Last week, the Global Privacy Enforcement Network (GPEN), a network of 27 privacy enforcement authorities from around the world, conducted its second international “Privacy Sweep.” This time, the focus was on mobile apps. From May 12 to 18, international privacy enforcement authorities examined the permissions settings of some of the most popular apps in their regions, looking to shed light on how mobile apps actually collect and use personal information. Consequently, app developers, ad networks and other participants in the mobile ecosystem who don’t make the grade are likely to find themselves the focus of close regulatory attention—or enforcement action. As some widely used apps, including Snapchat, Fandango, Path and Brightest Flashlight Free, have recently learned, their industry has been subject to intense Federal Trade Commission (FTC) scrutiny for some time now.
Even if your app escaped this year’s sweep, there are important lessons to be learned. That’s why the Westin Research Center is glad to announce the new and improved IAPP Mobile App Privacy Tool. As mobile app platforms proliferate and go global, we’re updating and expanding our comparative mobile app guidance tool to add guidance documents from three international regulators: the Information Commissioner’s Office (ICO) in the UK, the Office of the Privacy Commissioner (OPC) in Canada and the Office of the Australian Information Commissioner (OAIC).
Mobile Compliance In-Depth: A Lesson from the Sweep
With 27 regulators having just finished combing through hundreds of mobile apps’ permissions settings and data practices as part of the 2014 GPEN Sweep, the question naturally arises, what permissions settings and notices would satisfy regulators? At least in the case of the ICO, the OPC and the OAIC, app developers can look to new guidance documents and the updated Mobile App Privacy Tool for answers. To help guide you through the process, we’ll walk you through one guide from the perspective of a hypothetical UK app developer.
The ICO’s Guidance for App Developers provides the starting point for app developers trying to protect UK users’ privacy. In its detailed guidelines, data minimization requirements appear first and foremost. Whether or not personal information is to be anonymized, the ICO advises that “you should make effective use of the available permissions or other mechanisms in the operating system you are developing for. Your app should only request access to the sensors, services or other data which are necessary.” Even technical restrictions should not excuse developers from this responsibility, since “if the operating system does not give you the granularity you require, then you can provide additional information to users about exactly why a specific permission is needed.”
Recognizing that navigating permissions settings may be a technical challenge to users, the ICO also embeds specific suggestions for how to provide adequate notice. Accordingly, it is important that developers “don’t just say which data you want, say why.” Developers should put in the time to ensure that they’re communicating clearly and transparently about what permissions their apps seek, because the ICO has noted that “operating system (OS) permissions on their own are unlikely to be sufficient (although future mobile OS developments may change this).” Providing a “simple means” to “access settings to configure or to view current permissions” is also specifically included in an appendix of good practices.
Finally, the ICO addresses permissions settings with regard to how developers should test and maintain their apps. Not only is testing a good security practice, but developers are instructed to “test all the platforms you’re developing for” and to remember that “the install process and the requesting of device permissions will be important areas to test.” Combining notice and accountability principles, developers should also “consider what a new user will see when they install your app and see what permissions it requests.” After any changes to the app’s code, the ICO asks developers to test their apps to ensure that they behave as expected—a concern recently highlighted in the U.S. as well through the FTC’s enforcement actions against Credit Karma and Fandango.
So what should a developer with an app in the UK market do to avoid having its permissions settings and practices swept away? Use permissions settings to minimize data collection by default. Notify users about why certain permissions are needed. Give users simple ways to view or change their permissions. Test that permissions work the way they are intended to before releasing or updating the app. By following these basic steps, app developers can help bring their apps in line with UK consumers’—and regulators’—privacy expectations.
While the ICO’s guide provides good guidance as to what an international regulator might expect with regard to an app’s permissions settings, it also includes far more than that. The updated IAPP Mobile App Privacy Tool now incorporates all of the guidance and best practices from the ICO, as well as the following guidance from the OPC and the OAIC.
To help app developers comply with the Data Protection Act of 1998, the UK Information Commissioner’s Office has added yet another highly detailed guide to its suite of codes of practice. Emphasizing a Privacy-by-Design (PbD) approach, this guide provides myriad real-world examples and detailed suggestions, particularly with regard to app security measures. While the guidance focuses primarily on smartphone and tablet apps, the ICO notes that it should also apply to smart TVs, game consoles and similar app-style technologies. The ICO also warns that any foreign organization developing apps for UK consumers “should consider that its users in the UK will clearly expect any apps they use to respect their privacy according to the DPA.”
The Office of the Privacy Commissioner of Canada report, jointly with the Offices of the Information and Privacy Commissioners of Alberta and British Columbia, is targeted specifically to app developers and “focuses on the design and development of apps and the need to keep privacy top of mind in that creative process.” This PbD approach is intended to help ensure that any organization, “from a one-person operation to a large company, can build a privacy management program.” The OPC’s guide emphasizes that the timing of certain notices and consents and appropriate data minimization are critical in the mobile space. The OPC’s guide also warns that developers “can expect increased scrutiny of the privacy practices in your industry in the years ahead—both by regulators and the market itself.”
Based on the Canadian guidance above, the Australian approach to mobile app privacy is a combination of best practices and compliance directives under the Privacy Act. Notably, the Privacy Act applies to any business operating in the Australian market that collects or discloses personal information for a benefit, service or advantage; e.g., where the business uses PII to sell advertising, handles health information or has an annual turnover of more than $3 million. Speaking directly to app developers, the Office of the Australian Information Commissioner underscores the importance of adopting a PbD approach throughout the lifecycle of app development, “whether you work on your own or for a business or government agency.” The OAIC also warns that breaches of privacy may result in formal investigations and, as of March 12, 2014, civil penalties.
While these three guides are nonbinding, just as those already included in the Mobile App Privacy Tool, they provide a critical starting point for app developers seeking to break into new markets and avoid regulatory or individual enforcement actions or simply wanting to make privacy their competitive advantage. Each of these guides offers new best practices and case examples to help better protect consumers’ privacy—and minimize developers’ risks. Don’t let the prospect of foreign privacy laws and regulations steer you away from promising new shores.
We look forward to receiving your comments and input on operationalizing the Mobile App Privacy Tool through the Privacy List or via e-mail at firstname.lastname@example.org.