Mobile apps are the new “must have” tool in any mobile marketing strategy, particularly for consumer brands. Cost effective to develop and operate, apps provide an ease and immediacy of interaction with consumers that is not available through traditional marketing channels.
They also have the potential to gather extensive amounts of personal information about the consumer. For organisations bound by the Australian Privacy Act, including the Australian Privacy Principles, this presents a legal compliance risk that needs to be balanced against the marketing strategy.
MOBILE APPS HAVE PRIVACY “ISSUES”
A global sweep of 1,200 mobile apps earlier this year by the Global Privacy Enforcement Network (GPEN) which is made up of international privacy authorities including the Office of the Australian Privacy Commissioner, found that the majority of mobile apps have privacy issues.
Most of the apps included in the annual sweep seek to access the user’s contact details, social media accounts and other personal information, without providing the user with sufficient information security protocols or properly advising the user of how their personal information will be used (and how they can protect their privacy).
A similar picture was painted by the US Federal Trade Commission (FTC) in its recent report on mobile shopping apps. The FTC found these apps often failed to clearly advise consumers of how their personal information would be used or handled.
The recommendation of the GPEN, following its annual sweep, is that “clear, concise information about privacy practices builds customer trust and is good for business”. This sentiment is echoed by the FTC and reflected in the OAIC’s privacy guidance for mobile app developers in the OAIC’s “Mobile privacy: a better practice guide for mobile app developers”. (Although the OAIC Guide was developed prior to the privacy law reforms earlier this year, it still provides useful guidance as to better privacy practice for mobile app developers and providers.)
Privacy best practice for mobile apps
If you’re looking to develop or use a mobile app to interact with consumers in Australia, and you’re bound by the Australian Privacy Act, you will need to:
1. Avoid over-collecting personal information
The golden rule: “if you don’t need to know, don’t collect it”. This goes hand-in hand with another golden rule: “the more you know, the more you’re responsible for”. Some tips:
- Avoid collecting sensitive information (such as health information) through the app, if possible.
- If you’re using WiFi analytics or the app seeks to access the user’s personal information (such as the user’s location, MAC address/IP address, social media accounts, camera and contacts), consider whether you really need all this data and how the user can turn off these functions.
2. Conduct a privacy risk assessment as part of the planning phase
- Understand how the data will flow through your organisation (the “data lifecycle”). This means knowing what personal information the app collects, what you’ll do with it, where the data goes, how it is stored and your processes for deleting data at the end of its lifecycle.
- Conduct a Privacy Impact Assessment to help you map the data lifecycle. It will highlight privacy risk “hotspots” and whether your data handling processes need updating.
3. Be transparent about what data is being collected
Provide the user with:
The OAIC’s Guide contains an extensive list of recommendations for meeting the “small screen” challenge. This includes:
- incorporating short form notices for privacy policies that are no longer than a single screen (if possible);
- drawing the users’ attention to any collection, use or disclosure of information that they would not otherwise reasonably expect; and
- using pop-ups, layered information and just-in-time notification to inform users of potential collections or uses of personal information when they are about to happen.
5. Adopt a “privacy-by-design” approach, wherever possible
This means building in privacy and security settings into the app’s architecture from the beginning, rather than trying to “bolt it on” later.
6. Have a written contract in place with your mobile app developer
The contract should reflect your privacy compliance (as well as commercial, technical and legal) requirements, such as the required privacy features and settings. It should also deal with the level of access the developer will have to consumer data collected through the app (if any) during development and testing and on completion.
The bottom line is, if you’re using a mobile app to engage with consumers in Australia or to otherwise collect personal information, then you will need to ensure it complies with the Australian Privacy Principles.
You must be transparent about what personal information you’re collecting and your privacy practices, as well as complying with your other privacy obligations under the Australian Privacy Principles. The risk of non-compliance could be a fine of up to $1.7 million for an organisation, which would put a big hole in any marketing budget.