Office of the Privacy Commissioner of Canada Releases Guidance Document for Developing Mobile Apps

On October 24, 2012, the Office of the Privacy Commissioner of Canada released the guidance document “Seizing Opportunity: Good Privacy Practices for Developing Mobile Apps,” which was developed in conjunction with the Offices of the Information and Privacy Commissioner of Alberta and British Columbia. This OPC guidance document is aimed at helping app developers in Canada address the unique characteristics of the mobile space and the special challenges related to protecting privacy in this environment, such as the potential for comprehensive surveillance of individuals and the difficulty of conveying meaningful information about privacy on a small screen to users whose attention is intermittent.

The OPC guidance document highlights the fact that privacy protection is not only the law, it makes good business sense. For instance, some surveys suggest that good privacy practices can be a competitive advantage, helping gain user trust and loyalty. In fact, it may even be a necessity — one survey showed that 57 per cent of app users in the United States either uninstalled an app or declined to install an app due to concerns with respect to sharing their personal information. In Canada, it appears that the majority of Canadians agree that protecting personal information will be one of the most important issues facing Canada in the next 10 years, with the overriding opinion being that businesses are requesting too much personal information, not keeping this information secure and selling the information to other organizations.

Key Privacy Considerations

Simply put: you are responsible for the personal information collected, used and disclosed through your app, regardless of the type of app you develop. Generally speaking, “personal information” means “information about an identifiable individual.” According to the Federal Court, where there is a serious possibility that an individual could be identified through the use of the information, whether alone or in combination with other available information, the information is about an identifiable individual.

Where you will be collecting, using and/or disclosing personal information through your app, the following considerations are particularly relevant according to the OPC guidance document:

  1. Be accountable. Build a privacy management program, including a privacy policy, and identify someone within your company to be responsible for privacy protection. Ensure and insist on compliance with privacy laws not only internally, but in all of your business arrangements and contracts with third parties.
  2. Be transparent. Before users download your app, provide clear and accessible information with respect to what personal information you will be collecting, why you are collecting it, where it will be stored, whom it will be shared with and why, how long you will keep it, and any other relevant privacy issues. Should you make any updates or changes to your app’s privacy policy after it has been downloaded by a user, provide advance notice about these changes and allow reasonable time for feedback before these changes take effect. Do not make updates that will lessen a user’s privacy without notifying users. Ever.
  3. Be selective and secure. Limit the collection of personal information to what is needed to carry out legitimate purposes — you may not need to collect personal information at all. If you are having difficulty explaining how a piece of information relates to the functioning of your app, rethink collecting it. Data should not be collected simply because it may be useful in the future and data should be deleted when it is no longer necessary for the original purpose identified. After deciding what information will be collected, have controls in place, appropriate to the sensitivity of the information, to ensure its security. Provide users with a clear and easy way to refuse an update, deactivate the app and delete all the data collected about them. Delete data automatically on deactivation or deletion of the app by a user.
  4. Obtain meaningful consent. In addition to the difficulty of conveying information on a small screen, users can often suffer from “notice fatigue” and ignore notices or warnings they see too often. To reach users with the necessary information, put important details up front and embed links to the details. Also use visual cues such as graphics, colour and sound to draw a user’s attention to important information.
  5. Timing is critical. Again, user attention in the smart phone world is intermittent and limited. Moreover, with so many apps available, users cannot be expected to remember information they were provided upon downloading an app. Therefore, it is important to be thoughtful and creative with respect to the timing of your privacy messages, not only telling users in advance what will happen with their information, but also informing users when they first use the app and throughout their app experience.

According to the Office of the Privacy Commissioner of Canada, the increasing popularity of apps will likely bring increased scrutiny of the privacy practices of businesses operating in the mobile space, not only by regulators but also by consumers who are becoming increasingly informed, perceptive and influential. Therefore, implementing the recommendations set out in the OPC guidance document not only makes sense from a legal and business perspective, it may soon become a necessity.

The full OPC guidance document can be viewed at: http://www.priv.gc.ca/information/pub/gd_app_201210_e.asp