More than half of all New Zealanders now use smartphones, according to government statistics released last year.[1] Most, if not all, of these users will be using mobile apps as a way of conducting business, accessing information or entertainment and interacting with others. Whatever their principal function, most mobile apps will collect, or are capable of collecting, information from their users.

While the information is often used to personalise a user's experience of an app, the information a user provides can also be used for a variety of other purposes such as helping the mobile app developer fine-tune existing products, promoting related products of the app developer or owner to the user, or making the information available to third parties, often advertisers.

None of this is particularly new in that the same could be said of information collected from websites accessed via a desktop or laptop computer. However, with smartphones and other similar mobile devices, apps often collect information in the background, rather than by a user manually uploading information. What is more, the information that is collected may not always be needed for the app to run (for example, location data about a user may be collected when playing a game that does not otherwise require the user's location). Developers and owners of mobile apps still need to comply with the Privacy Act 1993 (Privacy Act) and be clear about what information is being collected, who is collecting the information, why it's being collected and how it may be used.

The Privacy Act 1993 Principles

The Privacy Act sets out 12 Information Privacy Principles (IPPs) which regulate the collection, accuracy, retention, use, disclosure, storage and security of personal information. The Privacy Act applies to the public and private sector with a few exceptions.[2] For the purposes of the Privacy Act, personal information is any information that relates to a living, identifiable human being.

What should users be told?

If you intend to make available a mobile app that will collect personal information about the user, you are required to take reasonable steps (prior to collection of the personal information, or if this is not practicable, as soon as practicable after collection) to ensure that a user of the app is aware of the following:

  • the fact that the information is being collected;
  • the purpose for which the information is being collected;
  • the intended recipients of the information;
  • the name and address of who is collecting the information, and who will hold the information;
  • the consequences (if any) for that individual if all or any part of the information is not provided; and
  • the rights of access to, and correction of, personal information provided.

When and where to say it

Fitting the appropriate information regarding the collection, use and disclosure of information into the condensed space of a smartphone screen can be problematic for developers. One option is to display pop-ups or alerts prior to downloading, on the first launch of the app or when location data may be collected (as the Google mobile app does). This pop-up or alert can contain some, all, or hyperlinks to, the information required to be provided to users and give them the option as to whether certain information is collected. Users can then acknowledge the pop-up or alert and remove it from their screen by clicking 'Okay' or 'Don't accept'/'Don't allow'.

The pop-up or alert should not be a substitute for a full privacy policy. A full privacy policy that is appropriate for how the app works should be available to users via the app's settings.

Who else will see your users' information

It is important to consider who will have access to the personal information that will be collected from a mobile app. It may be useful to share the information collected with other related companies (if you belong to a group of companies), or other organisations or entities with whom you share synergies.

It's not unusual for mobile app developers or owners to use the services of an analytics service provider to process the information that is collected via mobile apps. An analytics service provider analyses how your users interact with your mobile app. This information can then be used and shared to improve engagement and retention of users, as well as provide more information to those wanting to place advertisements on your mobile app.

If you intend to allow others to view information that has been collected, we recommend that a reference to those third parties be made in the initial pop-up or alert, as well as in any privacy policy in the app. The Privacy Act prohibits the disclosure of personal information unless it is believed, on reasonable grounds, that one of the specified exceptions applies. The exceptions include where:

  • the disclosure is one of the purposes in connection with which the information was obtained or is directly related to the purposes in connection with which the information was obtained; or
  • the disclosure is authorised by the individual concerned.

This means that, for example, if you choose to share information with an analytics service provider, users of the app should be informed that part of the purpose of collecting the information is for analytics, and that the intended recipients of the information include that analytics service provider.

How to deal with aggregated information

Some analytics service providers aggregate the information that you collect from your app with other information that other apps provide to it. These service providers often 'hash' your users' information first - a process that involves turning the pieces of personal information that you provide to it into a value or key that represents the original piece of information. Service providers can then analyse this anonymised data against other anonymised data sets that they have collected, and are able to provide you with insights as to how your app's performance compares to other apps in your industry.

When information that you provide to an analytics service provider is aggregated into a data set, that data may not in itself be considered personal information for the purposes of the Privacy Act. However, if that data set is combined with other data sets that could identify an individual, it could fall within the definition of personal information in the Privacy Act. It is important therefore to ensure that any contract between you and an analytics services provider adequately deals with your privacy obligations towards the users of your app.
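
The point above, that hashed records can become identifying once combined with another data set, shown as an added Python example (not part of the original article). The sample records, addresses, keys and function names are constructed for illustration, and the per-app keyed hash is one possible technical control assumed here, not something the article prescribes.

```python
import hashlib
import hmac

def normalise(email: str) -> str:
    # Providers typically normalise before hashing so equal inputs give equal outputs.
    return email.strip().lower()

def plain_hash(email: str) -> str:
    # Unkeyed hash: the same address always maps to the same value, in every data set.
    return hashlib.sha256(normalise(email).encode("utf-8")).hexdigest()

def keyed_hash(email: str, app_key: bytes) -> str:
    # HMAC with a secret per-app key: values from different apps no longer match.
    return hmac.new(app_key, normalise(email).encode("utf-8"), hashlib.sha256).hexdigest()

def build(dataset: dict, hasher) -> dict:
    # Replace each identifier with its hashed value, keeping the attributes.
    return {hasher(email): attrs for email, attrs in dataset.items()}

def linked_records(a: dict, b: dict) -> dict:
    # Join two hashed data sets on the hashed values they have in common.
    return {h: (a[h], b[h]) for h in a.keys() & b.keys()}

# Constructed sample data from two hypothetical apps.
GAME_APP = {"Alice@example.com": {"sessions": 42},
            "bob@example.com": {"sessions": 3}}
MAPS_APP = {"alice@example.com ": {"home_suburb": "Example Bay"},
            "carol@example.com": {"home_suburb": "Sampleton"}}

def demo():
    # Unkeyed hashes: the two data sets join on the shared user.
    plain = linked_records(build(GAME_APP, plain_hash),
                           build(MAPS_APP, plain_hash))
    # Per-app keys (constructed values): no hashed value is shared.
    key_game, key_maps = b"constructed-key-game", b"constructed-key-maps"
    keyed = linked_records(build(GAME_APP, lambda e: keyed_hash(e, key_game)),
                           build(MAPS_APP, lambda e: keyed_hash(e, key_maps)))
    return plain, keyed

if __name__ == "__main__":
    plain, keyed = demo()
    print("records linked with plain hash:", len(plain))
    print("records linked with per-app keyed hash:", len(keyed))
```

With the unkeyed hash, the game usage and the home suburb of the same person end up in one combined record even though neither data set contains an email address.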

Summary

If you are developing a mobile app for your business, it is important to have regard for the privacy of the potential users of your app and your obligations under the Privacy Act.