How app developers should define 'explicit authorization'

Shane Schick

For a lot of app developers, the word "explicit" might not come up a lot unless you're referring to some of the more violent content you see in certain mobile games. Apple, however, wants to make it a much bigger part of their vocabulary.

Not long after it held the event that formally launched the Apple Watch, Apple Pay and its latest MacBooks, Apple made one of its regular updates to its App Store review guidelines, with changes that will affect a lot of those creating iOS apps for those new products. None of the changes is particularly surprising. For example, if you're a developer who wants to take advantage of ResearchKit, Apple's open-source platform for working with medical data, you'll need to make sure users have consented to the use of their health information.

There's a similar provision for Apple Pay. If an iOS app is designed to facilitate any kind of recurring payment, Apple wants to make sure the user understands the terms of that recurring payment and how to get out of it if they choose. Finally, Apple said that "apps that include the ability to download music or video content from third party sources (e.g. YouTube, SoundCloud, Vimeo, etc) without explicit authorization from those sources will be rejected."

What does "explicit authorization" mean? Let's start with what it doesn't mean. It doesn't mean you simply use whatever links or other technologies are easily accessible and assume the third-party source has opened the floodgates to the app-developer ecosystem. It doesn't mean you put the onus of copyright infringement or any other legal issues on the consumer of the app, whether they have implicitly agreed to this in your privacy and usage agreement or not. It doesn't mean you hope that no one pays much attention to what you do because you're a one-person studio with an app that has yet to attract a sizable audience.

Explicit authorization probably means "in writing," whether that's an e-mail, a formal contract or enrollment in an app-developer program with an associated SDK or API library. It means acting like a real business instead of an artist who is somehow above these sorts of things.

Although "explicit authorization" was used to describe the kind of consent developers need from consumers regarding health data or Apple Pay terms and conditions, I suspect it won't be long until it is required for most other apps as well. As with any privacy policy or usage agreement, the world is moving away from what is sometimes referred to as a "negative opt-in"--where you agree to something unless you go to the trouble of saying "no" up front. Explicit authorization means you've done the work to ensure that there will be no misunderstanding about an app, its customers and the data that surrounds those two entities.

This won't simply be an Apple stipulation. Expect it from Google, Microsoft and any other platform provider before too long. The world is becoming too digitally interconnected for these T's not to get crossed and those I's not to get dotted. If developers aren't proactive in avoiding liabilities, they will soon be forced to make everything much more explicit.