Mobile apps are the new “must have” tool in any mobile marketing strategy, particularly for consumer brands. Cost effective to develop and operate, apps provide an ease and immediacy of interaction with consumers that is not available through traditional marketing channels.

They also have the potential to gather extensive amounts of personal information about the consumer. For organisations bound by the Australian Privacy Act, including the Australian Privacy Principles, this presents a legal compliance risk that needs to be balanced against the marketing strategy.


A global sweep of 1,200 mobile apps earlier this year by the Global Privacy Enforcement Network (GPEN) which is made up of international privacy authorities including the Office of the Australian Privacy Commissioner, found that the majority of mobile apps have privacy issues.

Most of the apps included in the annual sweep seek to access the user’s contact details, social media accounts and other personal information, without providing the user with sufficient information security protocols or properly advising the user of how their personal information will be used (and how they can protect their privacy).

A similar picture was painted by the US Federal Trade Commission (FTC) in its recent report on mobile shopping apps. The FTC found these apps often failed to clearly advise consumers of how their personal information would be used or handled.

The recommendation of the GPEN, following its annual sweep, is that “clear, concise information about privacy practices builds customer trust and is good for business”. This sentiment is echoed by the FTC and reflected in the OAIC’s privacy guidance for mobile app developers in the OAIC’s “Mobile privacy: a better practice guide for mobile app developers”. (Although the OAIC Guide was developed prior to the privacy law reforms earlier this year, it still provides useful guidance as to better privacy practice for mobile app developers and providers.)

Privacy best practice for mobile apps

If you’re looking to develop or use a mobile app to interact with consumers in Australia, and you’re bound by the Australian Privacy Act[1], you will need to:

1. Avoid over-collecting personal information 

The golden rule: “if you don’t need to know, don’t collect it”. This goes hand-in hand with another golden rule: “the more you know, the more you’re responsible for”. Some tips:

  • Avoid collecting sensitive information (such as health information) through the app, if possible.
  • If you’re using WiFi analytics or the app seeks to access the user’s personal information (such as the user’s location, MAC address/IP address, social media accounts, camera and contacts), consider whether you really need all this data and how the user can turn off these functions.

2. Conduct a privacy risk assessment as part of the planning phase

  • Understand how the data will flow through your organisation (the “data lifecycle”). This means knowing what personal information the app collects, what you’ll do with it, where the data goes, how it is stored and your processes for deleting data at the end of its lifecycle.
  • If you’re intending to use the mobile app to send direct marketing or you will share personal information collected through the app with others (particularly where they are overseas), ensure you can do so lawfully and be transparent about this in your privacy policy.
  • Conduct a Privacy Impact Assessment to help you map the data lifecycle. It will highlight privacy risk “hotspots” and whether your data handling processes need updating.

3. Be transparent about what data is being collected

Provide the user with:

  • clear Terms of Use that deal with privacy, prior to the app being downloaded (or first launched) that are easy to find and to understand; and
  • easy access to your privacy policy and collection notice. This should be up-to-date and set out (in plain English) what personal information the mobile app collects and how you will handle that personal information (see APPs 1 and 5 for further detail). If you must link to another site that hosts your privacy policy, ensure the link works and can be accessed through the app.

4. Tailor your privacy policy, collection notice and other privacy-related communications to the small-screen

The OAIC’s Guide contains an extensive list of recommendations for meeting the “small screen” challenge. This includes:

  • incorporating short form notices for privacy policies that are no longer than a single screen (if possible);
  • drawing the users’ attention to any collection, use or disclosure of information that they would not otherwise reasonably expect; and
  • using pop-ups, layered information and just-in-time notification to inform users of potential collections or uses of personal information when they are about to happen.

5. Adopt a “privacy-by-design” approach, wherever possible

This means building in privacy and security settings into the app’s architecture from the beginning, rather than trying to “bolt it on” later.

6. Have a written contract in place with your mobile app developer

The contract should reflect your privacy compliance (as well as commercial, technical and legal) requirements, such as the required privacy features and settings. It should also deal with the level of access the developer will have to consumer data collected through the app (if any) during development and testing and on completion.

The bottom line is, if you’re using a mobile app to engage with consumers in Australia or to otherwise collect personal information, then you will need to ensure it complies with the Australian Privacy Principles.

You must be transparent about what personal information you’re collecting and your privacy practices, as well as complying with your other privacy obligations under the Australian Privacy Principles. The risk of non-compliance could be a fine of up to $1.7 million for an organisation, which would put a big hole in any marketing budget.