On October 24, 2012, the Privacy Commissioners of Canada, Alberta and British Columbia issued a joint guidance document on mobile applications, titled Seizing Opportunity: Good Privacy Practices for Developing Mobile Apps. The guidance conveniently summarizes general private sector privacy principles under the Personal Information Protection and Electronic Documents Act (PIPEDA) and the Personal Information Protection Acts of Alberta and British Columbia in one document, with specific application to the development of mobile applications (Apps).

The Privacy Commissioners provide tips on making consent more meaningful in the mobile App environment. Suggestions include:

  • Layering Information. The first layer of privacy disclosure could be icons, labels and images that lead to more detail through hyperlinks.
  • Privacy Dashboards. Provide tools to display privacy settings in a way that encourages user action and also explains the consequence of making a choice.
  • Colour and sound. Scale colour and sound and their intensity to the importance of the decision or sensitivity of the information.
  • Timing of user notice and consent.  Users should not have to search for an Apps privacy policy. Instead, users should be provided without clear and accessible information prior to download. However, disclosure before download may not be sufficient. Further disclosure to obtain consent should occur in real time as the information is being collected so that the user can make a timely choice. For example, if location information is being collected, a symbol could be used to indicate to users that this is happening.

The Privacy Commissioners also provide specific guidance with respect to the collection and use of certain types of personal information. For example:

  • Sound, Location and Movement. Collection of sound and data from the device’s location and movement sensors requires informed consent and must be directly related to the functionality of the App.
  • Cameras. Activation of the device camera requires specific permission of the user.
  • Device Identifiers. Apps should be designed in a way that that do not require collection of unique device identifiers unless that is “essential” to the functioning of the App.
  • Third parties.  Information about third parties (e.g. from a contact list) should not be collected without consent. The Privacy Commissioners do not specify whose consent.

The Privacy Commissioners also state that data should not be associated across Apps unless it is “necessary” to do so and “obvious” to the user.

In addition to this latest guidance, Apps developers may wish to consult The Roadmap for Privacy by Design in Mobile Communications: A Practical Tool for Developers, Service Providers and Users, which was co-authored by the Information and Privacy Commissioner of Ontario and the Arizona State University Privacy by Design Research Lab and published in December 2010.