The Global Privacy Enforcement Network recently published the results of its second annual privacy enforcement survey, or “sweep”, which assessed the transparency of the privacy practices of popular mobile applications. The results of the sweep suggest that the privacy policies of a high proportion of mobile applications do not adequately explain how users’ personal information is collected, used and disclosed. The general conclusion of the sweep was that clear and concise language in privacy policies builds consumer trust and is good for business.

The Office of the Privacy Commissioner of Canada (Commissioner) participated in the sweep and focused on 151 mobile applications that were popular among Canadians. The key findings of the Commissioner are as follows:

  • 28% of the applications surveyed provided a clear explanation of their practices for collecting, using and disclosing personal information;
  • 26% of the applications surveyed offered either no privacy policy or one that did not explain how users’ personal information would be collected, used or disclosed; and
  • among the applications with the best privacy practices were popular applications in the e-marketplace.

Tips for mobile application privacy policies

In connection with the sweep, the Commissioner released a guide for communicating privacy practices to mobile application users. The three primary messages contained in the guide are as follows:

  • Be transparent. In order to obtain meaningful consent from a user, a mobile application’s privacy policy must be specific, understandable and easy to read. It should provide specific notifications to users at key decision points, such as during registration or at the point of purchase, and should be written in a manner that is understandable to the application’s user base.
  • Explain the data you are requesting. A mobile application’s privacy policy should provide specific information in respect of how the application will use the permissions it seeks. If an application links to a user’s social media accounts, the privacy policy should explain what, if any, information made available by such social media services is collected by the application and how it will be used and/or disclosed.
  • Make, and keep, privacy information accessible. An application’s privacy policy should also be accessible through the application’s functionality – forcing users to exit the application to link to the application’s website in order to view the privacy policy is cumbersome and unnecessary. If an application utilizes pop-ups at key decision points to convey privacy information or obtain consents, the application should contain functionality that enables a user to re-visit the information that was contained in the pop-up after the pop-up is dismissed.

Lin Cong