The Article 29 Working Party Group adopted an opinion on February 27 2013 regarding data protection considerations relevant to apps on smart devices.
The Opinion is aimed at app developers, app stores, operating system and device manufacturers, and other interested third parties such as advertising and analytics service providers. It applies to apps available for any type of smart device, but is aimed particularly at apps available for smart phones.
The Opinion focuses on the risks to individuals’ privacy which can arise in the context of app use – for example, where users are not made sufficiently aware of the extent of personal data collected from their devices, where personal data is processed for purposes other than those which are strictly required for the app to function, or where users have not consented, in a free and fully informed manner, to the use of their personal data in the context of app use.
The Opinion underlines the need to make users aware of any use of the data by third parties, and indicates that stating that data will be used for broad purposes such as “product innovation” or “analytics” will not generally be sufficient to constitute valid and informed consent to the processing of personal data for those purposes.
The Opinion further recommends that granular (ie separate and specific) consents be obtained for each type of data the app will access, in particular for certain categories of data such as location data, contacts, unique device identifier and credit card/payment data. The idea is that users should be able to specifically control which personal data processing functions offered by the app they want to activate.
Additional recommendations worth noting include that users should be able to un-install apps, that users’ data should be deleted when the app is un-installed, and that a specific period of inactive app use should be defined, after which period all personal data associated with the app should be deleted.