
Mobile App and Software Developers: A Guide to Regulatory Compliance

In this age of technological innovation, with growing numbers of start-ups developing software and mobile apps, conditions are absolutely prime for emerging players to flourish. For the developer looking to enter the market, an appreciation of the regulatory landscape is vital to ensure that you operate within the parameters of the law and are properly protected against the adverse consequences of non-compliance.

Step 1: What are you offering and to whom?

A proper understanding of your product offering and market context is necessary to determine what regulatory requirements apply to you. For example:

  • Unpacking the functional aspects of the offering will point to whether the product will entail the performance of a regulated activity, for instance, the processing of personal information, requiring compliance with the (partially in force) Protection of Personal Information Act, 2013 (POPI), or the offering of financial advice and/or services, requiring compliance with the Financial Advisory and Intermediary Services Act, 2002; and
  • Defining the target market (in particular whether the product is going to be sold to government) will determine whether compliance with the extensive government public-procurement framework is required.

Step 2: Are you approaching government?

If you intend to engage the government market, there is a complex procurement framework that will regulate your relationship with the state. The following key questions should be in the mind of every developer:

  • Are you responding to a Request for Proposals (RFP) or will you be approaching government directly on an unsolicited basis?

If it is the former, then you will need to submit a bid responding to the invitation to tender, and strict adherence to the tender conditions will be required. In the absence of an RFP, it is likely that you will be approaching government with an unsolicited offering (one that is received by a public body outside of a normal procurement process), and compliance with the applicable legal framework will be important. Read more detail on this topic here.

  • Are you targeting government at national, provincial and/or local level?

There are subtle differences in the various legislative frameworks governing procurement at each level of government. In respect of unsolicited offerings specifically, the Public Finance Management Act, 1999, together with the relevant Treasury Regulations, practice notes and circulars, comprises the applicable legal framework in respect of all provincial and national departments, whereas the Local Government: Municipal Finance Management Act, 2003; the Local Government: Municipal Systems Act, 2000 and the relevant municipal regulations apply only to local government.

  • Rather than approaching government unsolicited, have you considered marketing your offering to public bodies in the hope that they initiate engagement with you?

To avoid the complications associated with unsolicited offerings, an alternative option would be to engage in a marketing campaign designed to persuade a particular public body to initiate engagement with you. In doing so, that public body may elect to depart from the competitive-bidding process or solicit written quotations directly from you – which may or may not eventuate in the formation of a contractual relationship with your company. The point is that the regulatory burden of compliance shifts to the state since it will be expected to satisfy the legal requirements for deviation from competitive-bidding or solicitation of written quotations.

  • What are the pros and cons of these alternatives?

While the law recognises the potential benefits of unsolicited offerings – greater innovation, improved service delivery and a generally enhanced quality of service to the public – the absence of an assessment of comparative value means that there is a strong constitutional preference against contracting outside of a competitive bidding process. In particular, section 217 of the Constitution requires public bodies to procure goods and services in a manner that is “fair, equitable, transparent, competitive and cost-effective”. The marketing approach may thus carry some underestimated advantages since, for example, it permits extensive informal engagement with the public sector outside of the unsolicited-offerings framework (social media, informal conversations and even presentations to public bodies).

What is required by the applicable procurement framework and how best to use these mechanisms is far from clear, calling for the engagement of legal specialists in the field.

Step 3: Are there any industry-specific legal requirements that apply?

The market context will determine whether there are any industry-specific requirements that need to be met. For example, there is a suite of healthcare legislation, regulations and guidelines that frame the regulatory scheme in the medical context (for instance, the National Health Act, 2003 and the HPCSA Guidelines). Although much of this legislation is outdated in that, amongst other things, it has not kept up with technological development in this field, government is working towards a comprehensive e-health strategy that will meet the needs of a changing world. It seems likely, therefore, that software and app developers will be confronted with a more regulated industry in the future.

  • Will you be operating in an area that is highly regulated?

The financial services area is heavily regulated and, if you are operating in the banking industry, regulatory demands are that much greater. For instance, if you are carrying on the business of a bank for the purposes of the Banks Act, 1990, you need to obtain a banking licence.

  • And even if you are not operating in a regulated environment, a question developers should be asking is whether their proposed solution is likely to provoke regulation.

Technology-driven services such as Uber, Airbnb and WhatsApp have revolutionised the way their industries operate. What are the policy reasons for regulation in each case? How do we best promote innovation, stimulate competition and also, for example, protect the safety, security and personal information of users? These are the kinds of questions that influence government’s approach to regulation.

