The Article 29 Working Party Group adopted an opinion on February 27, 2013 regarding data protection considerations relevant to apps on smart devices.

The Opinion is aimed at app developers, app stores, operating system and device manufacturers, and other interested third parties such as advertising and analytics service providers. It applies to apps available for any type of smart device, but is aimed particularly at apps available for smart phones.

The Opinion focuses on the risks to individuals’ privacy which can arise in the context of app use – for example, where users are not made sufficiently aware of the extent of personal data collected from their devices, where personal data is processed for purposes other than those which are strictly required for the app to function, or where users have not consented, in a free and fully informed manner, to the use of their personal data in the context of app use.

The Opinion emphasises that, at a minimum, app users should be provided with a comprehensive privacy policy. The privacy policy should be easy to understand and readily accessible, particularly for apps which are aimed at children. It should include information as to the types of data collected from or accessed on the device, any third parties to whom data will be disclosed, the period for which data is retained, and information in relation to any transfers of personal data to countries outside of the EEA which are regarded by the EU Commission as not having adequate standards of data protection.

The Opinion underlines the need to make users aware of any use of the data by third parties, and indicates that stating that data will be used for broad purposes such as “product innovation” or “analytics” will not generally be sufficient to constitute valid and informed consent to the processing of personal data for those purposes.

The Opinion emphasises that app developers must ask for the consent of users to the processing of their personal data before the app starts to retrieve or place information on the user’s device – for example, before installation of the app. In addition, it states that such consent must be freely given, specific and informed, particularly if children will be using the app. It appears that a ‘click-wrap’ type consent – where, for example, users are informed that by downloading the app they consent to the uses and disclosures of their data – is unlikely to constitute a valid consent to the processing of personal data. This indicates that a positive action will be required from users before the app is installed or activated – for example, the user might be required to check a box consenting to the privacy policy.

The Opinion further recommends that granular (i.e. separate and specific) consents be obtained for each type of data the app will access, in particular for certain categories of data such as location data, contacts, unique device identifier and credit card/payment data. The idea is that users should be able to specifically control which personal data processing functions offered by the app they want to activate.

Additional recommendations worth noting include that users should be able to un-install apps, that users’ data should be deleted when the app is un-installed, and that a specific period of inactive app use should be defined, after which period all personal data associated with the app should be deleted.