With the market for mobile applications (“apps”) booming, concern has increased around the amount and type of data that many apps collect and use. Recently, the Irish Data Protection Commissioner (“DPC”) along with data protection authorities from around the world (the “DPAs”) wrote an open letter to app marketplaces. The letter, dated 9 December 2014, called on app marketplace operators – like Google and Apple – to make links to app privacy policies mandatory. This letter followed the results of a global review of app privacy compliance which discovered that a significant majority of apps did not provide enough information about how consumers’ data would be used.
Earlier in 2014, the Global Privacy Enforcement Network (“GPEN”), an alliance of DPAs, conducted its second annual ‘privacy sweep’ (the “Privacy Sweep”). GPEN seeks to encourage organisations to comply with privacy legislation and to increase cooperation between privacy enforcement authorities.
The Privacy Sweep focused on mobile privacy, as apps had been specifically identified as having potentially significant privacy implications for consumers. The Privacy Sweep examined over 1,200 apps from around the world and particularly focused on the types of permissions the apps were seeking (such as location, camera and microphone). GPEN wanted to discover whether or not the requested permissions exceeded what might normally be expected, based on the functionality of the particular app. The way apps explained the need for certain permissions, as well as the intended uses of data, was also reviewed.
International issues with privacy notifications
On an international level, the Privacy Sweep found that numerous apps were requesting permissions for information that is potentially sensitive under certain laws. In particular, certain apps were requesting access to location data without explaining the need for such data. In addition, many of the apps that did provide privacy information were found not to have tailored the information to smaller screens. This resulted in issues with legibility due to the font size used in privacy policies.
How did Irish apps fare?
The Irish aspect of the Privacy Sweep took place in May 2014 with twenty apps from across various sectors being examined. These included apps for transport, banking, media and entertainment. The Irish Privacy Sweep found that more than half of the apps examined had insufficient privacy information, and only partially explained the intended use, collection and disclosure of the user’s personal data. Similar to the international results, the Irish Privacy Sweep also revealed that many of the in-app privacy notifications were not suited to smartphone-sized screens.
App stores warned
What can be learned?
The Privacy Sweep and the DPAs’ open letter serve as another reminder of the growing regulatory focus on the collection and use of personal data via apps. App developers should ensure that they adequately inform potential users of their privacy practices before app download and installation. In particular, permissions should only be sought where strictly necessary and users should be given information about why each permission is needed. Finally, app developers should also tailor their privacy information for smaller, mobile-sized screens. It is important not only that the correct information is provided to users, but also that it is displayed in a legible and accessible fashion.