With the market for mobile applications (“apps”) booming, concern has increased around the amount and type of data that many apps collect and use. Recently, the Irish Data Protection Commissioner (“DPC”) along with data protection authorities from around the world (the “DPAs”) wrote an open letter to app marketplaces. The letter, dated 9 December 2014, called on app marketplace operators – like Google and Apple – to make links to app privacy policies mandatory. This letter followed the results of a global review of app privacy compliance which discovered that a significant majority of apps did not provide enough information about how consumers’ data would be used.

GPEN sweep

Earlier in 2014, the Global Privacy Enforcement Network (“GPEN”), an alliance of DPAs, conducted its second annual ‘privacy sweep’ (the “Privacy Sweep”). GPEN seeks to encourage organisations to comply with privacy legislation and to increase cooperation between privacy enforcement authorities.

The Privacy Sweep focused on mobile privacy, as apps had been specifically identified as having potentially significant privacy implications for consumers. The Privacy Sweep examined over 1,200 apps from around the world and particularly focused on the types of permissions the apps were seeking (such as location, camera and microphone). GPEN wanted to discover whether or not the requested permissions exceeded what might normally be expected, based on the functionality of the particular app. The way apps explained the need for certain permissions, as well as the intended uses of data, was also reviewed.

International issues with privacy notifications

On an international level, the Privacy Sweep found that numerous apps were requesting permissions for information that is potentially sensitive under certain laws. In particular, certain apps were requesting access to location data without explaining the need for such data. In addition, many of the apps that did provide privacy information were found not to have tailored the information to smaller screens. This resulted in issues with legibility due to the font size used in privacy policies.

How did Irish apps fare?

The Irish aspect of the Privacy Sweep took place in May 2014 with twenty apps from across various sectors being examined. These included apps for transport, banking, media and entertainment. The Irish Privacy Sweep found that more than half of the apps examined had insufficient privacy information, and only partially explained the intended use, collection and disclosure of the user’s personal data. Similar to the international results, the Irish Privacy Sweep also revealed that many of the in-app privacy notifications were not suited to smartphone-sized screens.

App stores warned

Although the open letter was addressed only to certain key app marketplaces, the DPAs were keen to stress that their recommendations were “intended for all stakeholders that operate an app marketplace.” Of “particular concern” were the numerous apps which appeared to collect personal information but which did not display a privacy policy or provide similar information. This gave rise to a concern that users, when making decisions about their personal information, were not meaningfully informed.

The DPAs particularly noted that, although most marketplaces allowed app developers to include a link to a privacy policy, such policies did not appear to be a mandatory requirement. The DPAs noted that app marketplaces already provide certain information to customers in relation to the apps that they make available. This information often includes the rating, size and version of the app. Although privacy policy links sometimes appeared in the listings provided by the marketplace, the DPAs were concerned by the absence of a consistent practice requiring the posting of such policies.

What can be learned?

The Privacy Sweep and the DPAs’ open letter serve as another reminder of the growing regulatory focus on the collection and use of personal data via apps. App developers should ensure that they adequately inform potential users of their privacy practices before app download and installation. In particular, permissions should only be sought where strictly necessary and users should be given information about why each permission is needed. Finally, app developers should also tailor their privacy information for smaller, mobile-sized screens. It is important not only that the correct information is provided to users, but also that it is displayed in a legible and accessible fashion.