Privacy Commissioner issues guide regarding Mobile Apps and privacy

October 1, 2013

The Privacy Commissioner issued a press release and guide for mobile app developers.

The press release provides:

The Office of the Australian Information Commissioner (OAIC) has today released Mobile privacy: A better practice guide for mobile app developers.

With 6 in 10 Australians choosing not to use a smartphone app because of concerns about the way personal information would be used [1], the Guide will assist mobile app developers to embed better privacy practices into their products, and to comply with Australian privacy law.

The Australian Privacy Commissioner, Timothy Pilgrim, said the growing app industry presented both potential benefits to people but also serious risks to how personal information is handled.

‘Mobile app developers operating in the Australian market need to be aware of how Australian privacy regulation applies, otherwise they risk breaching the law,’ Mr Pilgrim said.

‘I’m recommending that app developers adopt a ‘privacy by design’ approach right from the beginning of an application’s development to help make sure it is privacy-friendly.

‘It is ultimately in an app developer’s best interest to build strong privacy protections into their product. The mobile apps that take privacy seriously will be the ones that stand out from the crowd and gain user trust and loyalty.’

The Guide recommends that app developers use short form privacy notices instead of lengthy privacy policies that are difficult to read on a small screen.

‘People are confronted with privacy policies that are increasingly lengthy, complex and time-consuming to read. Trying to read one of these on a smartphone screen is even more challenging.

‘People are increasingly expecting transparency about how their personal information is handled. It’s important to get informed consent from people so they can decide whether or not to install an app. Informed consent requires that users be told about the privacy implications of an app in a way they can understand. App developers should make it easy by using things like a privacy dashboard and in-text notices where you tell users what will happen with their information in real time,’ Mr Pilgrim said.

The guide (found here) provides, absent footnotes:

The purpose of this guide

The OAIC has developed this guide to help mobile device application (app) developers embed better privacy practices in their products and services, and help developers that are operating in the Australian market to comply with Australian privacy law and best practice. [1]

Many of the practices outlined in this guide may also assist other businesses involved in the app ecosystem, such as:

  • advertising networks
  • advertisers
  • mobile platform providers
  • app developer trade associations
  • developers of other (non-mobile) applications.

This document is a better practice guide. It is designed to provide suggestions for both privacy compliance and better practice. Your business may or may not be covered by the Privacy Act. Whether it is or not, this guide will help you make your apps more privacy-friendly.

There is a checklist to help you ensure your app is privacy friendly at Appendix A. The checklist is a summary of this guide. You can follow the checklist to help build privacy protections into your apps. There is also a list of resources at Appendix B if you need more information.

Background

People are increasingly using mobile devices for their computing needs, including to access the internet. In a 2012 Australian study:

  • 76 per cent of respondents said that they owned a smartphone, compared with 67 per cent in 2011
  • 84 per cent of respondents said that they would own a smartphone in 2013
  • 69 per cent of the mobile phone users – and 87 per cent of smartphone users – had installed an app on their phone
  • 38 per cent said that they owned a ‘tablet’ device
  • 92 per cent of tablet owners said that they used apps on their device.

The Australian community puts a high level of trust in the mobile apps they use and their expectation for privacy protection is equally high. Apps which fail to protect user privacy lose user confidence and gain negative publicity.

Failing to protect privacy could also result in a breach of the Privacy Act (see Application of the Privacy Act, below). Individuals can complain to the OAIC if they believe that their privacy has been breached by a business or government agency covered by the Act. Alternatively, the Information Commissioner can choose to investigate the way in which your app handles personal information, even if no-one has complained. The consequences of an investigation could include having to change the way your app handles personal information, having to pay compensation to affected users, or (after 12 March 2014) a civil penalty. 

Privacy by design

The mobile environment, along with the new app economy it has generated, presents both potential and risks for how personal information is handled. If you are a mobile app developer, whether you work on your own, or for a business or government agency, you should adopt a ‘privacy by design’ (PBD) approach. PBD aims at building privacy and data protection up front, into the design specifications and architecture of information and communication systems and technologies, in order to facilitate compliance with privacy and data protection principles.

You can build PBD into your apps by applying privacy-enhancing practices throughout the life cycle of the personal information that you handle – that is, its collection, use (including data matching, targeted advertising and analytics), disclosure, storage and destruction. Given the growing popularity of apps, app developers can expect increased scrutiny of the privacy practices in the app industry in the years ahead – by both regulators and the market itself, driven by increasingly informed, discerning and influential consumers. Implementing a PBD approach will help you make sure you are privacy-friendly, whether or not your business is covered by the Privacy Act.

If your business must comply with the Privacy Act, implementing better privacy practice can also reduce your compliance costs.

How does the Privacy Act apply to apps and app developers?

What is ‘personal information’?

The Privacy Act regulates the way in which ‘personal information’ is handled by Australian, ACT and Norfolk Island government agencies, and by many private sector businesses.

‘Personal information’ is any information about an individual whose identity is apparent, or can reasonably be ascertained, from the information. What constitutes personal information will vary, depending on what can reasonably be ascertained in a particular circumstance, but may include:

  • photographs
  • Internet Protocol (IP) addresses, Unique Device Identifiers (UDIDs) and other unique identifiers in specific circumstances
  • contact lists, which reveal details about the contacts themselves and also a user’s social connections
  • voice print and facial recognition biometrics, because they collect characteristics that make an individual’s voice or face unique
  • location information, because it can reveal user activity patterns and habits.

Application of the Privacy Act

The Privacy Act covers:

  • any business that:
  1. collects or discloses personal information for a benefit, service or advantage
  2. handles health information, or
  3. has an annual turnover of more than $3 million
  • credit providers and credit reporting agencies
  • most Australian, ACT and Norfolk Island Government agencies (Government agencies).

You are likely to be covered by the Privacy Act if you use personal information to sell advertising, including through an app.

Businesses and government agencies covered by the Privacy Act must comply with the Privacy Principles contained in the Act.

The National Privacy Principles apply to businesses and the Information Privacy Principles apply to government agencies covered by the Privacy Act. However, from 12 March 2014 those principles will be replaced by a single set of Australian Privacy Principles (APPs) (http://www.oaic.gov.au/news-and-events/privacy-awareness-week/resources#heading_8) which will apply to both businesses and government agencies. Implementing the steps in this guide will help you to comply with the current principles and the APPs.

If your business is covered by the Privacy Act, it is important that you understand whether your app is used for direct marketing and make sure it complies with the direct marketing requirements of the Privacy Principles.

Make user privacy your competitive advantage

Whether or not you are covered by the Privacy Act, as an app developer, it’s ultimately in your best interests to build strong privacy protections into your apps. The mobile apps that take privacy seriously will be the ones that stand out from the crowd and gain user trust and loyalty:

  • A 2013 survey by the Pew Research Centre found that 51 per cent of teenage app users had avoided certain apps over privacy concerns, and 26 per cent had uninstalled an app because it was collecting personal information that they did not wish to share.
  • A 2012 survey by the Pew Research Centre found that 57 per cent of app users in the United States have either uninstalled an app over concerns about having to share their personal information or declined to install an app in the first place for similar reasons.
  • A 2012 UK study found that 27 per cent of consumers were more concerned about their privacy on smartphones than on their computer, and that 68 per cent of people choose not to download an app that they didn’t trust.
  • A 2012 Australian study found that 56 per cent of Australians do not approve of websites showing specific advertising based on information that the websites have collected in the background about their interests. Further, 69 per cent of respondents reported they had refused to use an application or website because it collected too much personal information. 75 per cent of the respondents said they needed to know more about the ways in which companies collected personal information.

App privacy essentials

This section covers the essential information you need to know when designing, implementing and managing your app. There is a checklist to help you ensure your app is privacy friendly at Appendix A. Remember – think ‘privacy by design’!

1. Your privacy responsibilities

It is important to integrate good privacy protections into your day-to-day business practice. You should also ensure that your business arrangements and contracts protect privacy and comply with your obligations under the Privacy Act.

Putting in place a privacy management program for your business will help you manage risks up front. Given the potentially high number of users of your app, it can also help you to respond to requests for access to their personal information and complaints in an organised manner.

Developing and managing your privacy management program

Managing privacy doesn’t need to be complicated or difficult. Anyone, from a one-person operation to a large company, can build a privacy management program.

  • Identify someone within your business to be responsible for privacy protection and dealing with privacy complaints, even if you only have a small team.
  • When you are in the planning stages for an app, conduct a Privacy Impact Assessment (PIA) to help ensure you have considered all the relevant privacy issues (see below for more information).
  • Have controls in place (such as contracts) to ensure that third parties process personal information in accordance with their obligations under privacy law and facilitate your compliance with your own obligations, and make sure the controls are aligned with user expectations. Be cautious when using third party code or software development kits — such as those from advertising networks or analytics providers – which could contain code you aren’t aware of, such as aggressive adware or malware. A PIA can help establish what kind of controls may be appropriate.

Privacy Impact Assessments

You should consider carrying out a PIA for each app you develop, whether or not your business is covered by the Privacy Act.

A PIA is a tool that ‘tells the story’ of a project from a privacy perspective. A PIA:

  • describes how personal information ‘flows’ in a project – how it is collected, used, disclosed, accessed, stored and deleted
  • analyses the possible privacy impacts of the project on individual privacy
  • through that analysis, helps find potential ways to manage, minimise, or avoid privacy impacts while achieving or enhancing project goals
  • encourages good privacy practice and underpins good risk management.

You may choose to publish your PIA so that members of the public are aware of your commitment to privacy. You might even wish to encourage privacy organisations or members of the public to consult on your draft PIA. Both actions will help build user trust in your app.

The OAIC has published a PIA guide which you may find useful. Additional resources and tools can be found in Appendix B.

2. Be open and transparent about your privacy practices

The process of developing a privacy policy will help you to inspect your own practices in a systematic way. Users increasingly expect transparency about how their personal information is handled; businesses which clearly explain this are rewarded with user trust and loyalty. You should tell users what your app does with their personal information, why it does it, and what their choices are. This is the case even if you choose to offer benefits – such as convenience or free downloads – to your customers in return for access to their personal information.

For suggestions about how to implement these ideas, see Communicating privacy rules on small screens in Appendix B.

Your privacy policy

Make your app’s privacy policy easy to find; users should not have to search for it. It’s best to make the privacy policy (or at least a summary of it) easy to access through your app (see 3. Obtain meaningful consent – the small screen challenge below).

If you want the collection of personal information by your app to be covered by the same privacy policy as your other activities (such as your website), make sure that the privacy policy adequately covers your app and its functions.

Your privacy policy should, at a minimum, clearly and accessibly notify potential users:

  • who you are and how to contact you
  • what kinds of personal information your app collects
  • how your app collects personal information, and where it will be stored (on the device or elsewhere)
  • the purposes for which your app collects the personal information
  • how users may access their personal information, and correct it or seek to have it corrected
  • how users may complain about a breach of the Privacy Principles, and how you will deal with such a complaint
  • whether you are likely to disclose the information outside Australia and, if it is practicable, which countries you are likely to disclose the information to.

Sending information overseas

The Privacy Act imposes specific obligations about sending personal information outside of Australia. If your app sends your customers’ personal information overseas, you should make sure that the personal information is still handled in a way which protects your customers’ privacy.

As a matter of best practice, you may also want to tell users

  • how long you will keep the personal information that your app collects
  • whether the users will be ‘trading’ access to their personal information for benefits such as convenience or free downloads, and
  • any other issues that will affect user privacy.

You should have a monitoring process in place to make sure that you and your app handle personal information as described in your privacy policy.

Making changes to your privacy policy, or to how you collect, use or disclose personal information

  • Inform users in advance about updates to your app’s privacy policy. 
  • Give users reasonable time to provide feedback before you implement changes.
  • Tell users exactly what rules you are changing so they don’t have to compare the new and old policies to understand what’s happening.
  • If you are including new features, especially features that involve disclosing information to third parties, make the changes easy to find and understand through the update process.
  • Wherever possible, seek express consent from users to any changes that could impact on their privacy.
  • Never make silent app updates that will diminish the user’s privacy.

Sensitive information

If your app collects sensitive information, you are likely to have additional privacy obligations under the Privacy Act. ‘Sensitive information’ includes an individual’s health information, their membership of a union or political association, their sexual preferences or practices, and more.

3. Obtain meaningful consent – the small screen challenge

Your customers need to know about your privacy practices to be able to provide you with informed consent to handle their personal information  – but it can be difficult and unpleasant to read a lengthy privacy policy on a small screen. Getting the balance right between providing information and avoiding ‘notice fatigue’ (where people ignore notices or warnings because of over-exposure) is critical. We list some suggestions below.

  • Use short form notices
  1. These are notices that are no longer than a single screen (if possible) and that explain what data will be collected from users, and any third party data sharing practices – they also link to the full privacy policy and/or terms of use.
  2. Provide specific, targeted notices to users when they need to make a decision about whether to consent to the collection of their personal information. These notices should contain the same sorts of information listed in your privacy policy so that users can make an informed decision.
  3. Make sure that the short form notice draws user attention particularly to any collection, use or disclosure of information that they would not otherwise reasonably expect.
  • Provide a privacy dashboard
  1. Display user privacy settings with a tool that allows users to tighten their settings. The tool should be easy and straightforward to use.
  2. Instead of just using an on/off button, explain the consequences of making a choice to provide data so users can make an informed decision.
  • Adapt existing mobile privacy policy template language or generators
  1. See Resources in Appendix B – but make sure the result meets any obligations you have in Australia under the Privacy Act.

Give users a way to modify their information, opt out of any tracking and delete their profile entirely if they wish. Rather than just using text, your privacy policy can make more of an impact by using the techniques listed below.

  • Graphics
  1. The first layer of your mobile privacy policy could primarily be icons, labels or images, as long they are linked to text that provides more detail.
  2. You could also make use of graphics in the app at the moment when sensitive information is about to be transmitted and user consent is required. For example, if your app is about to access the user’s location data, you could activate a symbol or icon to raise user awareness of what is happening and the reason for it, as well as the user’s choices.
  • Colour
  1. You can alert the user by using colour and altering its intensity. The intensity of the colour could be scaled to the importance of the decision or sensitivity of the information.
  • Sound
  1. Selective use of sounds, and scaling the device’s volume, can draw attention to a privacy-related decision that needs to be made in a timely way.

For further information, including on the use of symbols and icons, see Communicating privacy rules on small screens in Appendix B .

Users with disability

Almost 20% of the Australian population has a disability. Your privacy policy and notices need to be accessible to people with disability, such as people who are blind and use screenreaders, people who are colourblind, and people who are Deaf or hard of hearing. If you use tools (such as graphics or sound, like those listed above) which are not accessible to people with disability, make sure you offer an alternative way for these users to get the information. For information on ensuring that your app – including your privacy processes – is accessible to people with disability, see Making your privacy practices accessible to customers with disability in Appendix B.

4. Timing of user notice and consent is critical

When people use mobile devices, their attention can be intermittent and limited. So it’s important to be thoughtful and creative about the timing of user notice and consent. To get the most impact, consider the following:

  • Highlight privacy practices during the download/purchase process and also upon first use.
  • Obtain consent at the point of download.
  • Tell users what will happen with their information in real time – this is sometimes known as providing ‘in-context notices’. Users must be able to make timely and meaningful choices. For example, if your app takes photos or video, the first time that the user activates the photo or video function, clearly state if your app will tag the images with location data and allow the user to opt out of this feature.

5. Only collect personal information that your app needs to function

The Privacy Act requires that you only collect the personal information that is necessary. Consider whether you need to collect personal information at all.

  • If you cannot explain how a piece of personal information is related to the functions or activities of your app, then you probably should not be collecting it. Don’t collect personal information just because you believe it may be useful in the future.
  • Delete or de-identify personal information that you no longer need for a lawful purpose.
  • As best practice, allow users to opt in to the collection or use of their personal information. If that is not practicable, allow users to opt out of data collection. If you cannot enable users to opt in or out, explain this to users first so they can make an informed decision about whether to install your app.
  • Don’t collect sensitive information about a user at all, unless the user has expressly consented.
  • If you are sharing behavioural information or device identifiers with third parties (such as an ad network), your privacy policy should identify those third parties and link to information about how users can contact those parties. Ideally, users should be able to opt out of sharing their personal information with third parties.
  • Avoid collecting information about a user’s movements and activities through the use of integrated location and movement sensors unless it relates directly to the app and you have the user’s informed consent.
  • Don’t collect sound or activate the device camera without the specific permission of the user.
  • It is best privacy practice not to collect and store personal information about third parties from a user’s device unless you can obtain the consent of those parties. For example, do not collect and store your user’s address book.
  • Apps should be designed in a way that does not require you to collect any persistent identifiers if it is not essential to the functioning of the app.
  • Avoid associating personal information across apps, or between your app and a user’s social media account, unless it is obvious to the user and necessary to do so. If you must make links, ensure that personal information is not linked to a user’s identifier for longer than it needs to be. For example, if your app transmits personal information, you should not keep a copy of it unless it is necessary.
  • Allow users to change their minds about giving you access to their personal information. If this means that they have to uninstall the app, explain this clearly and simply.
  • Make someone in your business responsible for security.
  • Have appropriate controls in place both on the mobile device and on the backend systems to store personal information securely. For example, you should encrypt user information when it is transferred via the internet or stored.
  • Adapt your code to allow for differences in mobile platforms.
  • Generate credentials securely.
  • Do your due diligence on libraries and other third-party code.
  • Don’t store passwords in plain text on your server.
  • Give users the ability to request the deletion of all of the personal information about them that your app has collected.
  • Delete or de-identify personal information that you don’t need. Be transparent (for example, in your privacy policy) about how long it will take to delete personal information once a user stops using your app.
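Three of the bullets above (generate credentials securely, encrypt or otherwise protect stored user information, and never store passwords in plain text on your server) are concrete enough to show in code. The following is an added example written for this page; it is not code from the OAIC guide or from any app it describes. It assumes a server-side backend written in Python and uses only the standard library: `secrets` for credential generation, PBKDF2-HMAC-SHA256 with a per-user salt for password storage, and a constant-time comparison for verification. The record format and function names are illustrative, and the iteration count is a policy knob you should tune for your own hardware.

```python
"""Server-side credential handling for an app backend (added example).

Illustrates the guide's bullets: generate credentials securely, never store
passwords in plain text, and protect what you store.  A leaked table of
salted, slow hashes does not hand an attacker working passwords the way a
plain-text column does.  Only the Python standard library is used; the
record format and names below are illustrative assumptions.
"""
import base64
import hashlib
import hmac
import secrets

# Assumption: policy work factor for PBKDF2-HMAC-SHA256.  600_000 iterations
# is the OWASP (2023) recommendation for this algorithm; tune for your servers.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16
DK_LEN = 32
ALGORITHM = "pbkdf2_sha256"


def generate_credential(nbytes: int = 32) -> str:
    """Return an unguessable URL-safe token (API key, session id, reset token).

    `secrets` draws from the OS CSPRNG; the `random` module is not suitable.
    """
    return secrets.token_urlsafe(nbytes)


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Derive a salted hash and encode it as a self-describing record.

    Layout: pbkdf2_sha256$<iterations>$<salt_b64>$<hash_b64>
    Keeping the parameters beside the hash lets you raise the work factor
    later and transparently re-hash each user on their next login.
    """
    salt = secrets.token_bytes(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                             iterations, dklen=DK_LEN)
    return "$".join([
        ALGORITHM,
        str(iterations),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(dk).decode("ascii"),
    ])


def verify_password(password: str, record: str) -> bool:
    """Check a password against a stored record.

    Returns False rather than raising on a malformed record, so a corrupted
    row cannot become an authentication bypass through an exception path.
    The final comparison is constant-time.
    """
    try:
        algorithm, iterations_s, salt_b64, hash_b64 = record.split("$")
        if algorithm != ALGORITHM:
            return False
        iterations = int(iterations_s)
        if iterations < 1:
            return False
        salt = base64.b64decode(salt_b64, validate=True)
        expected = base64.b64decode(hash_b64, validate=True)
    except (ValueError, TypeError):
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                    iterations, dklen=len(expected))
    # compare_digest does not leak how many leading bytes matched.
    return hmac.compare_digest(candidate, expected)


def needs_rehash(record: str, iterations: int = PBKDF2_ITERATIONS) -> bool:
    """True if the record predates the current algorithm or work factor."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != ALGORITHM:
        return True
    try:
        return int(parts[1]) < iterations
    except ValueError:
        return True


if __name__ == "__main__":
    # Constructed sample user; the stored value is never the password itself.
    stored = hash_password("correct horse battery staple")
    print("stored record:", stored)
    print("login ok:", verify_password("correct horse battery staple", stored))
    print("wrong password:", verify_password("Correct horse battery staple", stored))
    print("fresh API key:", generate_credential())
```

On a successful login, call `needs_rehash` and, if it returns True, re-hash the password you just verified and overwrite the record; this is how you migrate an existing user base to a higher work factor without forcing resets. Transport encryption (TLS for every call from the app to this backend) is still required; hashing protects the stored secret, not the connection.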

6. Secure what you collect

See the OAIC’s Guide to information security for more information.

Data breaches

A data breach is when personal information your app holds is lost or subjected to unauthorised access, use, modification, disclosure or other misuse. If your app experiences a data breach, you may need to inform your users – and the OAIC. See our guide to data breach notification for more information about how to handle a data breach, and about any obligations you may have under the Privacy Act.
