This October, the Federal, Alberta, and British Columbia privacy commissioners released guidelines to help mobile application developers comply with Canada’s federal and provincial privacy laws.

The guidelines make it clear that mobile app developers are responsible for all personal information handled by the app. As a first step to compliance, mobile app developers should map out information flows, identify risks, and put controls in place (such as contracts and user agreements) to ensure third parties respect privacy obligations. Mobile app developers should also:

  • Be transparent about their information handling practices, and have a privacy policy that is easy to find and describes those practices simply and clearly.
  • Monitor and audit their practices to ensure the privacy policy continues to accurately describe what is actually happening.
  • Distribute updates of the app with notices of associated changes in information handling practices, and allow the user to refuse the update.
  • Limit collection of information to what is needed now and allow users to opt out of collection of information for additional, peripheral services.
  • Use encryption when storing and transmitting data.

Mobile app users should be notified of information handling practices (i) when they download the app, (ii) when they first use the app, and (iii) throughout their app experience. Mobile app developers need to be creative and thoughtful to try to capture users’ attention, without causing notice fatigue.

The guidelines recognize the challenges to obtaining meaningful consent on the small screen, and suggest a number of strategies, including:

  • layering privacy information, placing important points up front and providing links to more detailed explanations;
  • using a privacy dashboard that displays a user’s privacy settings and provides a convenient means of changing them;
  • using visual cues and symbols such as graphics, colour, and sound to draw user attention to what is happening with their personal information, the reasons for it, and choices available to the user.

Further guidance on obtaining meaningful consent for computer programs that affect users’ privacy may be found in the Canadian Radio-television and Telecommunications Commission’s (CRTC) guidelines on complying with Canada’s anti-spam act.

Lastly, the guidelines state that if a user deletes the app, then their information should also be deleted.

In the U.S., the Federal Trade Commission (FTC) has also introduced guidelines for mobile app developers, which address truth-in-advertising, as well as privacy issues.