IAPP-GDPR Web Banners-300x250-FINAL

Last week, the Global Privacy Enforcement Network (GPEN), a network of 27 privacy enforcement authorities from around the world, conducted its second international “Privacy Sweep.” This time, the focus was on mobile apps. From May 12 to 18, international privacy enforcement authorities examined the permissions settings of some of the most popular apps in their regions, looking to shed light on how mobile apps actually collect and use personal information. Consequently, app developers, ad networks and other participants in the mobile ecosystem who don’t make the grade are likely to find themselves the focus of close regulatory attention—or enforcement action. As some widely used apps, including Snapchat, Fandango, Path and Brightest Flashlight Free, have recently learned, their industry has been subject to intense Federal Trade Commission (FTC) scrutiny for some time now.

Even if your app escaped this year’s sweep, there are important lessons to be learned. That’s why the Westin Research Center is glad to announce the new and improved IAPP Mobile App Privacy Tool. As mobile app platforms proliferate and go global, we’re updating and expanding our comparative mobile app guidance tool to add guidance documents from three international regulators: the Information Commissioner’s Office (ICO) in the UK, the Office of the Privacy Commissioner (OPC) in Canada and the Office of the Australian Information Commissioner (OAIC).

Mobile Compliance In-Depth: A Lesson from the Sweep

With 27 regulators having just finished combing through hundreds of mobile apps’ permissions settings and data practices as part of the 2014 GPEN Sweep, the question naturally arises, what permissions settings and notices would satisfy regulators? At least in the case of the ICO, the OPC and the OAIC, app developers can look to new guidance documents and the updated Mobile App Privacy Tool for answers. To help guide you through the process, we’ll walk you through one guide from the perspective of a hypothetical UK app developer.

The ICO’s Guidance for App Developers provides the starting point for app developers trying to protect UK users’ privacy. In looking through its detailed guidelines, data minimization requirements appear first and foremost. Whether or not personal information is to be anonymized, the ICO advises that “you should make effective use of the available permissions or other mechanisms in the operating system you are developing for. Your app should only request access to the sensors, services or other data which are necessary.” Even technical restrictions should not excuse developers from this responsibility, since “if the operating system does not give you the granularity you require, then you can provide additional information to users about exactly why a specific permission is needed.”

Recognizing that navigating permissions settings may be a technical challenge to users, the ICO also embeds specific suggestions for how to provide adequate notice. Accordingly, it is important that developers “don’t just say which data you want, say why.” Developers should put in the time to ensure that they’re communicating clearly and transparently about what permissions their apps seek, because the ICO has noted that “operating system (OS) permissions on their own are unlikely to be sufficient (although future mobile OS developments may change this).” Providing a “simple means” to “access settings to configure or to view current permissions” is also specifically included in an appendix of good practices.

Finally, the ICO addresses permissions settings with regards to how developers should test and maintain their apps. Not only a good security practice, developers are instructed to “test all the platforms you’re developing for” and to remember that “the install process and the requesting of device permissions will be important areas to test.” Combining notice and accountability principles, developers should also “consider what a new user will see when they install your app and see what permissions it requests.” After any changes to the app’s code, the ICO asks developers to test their apps to ensure that they behave as expected—a concern recently highlighted in the U.S. as well through the FTC’s enforcement actions against Credit Karma and Fandango.

So what should a developer with an app in the UK market do to avoid having its permissions settings and practices swept away? Use permissions settings to minimize data collection by default. Notify users about why certain permissions are needed. Give users simple ways to view or change their permissions. Test that permissions work the way they are intended to before releasing or updating the app. By following these basic steps, app developers can help bring their apps in line with UK consumers’—and regulators’—privacy expectations.

The Guides

While the ICO’s guide provides good guidance as to what an international regulator might expect with regard to an app’s permissions settings, it also includes far more than that. The updated IAPP Mobile App Privacy Tool now incorporates all of the guidance and best practices from the ICO, as well as the following guidance from the OPC and the OAIC.

ICO:Privacy in Mobile Apps: Guidance for App Developers

To help app developers comply with the Data Protection Act of 1998, the UK Information Commissioner’s Office has added yet another highly detailed guide to its suite of codes of practice. Emphasizing a Privacy-by-Design (PbD) approach, this guide provides myriad real-world examples and detailed suggestions, particularly with regard to app security measures. While the guidance focuses primarily on smartphone and tablet apps, the ICO notes that it should also apply to smart TVs, game consoles and similar app-style technologies. The ICO also warns that any foreign organization developing apps for UK consumers “should consider that its users in the UK will clearly expect any apps they use to respect their privacy according to the DPA.”

OPC: Seizing Opportunity: Good Privacy Practices for Developing Mobile Apps

The Office of the Privacy Commissioner of Canada report, jointly with the Offices of the Information and Privacy Commissioners of Alberta and British Columbia, is targeted specifically to app developers and “focuses on the design and development of apps and the need to keep privacy top of mind in that creative process.” This PbD approach is intended to help ensure that any organization, “from a one-person operation to a large company, can build a privacy management program.” The OPC’s guide emphasizes that the timing of certain notices and consents and appropriate data minimization are critical in the mobile space. The OPC’s guide also warns that developers “can expect increased scrutiny of the privacy practices in your industry in the years ahead—both by regulators and the market itself.”

