Simon Bates is MEF’s Senior Advisor for Policy & Initiatives. Here he shares his thoughts on a recently published guide to mobile privacy from the Australian Information Commissioner. Simon and other MEF members are hosting a free privacy workshop on October 23rd at Apps World Europe in London that will explore best practice for data collection in mobile apps, featuring mobile industry privacy experts and the creators of MEF’s online tool – AppPrivacy™.
In September, the Australian Information Commissioner published a better practice document for mobile app developers. I know what you’re thinking: does the world really need another privacy-by-design guide? This one is actually really useful, however, and well worth a read regardless of whether you’re new to privacy or an old hand. Plus, if Australia is a big market for your app business you’ll need to know how you’re affected by its Privacy Act.
The first thing you notice reading through the guide is that they’ve really done their homework. The research is relevant and up-to-date, and the links to further resources show they understand who the major players are. The ICO shares our view that privacy can be a competitive advantage – they say up front “The mobile apps that take privacy seriously will be the ones that stand out from the crowd and gain user trust and loyalty.”
The Australian Privacy Act covers any business that “collects or discloses personal information for a benefit, service or advantage – or which handles health information.” Essentially, you are likely to be covered if you use personal information to sell advertising, which accounts for most apps. If your app is used to facilitate direct marketing, you’ll need to comply with Australia’s Privacy Principles.
The Australian ICO defines personal information as:
- Photos
- Unique identifiers (e.g. IP address, UDID)
- Contact lists and social connections
- Biometrics
- Location information
They’ve assembled a very helpful checklist (below) that sets out their main points. A lot of it has been rehearsed in various other best practice guides over the last couple of years and, indeed, in our own approach to privacy. There are, though, a couple of new ideas and reminders to the app community that I found interesting and/or useful.
First, devs are encouraged to implement a “privacy management programme”. This includes a reminder to instruct data handling suppliers to respect privacy obligations via contracts and to understand the implications of using third party code. Quite how many developers will write a Privacy Impact Assessment for each app, as the guide suggests, I’m not so sure (besides, that’s what AppPrivacy is there for!), but it’s a good idea in theory.
They also suggest that apps should have a “privacy dashboard” to allow users to tighten their settings. A great suggestion, but this would likely impact the business model behind the app, which might be unfair on businesses. Mark it under ‘nice-to-have’.
There’s a useful plug for “contextual notices” – i.e. apps should tell users what’s happening to their information at a point when it actually resonates. For example, if an app tags photos with location data, this info should flash up the first time the user activates the camera.
An obvious point – but not one that’s actually listed in many guides that I’ve seen – is around use of handset recording equipment. The guide says “Don’t collect sound or activate the device camera without the specific permission of the user.” Users don’t yet picture a dystopian future where every conversation is recorded and intimate photos and videos shot without their knowledge. If an app did this on a wide scale, and it was reported in the media, trust in the apps market would plummet.
The Australian Information Commissioner’s report is a valuable and welcome addition to the global repository of best practice guides. Even if there’s nothing particularly new, it’s a brief and easy-to-understand resource. I liked the way it was laid out, and the checklist that follows is a great ‘print-out and keep’ summary that should be of use to developers down under and all around the world.
Privacy and mobile apps: a checklist for app developers
Your privacy responsibilities
Your agency or organisation (which may just be you) is responsible for all personal information collected, used and disclosed by your mobile app.
- Identify someone to be responsible for privacy protection.
- Use a Privacy Impact Assessment to map where the information is going, identify potential privacy risks, and assist with privacy planning (including ‘privacy by design’).
- Put in place controls, such as conditions of contract or user agreements, to ensure that third parties accessing personal information through your app respect their privacy obligations.
Be open and transparent about your privacy practices
- Develop a privacy policy that clearly and simply informs users what your app is doing with their personal information.
- Make your app’s privacy policy easy for users and potential users to find.
- Put in place a monitoring process to ensure that personal information is being handled in the way described in your privacy policy.
- When updating an app, inform users of any changes to the way their personal information is handled, and seek express consent to any changes that could impact on their privacy.
Obtain meaningful consent despite the small screen challenge
Select the right strategy to convey privacy rules in a way that is meaningful on the small screen. This could include:
- ‘short form notices’, with important points up front and links to more detailed explanations
- a privacy dashboard that displays a user’s privacy settings and provides a convenient means of changing them
- cues such as graphics, colour and sound to draw user attention to what is happening with their personal information, the reasons for it, and choices available to the user.
Timing of user notice and consent is critical
- Obtain consent at the point of download.
- Tell users how their personal information is being handled at the time they download the app and in-context when they use the app to ensure that their consent is meaningful and relevant.
- Consider how best to deliver privacy messages to most effectively capture users’ attention and achieve the most impact at the right time, without causing notice fatigue.
Only collect personal information that your app needs to function
- Limit data collection to what is needed to carry out legitimate purposes.
- Do not collect data just because you think it may be useful in the future.
- Allow users to opt out of the collection of their personal information, or if that is not practicable, clearly explain they cannot opt out so they can make an informed decision whether to use the app.
- Delete or de-identify personal information that you no longer need for a lawful purpose.
Secure what you collect
- Put in place appropriate safeguards to protect the personal information you are handling. Use encryption when storing and transmitting data.
- Give users the ability to delete or request the deletion of all of the data that your app has collected about them.
- Publish clear policies about how long it will take to delete personal information once a user stops using your app.
- Delete personal information that you no longer need for a lawful purpose.