OPC Issues Privacy Guidelines for Developing Mobile Apps
The offices of the Privacy Commissioners of Canada, Alberta, and B.C. have jointly issued guidelines on good privacy practices for developing mobile applications.
The guidelines highlight the need to maintain good privacy practices in the rapidly evolving world of the mobile environment. Today, cell phones enable users to do much more than simply make phone calls. This smart phone era creates many privacy challenges that mobile app developers need to be aware of and address. For example, many mobile devices are able to provide sensitive information about the user’s location, and the small size of mobile screens can make it difficult to provide users with the right information concerning privacy choices.
To help mobile application developers tackle these challenges, the guidelines raise the following five key privacy considerations:
1. Accountability of the App Developer
App developers are accountable for all personal information that is collected, used and disclosed through their app or organization. As a result, the guidelines suggest that developers:
2. Openness and Transparency of the App Developer’s Privacy Practices
- What personal information will be collected and why;
- Where and for how long the personal information will be stored; and
- Who will have access to the personal information (sharing options).
3. Collecting and Keeping Only What the App Needs
Privacy laws require that the collection, disclosure and retention of personal information be limited solely to what is needed to carry out the underlying, and legitimate, purpose of an app. Therefore, app developers should ask themselves what they need to collect and why, and whether or not the collection goes beyond the app’s core functions. App developers may be tempted to collect more than what is necessary (for example, for research purposes in developing new projects), but they should keep in mind that privacy laws require them to justify why they are collecting, using, disclosing and retaining personal information. As a result, app developers should consider putting in place the following features:
- Allowing users to refuse and/or opt out of any unnecessary data collection;
- Allowing users to delete the personal information they provide;
- Making sure that upon deletion of the app, the user’s personal information will be deleted as well; and
- Implementing appropriate safeguards such as encryption of collected data.
4. Obtaining Meaningful Consent on Small Screens
Smart phones have created many challenges for app developers, one being the effective communication of information to users about privacy policies and obtaining proper consent on small and limited mobile screens. The Privacy Commissioners have provided a list of various options to overcome this obstacle:
- Consider layering and making available the privacy information and important points users should be aware of right up front;
- Provide relevant links up front for more detailed information with respect to privacy information;
- Implement a privacy dashboard that displays the user’s privacy settings along with a tool to tighten or opt out of these settings, with explanations about the consequences of making such choices; and
- Provide visual cues to bring users’ attention to important information, such as graphics, icons, colors and sounds.
5. Timing is Critical for User Notice and Consent
For more, see these other helpful resources that have previously been issued: accountability and privacy management programs, self-assessment tools for organizations on securing personal information, and privacy responsibilities of organizations. App developers should also review Schedule 1 of PIPEDA, which provides additional privacy practices regarding accuracy (principle 6), openness (principle 8), individual access (principle 9), and the ability for a user to challenge compliance (principle 9).