of experience in developing and launching on-demand service marketplaces. We’ve learned from the good and bad over the years and only get better after every successfully completed project like Hyer and Hello Sitter.
When you get in touch with us at Blue Label Labs for your mobile app project, we’ll cover the scope of on-demand legal obstacles you’ll need to address during our design sprint. We’ll help you understand data compliance regulations as well as brainstorm around potential technological and business pitfalls of your design then build a phenomenal product.
Get the latest from the Blue Label Labs’ blog in your inbox
More in App Marketing and Business Trends, News & Announcements
App Rundown: DoorDash
Apps are what we do here at Blue Label Labs. Every so often, we like to do a deep dive and discuss the finer (and not so fine points) of…
New Features Coming to iOS 15
Roughly every year, a major update is released for iOS that packages new features for users and tools for developers to leverage these services in the apps they develop –…
A Walk Through the App Graveyard
Some say that after an app leaves this world, it enters another dimension of the web where they wander in search of their old servers. Others say some apps never…