OAIC: Mobile Privacy: A Better Practice Guide for Mobile App Developers

Based on the Canadian guidance above, the Australian approach to mobile app privacy is a combination of best practices and compliance directives under the Privacy Act. Notably, the Privacy Act applies to any business operating in the Australian market that collects or discloses personal information for a benefit, service or advantage; e.g., where PII is used to sell advertising, handles health information or has an annual turnover of more than $3 million. Speaking directly to app developers, the Office of the Australian Information Commissioner underscores the importance of adopting a PbD approach throughout the lifecycle of app development, “whether you work on your own or for a business or government agency.” The OAIC also warns that breaches of privacy may result in formal investigations and, as of March 12, 2014, civil penalties.

While these three guides are nonbinding, just as those already included in the Mobile App Privacy Tool, they provide a critical starting point for app developers seeking to break into new markets and avoid regulatory or individual enforcement actions or simply wanting to make privacy their competitive advantage. Each of these guides offers new best practices and case examples to help better protect consumers’ privacy—and minimize developers’ risks. Don’t let the prospect of foreign privacy laws and regulations steer you away from promising new shores.

We look forward to receiving your comments and input on operationalizing the Mobile App Privacy Tool through the Privacy List or via e-mail at

Written By

Kelsey Finch, CIPP/US


If you want to comment on this post, you need to login.


Board of Directors

See the esteemed group of leaders shaping the future of the IAPP.

Contact Us

Need someone to talk to? We’re here for you.

IAPP Staff

Looking for someone specific? Visit the staff directory.

Learn more about the IAPP»

Daily Dashboard

The day’s top stories from around the world

Privacy Perspectives

Where the real conversations in privacy happen

The Privacy Advisor

Original reporting and feature articles on the latest privacy developments

Privacy Tracker

Alerts and legal analysis of legislative trends

Privacy Tech

Exploring the technology of privacy

Canada Dashboard Digest

A roundup of the top Canadian privacy news

Europe Data Protection Digest

A roundup of the top European data protection news

Asia-Pacific Dashboard Digest

A roundup of the top privacy news from the Asia-Pacific region

Latin America Dashboard Digest

A roundup of the top privacy news from Latin America

IAPP Westin Research Center

Original works. Groundbreaking research. Emerging scholars.

Get more News »

Find a KnowledgeNet Chapter Near You

Network and talk privacy at IAPP KnowledgeNet meetings, taking place worldwide.

Women Leading Privacy

Events, volunteer opportunities and more designed to help you give and get career support and expand your network.

IAPP Job Board

Looking for a new challenge, or need to hire your next privacy pro? The IAPP Job Board is the answer.

Join the Privacy List

Have ideas? Need advice? Subscribe to the Privacy List. It’s crowdsourcing, with an exceptional crowd.

Find more ways to Connect »

Find a Privacy Training Class

Two-day privacy training classes are held around the world. See the complete schedule now.

Online Privacy Training

Build your knowledge. The privacy know-how you need is just a click away.

The Training Post—Can’t-Miss Training Updates

Subscribe now to get the latest alerts on training opportunities around the world.

New Web Conferences Added!

See our list of upcoming web conferences. Just log on, listen in and learn!

Train Your Staff

Get your team up to speed on privacy by bringing IAPP training to your organization.

Learn more »

CIPP Certification

The global standard for the go-to person for privacy laws, regulations and frameworks

CIPM Certification

The first and only privacy certification for professionals who manage day-to-day operations

CIPT Certification

The industry benchmark for IT professionals worldwide to validate their knowledge of privacy requirements

Certify Your Staff

Find out how you can bring the world’s only globally recognized privacy certification to a group in your organization.

Learn more about IAPP certification »

Get Close-up

Looking for tools and info on a hot topic? Our close-up pages organize it for you in one easy-to-find place.

Where's Your DPA?

Our interactive DPA locator helps you find data protection authorities and summary of law by country.

IAPP Westin Research Center

See the latest original research from the IAPP Westin fellows.

Looking for Certification Study Resources?

Find out what you need to prepare for your exams

More Resources »

GDPR Comprehensive: Spots Going Fast

With the top minds in the field leading this exceptional program, it's no wonder it's filling quickly. Register now to secure your spot.

Be Part of Something Big: Join the Summit

Registration is open for the Global Privacy Summit 2016. Discounted early bird rates available for a short time, register today!

Data Protection Intensive Returns to London

Registration is now open for the IAPP Europe Data Protection Intensive in London. Check out the program!

P.S.R. Call for Speakers Open!

P.S.R. is THE privacy + cloud security event of the year, and you can take a leading role. Propose a session for this year's program.

Sponsor an Event

Increase visibility for your organization—check out sponsorship opportunities today.

Exhibit at an Event

Put your brand in front of the largest gatherings of privacy pros in the world. Learn more.

More Conferences »

Become a Member

Start taking advantage of the many IAPP member benefits today

Corporate Members

See our list of high-profile corporate members—and find out why you should become one, too

Renew Your Membership

Don’t miss out for a minute—continue accessing your benefits

Join the IAPP»