Global privacy authorities issue communique regarding apps and privacy policies
December 11, 2014 |
The Privacy Commissioner has issued a statement titled Global privacy authorities urge app marketplaces to make links to privacy policies mandatory. The laxity in privacy protections and compliance with data protection laws, including proper privacy policies and consents have been a long standing concern. The Federal Trade Commission has been active in addressing this problem (see post here for example). The Australian Privacy Commissioner, amongst others, less so.
The statement provides:
Privacy enforcement authorities from around the world are calling on app marketplaces to make it mandatory for mobile app developers to post links to privacy policies prior to download if they’re going to collect personal information.
Twenty three privacy authorities are raising the issue in an open letter today to seven key players in the app marketplace: Google, Apple, Samsung, Microsoft, Nokia, Blackberry and Amazon.
Australian Privacy Commissioner, Timothy Pilgrim said that making links to privacy policies mandatory would improve transparency and trust with customers.
‘Directing users to where they can easily access an apps privacy policy will allow people to make a meaningfully informed decision about the collection and use of their data before making the decision to download the app,’ Mr Pilgrim said.
Having privacy information prior to download is critical as it allows individuals to decide whether they are comfortable with the collection and use of their personal information before the app is even on their device. Without this information, it is difficult for individuals to provide meaningful consent.
‘Under Australian privacy laws, organisations must have a clearly expressed and up to date privacy policy that tells people how their personal information will be managed,’ Mr Pilgrim said.‘We are continuing to educate mobile app developers to adopt a privacy by design approach –to incorporate privacy considerations at the beginning of projects. However, if mobile app marketplaces also require apps to provide users with easy access to the privacy policy then I believe that will be making progress towards improving the customer’s privacy experience.’
The joint recommendation follows a mobile app privacy sweep in May 2014 by the Global Privacy Enforcement Network (GPEN) that found many popular mobile apps were seeking access to large amounts of personal information without adequately explaining how that information would be used.
Sweep partners examined 1,211 mobile apps and found that 85 per cent of them failed to clearly explain how they would collect, use and disclose personal information.
Background
App developers are encouraged to consider the OAIC’s Mobile privacy: a better practice guide for mobile app developers.
The Sweep, which took place from 12 to 18 May 2014, involved 26 privacy enforcement authorities from around the world, up from 19 international participants during last year’s inaugural event. The growth of this year’s Sweep shows privacy enforcement authorities are more committed than ever to working together to promote privacy protection.
The Sweep did not involve an in-depth analysis of the privacy practices of each mobile app, but the exercise sought to replicate the consumer experience by spending a few minutes per site checking for performance against a set of criteria.
The Sweep was not an investigation, nor was it intended to conclusively identify compliance issues or legislative breaches. The GPEN initiative is aimed at encouraging organisations to comply with privacy legislation and to enhance co-operation between privacy enforcement authorities.
2014 Sweep highlights — Global and Australian results
- Three-quarters of all apps examined requested one or more permissions, the most common of which included location, device ID, access to other accounts, camera and contacts. The proportion of apps requesting permissions and the potential sensitivity associated with the information highlights the need for apps to be more transparent.
- Some 59% (Global result) and 67.9% (Australian result) of apps left sweepers scrambling to find pre-installation privacy communications. Many offered little information about why the data was being collected or how it was being used prior to download, or provided links to webpages with privacy policies that were not tailored to the app itself. In other cases, the links led to social media pages that didn’t work or required the user to log in. Sometimes it was difficult to determine who the developer or data controller was.
- For 31% (Global result) and 11.3% (Australian result), of the apps, sweepers expressed concern about the nature of the permissions being sought. Sweepers felt the apps requested access to information that exceeded their functionality, at least based on the sweepers’ own understanding of the app and the associated privacy policy.
- Some 43% (Global result) and 22.6% (Australian result) of apps did not tailor privacy communications to the small screen. Sweepers complained of small print and lengthy privacy policies that required scrolling or clicking through multiple pages. Best practices included using pop-ups, layered information and just-in-time notification to inform users of potential collections or uses of information when they were about to happen.
- Just a fraction of apps examined, 15% (Global result) and 15% (Australian result), provided a clear explanation of how it would collect, use and disclose personal information. The most ‘privacy friendly’ apps offered brief, easy to understand explanations of what the app would and would not collect and use pursuant to each permission.
[…] Global privacy authorities issue communique regarding apps and privacy policies […]