- The issues and recommendations outlined in guidelines published by the OAIC provide a useful starting point from which to engage with the development of privacy regimes in the context of mobile application development.
- Ultimately, adopting a ‘privacy by design’ approach, in line with the recommendations set out in these guidelines, will assist developers in integrating privacy protections into their apps.
On 6 July 2016, The Pokémon Company and Niantic released Pokémon Go in Australia, New Zealand and the United States. Pokémon Go is a location-based mobile game that makes use of ‘augmented reality’ (AR), by overlaying elements of the original, 20-year old Pokémon game onto a user’s existing environment through the use of a smartphone’s built-in camera, internet and location services. The speed of its adoption has been ground-breaking; within one week, Pokémon Go became the most actively used game in the United States, topped Apple’s App Store charts, and increased Nintendo’s share price by as much as 50%.
Although the scale and speed of Pokémon Go’s adoption is unprecedented, it provides a useful opportunity to consider the key privacy concerns that arise in respect of novel mobile apps.
How does the Privacy Act apply to Pokémon Go and other mobile app developers?
The Privacy Act 1988 (Cth) (the Act) and the Office of the Australian Information Commissioner’s ‘Mobile privacy: a better practice guide for mobile app developers’ (the Guide)3 provide useful guidance for developers retailing mobile apps in Australia.
If the Act applies to an app developer, that developer must ensure that it collects, uses, discloses and otherwise deals with individuals’ personal information—that is, information or opinion (regardless of how it is recorded or whether or not it is true) ‘about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion’—in accordance with the requirements of the Act and of the Australian Privacy Principles contained within the Act.7
The Guide, and its recommendations, constitutes an important reference tool for app developers who are covered by the Act so that they are able to ensure compliance with its provisions. Even if not covered by the Act, app developers are encouraged to follow the practices recommended in the Guide in order to ‘stand out from the crowd and gain user trust and loyalty’.8
What privacy practices are recommended for app developers?
Ultimately, developers should be conscious of privacy at all stages of the app development process, and focus on timely, transparent and meaningful privacy practices. Companies involved in app development should consider:
- conducting a Privacy Impact Assessment, which considers and describes the impact and effect of a project on an individual’s privacy, and how this can be managed;9
- ensuring that the app itself only collects and makes use of information that it actually needs in order to function (for example, although AR apps require access to geolocation data in order to operate as intended, they are unlikely to need access to a user’s Google Calendar), and never collects and makes use of sensitive information without the express consent of the user;
- ensuring that any personal information collected is appropriately secured and, if possible, allowing users a mechanism to delete all data collected (particularly upon their deletion of the app);
- providing timely, effective and meaningful disclosures to users and obtaining their express consent when collecting personal information or sharing such data with third parties. Some proposed methods for improving such disclosures have included:
- providing information in ‘layers’, where the top layer provides high-level detail that is able to fit on a single screen but includes links or other methods of access to additional detail;
- providing privacy information in a ‘dashboard’ format, where users are allowed to select and later modify their privacy settings;
- creative use of graphics (these might include icons and symbols that are activated when information is being collected or used), colour and sound to better inform consumers; and
- in terms of timely disclosures, providing both advance notice and ‘real time’ or ‘just in time’ notification and allowing users to opt out when each disclosure is made;
- forming a better understanding of the particular functions of the code provided for use in the app by advertising networks and other third party service providers, in order to ensure that disclosures to consumers are truthful.10
Pokémon Go highlights the challenges of managing user expectations, legal requirements under the Act, and the technical and commercial imperatives of mobile apps. In particular, in light of the Act and Guide, Pokémon Go provides a number of key lessons for Australian app developers.
For example, in contrast with the Guide, Pokémon Go’s initial settings requested access to a broad range of data, much of which was not strictly necessary. If a ‘privacy by design’ approach were taken to Pokémon Go, it would have instead adopted the principle of least privilege and not requested access to user data without an identifiable technical or business need. Even then, apps should aim to request an appropriate level of access that it requires that is consistent with these needs. In the case of Pokémon Go, it may have been the case that the developers envisaged an increased need for access to data in future; however, developers should always consider whether a pre-emptively wide request is reasonable and appropriate.
Ultimately, Pokémon Go reflects the tension between the legitimate technical and commercial imperatives to gather data, and application of privacy-conscious principles such as data minimisation. Companies should aim to deeply integrate privacy into app development, and can make valuable use of the Guide to assist with this process.