Only six years after the first app store opened, the mobile app ecosystem has become a multi-billion dollar industry. Need to find a coupon, catch a cab, quit your job, see in the dark, find a date, lose weight, compose a song, read a book, monitor your heart rate, turn a channel, or, at this time of year, just buy some Girl Scout cookies? Well, there’s an app for that, as the slogan goes.

With nearly unlimited niches to fill and a global audience within reach, the mobile app universe can be richly rewarding—but it can also present privacy pitfalls for those who leap before they look. Regulators globally have begun to turn a watchful eye toward the privacy and security practices of mobile apps. For example, the FTC has recently settled an enforcement action against the popular Brightest Flashlight app, while Canadian and Dutch privacy regulators concluded a joint crackdown against the ubiquitous messaging service WhatsApp. To help industry players “do the right thing,” several regulators and industry groups have released best practices or guidance papers for participants in the mobile ecosystem. Alas, you may now find it difficult to navigate the numerous guidance documents in order to understand what your app or mobile platform can and can’t do with users’ data.

Navigating Mobile Privacy Compliance

This week, the IAPP Westin Research Center launches a new tool to help you comply with the standards and obligations imposed by leading regulators and trade associations in both the U.S. and Europe. We realize that employing expensive consultants and law firms may not be an option for you right out of the gate. So, now you can get a head start on creating a privacy policy, providing transparency and choice, negotiating with vendors and building an app with “privacy by design.”

The IAPP’s Mobile App Privacy Tool will help you navigate through seven important guidance documents, whether you are an app developer, platform designer, operating system provider, device manufacturer, ad network or any other interested party. To simplify the various guidance documents, the tool divides the requirements in each document into nine distinct topic tabs to help you home in on what is most relevant for your mobile work. The nine categories are data collection, data retention, notice and transparency, choice and consent, accountability and oversight, specific privacy controls, security and children’s privacy, plus a miscellaneous category that functions as a guide-specific catch-all. In addition, each guidance note and category is divided into tabs to help distinguish between obligations imposed on different players in the ecosystem, such as app developers, platform designers or ad networks. (Not all guidance documents address each and every party.)

Hence, you can “slice and dice” the guidance notes as needed, checking, for example, what the notice requirements are for various players across several documents, what app developers are obligated to do in California, or what European regulators have to say about data retention limits.

The Guides

In using the Mobile App Privacy Tool, you will access the most recent, mobile app-specific guidance from seven leading regulators and industry groups. Hence, the tool reflects industry best practices, privacy advocates’ input, as well as non-binding recommendations from both U.S. and European regulators. The seven guides covered by the tool are:

California A.G., Privacy on the Go: Recommendations for the Mobile Ecosystem (January 2013)

The California Attorney General’s Privacy Office sets one of the highest standards for privacy and data protection, recommending a “surprise minimization” approach to app building. This means “supplementing the general privacy policy with enhanced measures to alert users and give them control over data practices that are not related to an app’s basic functionality or that involve sensitive information.” The guide addresses all apps originating in or targeting California users, but can also be implemented by industry players in other parts of the world.

EU Article 29 Working Party, Opinion 2/2013 on apps on smart devices (February 2013)

European data processing restrictions typically set a high standard for data protection for all players in the mobile sphere, and this guidance addresses any app developer, distributor, or mobile device data recipient operating in the EU. The opinion of the Article 29 Working Party, comprising privacy regulators from all 28 EU Member States, focuses on “the consent requirement, the principles of purpose limitation and data minimization, the need to take adequate security measures, the obligation to correctly inform end users, their rights, reasonable retention periods and specifically, fair processing of data collected from and about children.”

FTC, Mobile Privacy Disclosures: Building Trust Through Transparency (February 2013)

In this staff report, the primary federal privacy regulator in the U.S. offers “several suggestions for the major participants in the mobile ecosystem as they work to improve mobile privacy disclosures.” Recent settlements demonstrate the FTC’s focus on mobile apps and its readiness to bring enforcement actions against them. While this report is non-binding, “the FTC will view adherence to [strong mobile codes of conduct] favorably in connection with its law enforcement work.”

CDT-FPF, Best Practices for Mobile Application Developers (July 2012)

The Center for Democracy and Technology, an advocacy group, and the Future of Privacy Forum, a privacy think tank, worked jointly to release this “primer for developers who are interested in preserving their customers’ privacy but who aren’t necessarily privacy experts themselves.” The guide addresses app developers specifically and provides policy recommendations to foster privacy by design, better inform and empower end-users, and bolster consumer trust.

GSMA, Mobile and Privacy: Privacy Design Guidelines for Mobile Application Development (February 2012)

The GSM Association (GSMA), which represents mobile operators worldwide, “unites nearly 800 mobile operators with 250 companies in the broader mobile ecosystem.” Its mobile privacy principles apply to all parties in the app service and delivery chain, and seek to engender user trust and implement privacy by design. In focusing on the principles of transparency, choice and control, the GSMA provides policy guidelines, implementation recommendations and specific use cases and examples.

NAI, NAI Mobile Application Code (July 2013)

The Network Advertising Initiative (NAI) Code governs only NAI member companies and its guidance is specific to mobile advertising activities. The Code is intended to complement other mobile and industry initiatives, including those from the Digital Advertising Alliance (DAA), the Mobile Marketing Association (MMA) and the National Telecommunications and Information Administration (NTIA), as well as the NAI’s desktop Code of Conduct. The Mobile Code emphasizes high-level principles of notice, choice and transparency to set a high but flexible industry standard for mobile advertising.

NTIA, Short Form Notice Code of Conduct to Promote Transparency in Mobile App Practices (July 2013)

The NTIA’s voluntary code of conduct, created as part of the White House’s privacy strategy, incorporates guidance from multiple privacy stakeholders to describe how and when an app might use a short form notice about its collection and sharing of consumer information with third parties. The code primarily targets app developers, and does not apply to software that consumers do not directly interact with, inherent functions of a device, or apps that are solely provided or sold to enterprises for use within those businesses.


In the rapidly evolving world of app development and mobile privacy, it can be difficult to navigate the maze of regulatory requirements, industry standards and best practice recommendations. Each of the guides distilled into the Mobile App Privacy Tool emphasizes a slightly different approach to implementing commonly accepted principles in order to find the right balance between consumer privacy and mobile app entrepreneurialism. While businesses are urged to at least meet industry standards, they should pay careful attention to implementing the stricter recommendations issued by regulators to minimize the risk of privacy violations and ensuing enforcement actions.

While these codes and guidance documents are voluntary and non-binding, they serve as a good indication for businesses of potential regulatory enforcement. Remember that if your app touches the types of information covered by specific laws or regulations (such as children’s information, credit reports, health information or commercial communications), you will also have to comply with those laws. As ever, it is crucial to make sure that you live up to the letter and spirit of any promise you make to users about privacy and data security, to avoid liability under Section 5 of the FTC Act or potentially bruising class action litigation. Accordingly, it is important to notify users if and when you change how their information is collected or used. Last but not least, remember that your apps must also comply with the terms and conditions of any platform or app store through which they are offered, including the Apple App Store, Google Play and the Facebook Platform.

We look forward to receiving your comments and input on operationalizing the Mobile App Privacy Tool through the Privacy List or via email: kfinch@privacyassociation.org.


Written By

Kelsey Finch, CIPP/US



