Developers should take note of the privacy guidelines at all stages of the design and offering of mobile apps.
The Office of the Australian Privacy Commissioner (OAIC) has asked for comments on its draft privacy guidelines on developing mobile phone apps. The draft guidelines set out what the OAIC considers better privacy practice for app development. The due date for comments is 13May 2013. As a result, industry now has:
a chance to comment on what is better privacy practice for mobile phone apps; and
an insight into how OAIC will handle privacy complaints and investigations about these apps (this will be particularly important when the OAIC is given increased powers from March 2014).
Who and what is covered?
The OAIC says that an app developer is likely to be bound by the Privacy Act if the developer's business model relies on using personal information to sell advertising.
App developers are also bound if:
- their annual turnover is more than $3 million; or
- they handle health information; or
- they otherwise collect or disclose personal information for a benefit, service or advantage.
App developers are regulated by the OAIC in their handling of personal information. "Personal information" is information about an individual whose identity is apparent, or can reasonably be ascertained, from the information. App developers need to be mindful of this, as a lot of the information collected through mobile phone apps has the potential to be linked to the identity of the user (including IP addresses and unique device identifiers in certain circumstances).
When designing an app, it is important to identify:
- what sort of personal information will be collected;
- how that personal information will be used and disclosed; and
- the security policies under which personal information will be collected, used, accessed, stored and deleted.
By considering these issues from the outset and referring back to them during development, any privacy problems can be identified more easily during development of the app.
The draft guidelines encourage developers to undertake a "privacy impact assessment" (PIA) for each app. A PIA will describe how personal information "flows" in a project and analyse how that affects an individual's privacy. Publishing a PIA is a useful tool for developers to show users that they have a commitment to privacy. This in turn will help to build user trust.
The OAIC warns developers to be cautious when using third party code or software development kits, which may embed aggressive adware or malware in the app.
Only collect what you need
The Privacy Act requires organisations only to collect personal information that is necessary for their functions or activities. The draft guidelines suggest that developers should be able to explain how each piece of personal information they collect is related to the functions or activities of the app. Best practice would be to allow users to opt in to the collection of personal information (or, where impractical, at least allow them to opt out). If this is not possible, users should be told this upfront so that they can make an informed decision whether to install the app.
The OAIC gives guidance on a number of specific points, including that:
apps should avoid collecting information about a user's location unless it relates directly to the app and the user has given informed consent;
apps should be designed so that device-unique identifiers should not be collected unless that is essential for the functioning of the app; and
data should not be associated across apps unless it is obvious to the user and necessary to do so.
The draft guidelines see "meaningful consent" as the appropriate standard for any consent users need to give for the handling of their personal information. This means that a user should have a proper understanding of what data they will provide to the app and how that data will be used. The need for comprehensive information needs to be balanced against the risk of "notice fatigue", where a user ignores a notice they see too often. The guidelines suggest several strategies for avoiding this, some of which are outlined below.
The guidelines emphasise the importance of informing users of what is happening with their information in real time. This means giving clear notice (and obtaining any necessary consent) at the time of download, and then providing "in-context notices" when collecting information while the app is in use.
The guidelines make a number of suggestions on how to ensure meaningful consent and disclosure despite the small screens on mobile phones. These include preparing short-form notices that:
- are ideally no longer than a single screen; and
- focus on what data will be collected from users and how and why it will be shared with third parties; and
The guidelines also suggest using:
- a "privacy dashboard" with information to help users to understand and manage their privacy settings; and
- graphics and technology to provide visual cues to users about privacy (such as a dial, different colours or sounds to indicate different privacy settings).
Users are likely to respond positively to an app that presents their privacy choices in an accessible way.
App developers should note the opportunity to make submissions on the draft guidelines. The OAIC's statements about better practice, when finalised, are likely to influence the approach the OAIC takes in dealing with complaints and investigations about the handling of personal information collected through mobile phone apps. As a result, developers should take note of the guidelines at all stages of the design and offering of mobile apps.