  • Uber has fundamentally changed the local-passenger transport industry in South Africa by gaining a competitive advantage over traditional metered taxis. Why should it be penalised for being innovative? One argument is that government cannot ignore the socio-economic consequences of technological development, such as the resultant marginalisation of traditional service providers. As a consequence of immense global and local pressure, the South African government has now taken the decision to regulate Uber as a part of the metered-taxi industry. The National Land Transport Amendment Bill, 2015 will soon be debated before the National Assembly.
  • Over-the-Top services (OTTs) such as WhatsApp, Skype and Facebook Messenger have revolutionised the way in which we communicate. They are essentially third-party mobile apps that depend on the network a user is connected to (such as Vodacom or MTN) and are generally free to use (apart from data charges). Late last year, the powerful cell phone operators called for regulatory intervention contending that these OTTs were essentially ‘freeloading’ by using network operators’ infrastructure without paying for it. OTTs have retaliated stating that they are in fact paying through data charges. They also question why they should be penalised for offering a more competitive option for consumers. The jury is still out on whether OTTs will be regulated but an understanding of the current climate will be important for app developers seeking to enter this market.
  • Airbnb, an internet-accommodation service, is not regulated in South Africa at present. Although the regulatory debates surrounding this service have not come to a head here, there is a definite move towards regulation in jurisdictions such as the United States.

Considering the worldwide attention given to regulation in the context of mobile apps, it is both legally and commercially expedient for developers to be cognisant of and responsive to this ever-changing regulatory environment.

Step 4: What are the general regulatory issues confronting tech start-ups?

Certain regulatory frameworks are likely to affect all software developers. For example, POPI, although not fully operational, will apply whenever personal information is processed. And, since mobile app developers are almost certainly going to be collecting personal information (which POPI defines exceptionally broadly), compliance with this cumbersome piece of legislation will, in most cases, be required. Of significance is that POPI is the general legislation regulating data protection in South Africa and therefore provides the benchmark upon which to gauge all data-processing compliance. Specific industries may, however, impose more stringent requirements for data protection, which would need to be complied with over and above what POPI requires. One of the key ways of complying is by having a POPI-compliant privacy policy drafted. This will ensure, for example, that the requisite consent of the data subject is obtained before any of their personal information is processed.

The Consumer Protection Act, 2008 (CPA) is another example of legislation that will affect developers and comes into play whenever developers (‘service providers’) market and supply goods and services to users (‘consumers’). Compliance with the CPA’s consumer-welfare standards will be important.

Step 5: What are the consequences of non-compliance?

  • Fines and possible imprisonment: For example, non-compliance with POPI prescripts could expose a developer to a fine of up to R10 million and/or a maximum of 10 years’ imprisonment. There may also be further industry-specific penalties for non-compliance. The CPA also imposes heavy administrative fines on improper business conduct, such as an administrative fine of not more than 10% of a company’s annual turnover.
  • Reputational harm: It is bad for business for developers to be operating illegally (that is, not ensuring that they are properly compliant), and this can have a negative, if not fatal, effect on the company’s sale or investment value.
  • Invalidation of your contract: In relations with government, a failure to comply with, for example, the conditions of the tender could result in your contract being set aside if its validity is challenged in court.

Although intellectual property (IP) does not fall within the realm of regulatory compliance, the importance of ensuring that your IP is properly protected cannot be overstated. Developers depend on innovation for their survival – and protection of a product’s IP is vital.


This guide has endeavoured to provide an understanding of the key regulatory concerns confronting mobile app and software developers in South Africa. In the course of developing your solution, ensure that you are cognisant of how the regulatory climate affects you and that you remain responsive to the changes around you.

By Raisa Cachalia and Lauren Kohn


Lauren Kohn

Lauren has a BBusSci (cum laude) and an LLB and LLM (both magna cum laude) from UCT and was admitted as an attorney in 2010 after having completed articles at Webber Wentzel. She rose to the level of associate in the public law department at Webber Wentzel before leaving to complete her LLM at UCT in 2012. She has since joined the faculty as a lecturer and teaches constitutional and administrative law. Lauren has also published widely in the fields of constitutional, administrative, environmental, public procurement and contract law. Lauren joined Caveat Legal in 2014.

Raisa Cachalia

Raisa has a BA and LLB (both cum laude) and is currently completing her LLM. She was admitted as an attorney in 2013 after having completed articles at Bowman Gilfillan, and proceeded to take up a position as research clerk to Justice Zondo and Justice Froneman at the Constitutional Court. Raisa specialises in constitutional law and administrative law, which incorporates public procurement law and general regulatory advice. She is currently working as a researcher at the South African Institute for Advanced Constitutional, Public, Human Rights and International Law, a Centre of the University of Johannesburg. She joined Caveat Legal in 2014.





