
Only six years after the first app store opened, the mobile app ecosystem has become a multi-billion dollar industry. Need to find a coupon, catch a cab, quit your job, see in the dark, find a date, lose weight, compose a song, read a book, monitor your heart rate, turn a channel, or, at this time of year, just buy some Girl Scout cookies? Well, there’s an app for that, as the slogan goes.

With nearly unlimited niches to fill and a global audience within reach, the mobile app universe can be richly rewarding—but it can also present privacy pitfalls for those who leap before they look. Regulators globally have begun to turn a watchful eye toward the privacy and security practices of mobile apps. For example, the FTC has recently settled an enforcement action against the popular Brightest Flashlight app, while Canadian and Dutch privacy regulators concluded a joint crackdown against the ubiquitous messaging service WhatsApp. To help industry players “do the right thing,” several regulators and industry groups have released best practices or guidance papers for participants in the mobile ecosystem. Alas, you may now find it difficult to navigate the numerous guidance documents in order to understand what your app or mobile platform can and can’t do with users’ data.

Navigating Mobile Privacy Compliance

This week, the IAPP Westin Research Center launches a new tool to help you comply with the standards and obligations imposed by leading regulators and trade associations in both the U.S. and Europe. We realize that employing expensive consultants and law firms may not be an option for you right out of the gate. So, now you can get a head start on creating a privacy policy, providing transparency and choice, negotiating with vendors and building an app with “privacy by design.”

The IAPP’s Mobile App Privacy Tool will help you navigate through seven important guidance documents, whether you are an app developer, platform designer, operating system provider, device manufacturer, ad network or any other interested party. To simplify the various guidance documents, the tool divides the requirements in each document into nine distinct topic tabs to help you hone in on what is most relevant for your mobile work. The nine categories include data collection, data retention, notice and transparency, choice and consent, accountability and oversight, specific privacy controls, security and children’s privacy, as well as a miscellaneous category that functions as a guide-specific catch-all. In addition, each guidance note and category is divided into tabs to help distinguish between obligations imposed on different players in the ecosystem, such as app developers, platform designers or ad networks. (Not all guidance documents address each and every party).

Hence, you can “slice and dice” the guidance notes as needed, checking, for example, what the notice requirements are for various players across several documents, what app developers are obligated to do in California, or what European regulators have to say about data retention limits.

The Guides

In using the Mobile App Privacy Tool, you will access the most recent, mobile app-specific guidance from seven leading regulators and industry groups. Hence, the tool reflects industry best practices, privacy advocates’ input, as well as non-binding recommendations from both U.S. and European regulators. The seven guides covered by the tool are:

California A.G., Privacy on the Go: Recommendations for the Mobile Ecosystem (January 2013)

The California Attorney General’s Privacy Office sets one of the highest standards for privacy and data protection, recommending a “surprise minimization” approach to app building. This means “supplementing the general privacy policy with enhanced measures to alert users and give them control over data practices that are not related to an app’s basic functionality or that involve sensitive information.” The guide addresses all apps originating in or targeting California users, but can also be implemented by industry players in other parts of the world.

EU Article 29 Working Party, Opinion 2/2013 on apps on smart devices (February 2013)

European data processing restrictions typically set a high standard for data protection for all players in the mobile sphere, and this guidance addresses any app developer, distributor, or mobile device data recipient operating in the EU. The opinion of the Article 29 Working Party, comprising privacy regulators from all 28 EU Member States, focuses on “the consent requirement, the principles of purpose limitation and data minimization, the need to take adequate security measures, the obligation to correctly inform end users, their rights, reasonable retention periods and specifically, fair processing of data collected from and about children.”

FTC, Mobile Privacy Disclosures: Building Trust Through Transparency (February 2013)

In this staff report, the primary federal privacy regulator in the U.S. offers “several suggestions for the major participants in the mobile ecosystem as they work to improve mobile privacy disclosures.” Recent settlements demonstrate the FTC’s focus on mobile apps and its readiness to bring enforcement actions against them. While this report is non-binding, “the FTC will view adherence to [strong mobile codes of conduct] favorably in connection with its law enforcement work.”

CDT-FPF, Best Practices for Mobile Application Developers (July 2012)

The Center for Democracy and Technology, an advocacy group, and the Future of Privacy Forum, a privacy think tank, worked jointly to release this “primer for developers who are interested in preserving their customers’ privacy but who aren’t necessarily privacy experts themselves.” The guide addresses app developers specifically and provides policy recommendations to foster privacy by design, better inform and empower end-users, and bolster consumer trust.

GSMA, Mobile and Privacy: Privacy Design Guidelines for Mobile Application Development (February 2012)

The GSM Association (GSMA), which represents mobile operators worldwide, “unites nearly 800 mobile operators with 250 companies in the broader mobile ecosystem.” Its mobile privacy principles apply to all parties in the app service and delivery chain, and seek to engender user trust and implement privacy by design. In focusing on the principles of transparency, choice and control, the GSMA provides policy guidelines, implementation recommendations and specific use cases and examples.

NAI, NAI Mobile Application Code (July 2013)

The Network Advertising Initiative (NAI) Code governs only NAI member companies and its guidance is specific to mobile advertising activities. The Code is intended to complement other mobile and industry initiatives, including those from the Digital Advertising Alliance (DAA), the Mobile Marketing Association (MMA) and the National Telecommunications and Information Administration (NTIA), as well as the NAI’s desktop Code of Conduct. The Mobile Code emphasizes high-level principles of notice, choice and transparency to set a high but flexible industry standard for mobile advertising.

NTIA, Short Form Notice Code of Conduct to Promote Transparency in Mobile App Practices (July 2013)

The NTIA’s voluntary code of conduct, created as part of the White House’s privacy strategy, incorporates guidance from multiple privacy stakeholders to describe how and when an app might use a short form notice about its collection and sharing of consumer information with third parties. The code primarily targets app developers, and does not apply to software that consumers do not directly interact with, inherent functions of a device, or apps that are solely provided or sold to enterprises for use within those businesses.


In the rapidly evolving world of app development and mobile privacy, it can be difficult to navigate the maze of regulatory requirements, industry standards and best practice recommendations. Each of the guides distilled into the Mobile App Privacy Tool emphasizes a slightly different approach to implementing commonly accepted principles in order to find the right balance between consumer privacy and mobile app entrepreneurialism. While businesses are urged to at least meet industry standards, they should pay careful attention to implementing the stricter recommendations issued by regulators to minimize the risk of privacy violations and ensuing enforcement actions.

While these codes and guidance documents are voluntary and non-binding, they serve as a good indication for businesses of potential regulatory enforcement. Remember that if your app touches the types of information covered by specific laws or regulations (such as children’s information, credit reports, health information, or commercial communications) you will also have to comply with those laws. As ever, it is crucial to make sure that you live up to the letter and spirit of any promise you make to users about privacy and data security, to avoid liability under Section 5 of the FTC Act or potentially bruising class action litigation. Accordingly, it is important to notify users if and when you change how their information is used or collected. Last but not least, remember that your apps must also comply with the terms and conditions of any platform or app store through which they are offered, including the Apple Store, Google Play and the Facebook Platform.

We look forward to receiving your comments and input on operationalizing the Mobile App Privacy Tool through the Privacy List or via email: kfinch@privacyassociation.org.


Written By

Kelsey Finch, CIPP/US

