Fresh on the heels of a similar agreement by US app platform providers, Europe’s major mobile operators have agreed to implement guidelines for the development and privacy of mobile apps. The GSM Association published the guidelines, which have been agreed to by Vodafone, Deutsche Telekom, France Telecom SA Orange and others. The guidelines will likely apply not only to the European operators, but will also help shape standards and guidelines for US and other operators worldwide.

The guidelines note that while the technological capabilities of mobile apps are a powerful enabler for innovative business models, they may also provide a vehicle for malicious or surreptitious access to a user’s personal information. Applications that legitimately access and use personal information may fail to meet the privacy expectations of users and undermine their confidence and trust in organizations and the wider mobile industry. Problems occur when users are not given clear and transparent notice of an application’s access to and use of their personal information, or when they are not given an opportunity to express meaningful choice and control over the use of their information for secondary purposes beyond those necessary to the operation of an application or service.

Under the guidelines, companies should effectively notify users about what personal information the mobile app will collect, store and share, as well as the purposes for using the information. The guidelines are intended for all parties that collect and use personal information from mobile users, including the mobile providers, platform operators, app developers, app distributors and device makers.

Notice of the privacy practices should be made available before an app is downloaded. Users should know if the app is supported by advertisements, and advertising to the mobile user should only use information that was properly obtained in accordance with the guidelines and applicable law. The guidelines also include standards for data retention, security, consumer education, social networking, location data and use by children and adolescents.

Express opt-in permission should be obtained when the collection of personal information is not necessary for the primary purpose of the app, when information is shared with a third party, and when information is retained after use of the app. Additionally, if the company desires to modify its collection or sharing of personal information, it should notify the user and obtain appropriate consent before implementing the changes.