The new craze, Pokémon Go, is a mobile App that makes use of augmented reality to catch virtual creatures in the real-world space. Whilst the App is still set to be released in South Africa, many users have already taken to the streets to ‘catch ‘em all’. This means that many users have resorted to bypassing their phones’ security measures or downloading an unauthorised or unsafe version.

Like many mobile Apps, when downloading the App, users must consent to it accessing certain personal information on the phone, including contact details, Google account information, photos and GPS location. Consumers often accept the terms and conditions without understanding the extent of what they have just consented to.

Since most Apps are available to users for free, many App manufacturers make a profit by selling the data collected from the users to third parties such as businesses. Businesses (advertisers) thrive on knowing the basic information of consumers, such as where consumers spend their time, what interests consumers have and which places consumers visit most. This information helps businesses develop advertisements to target their specific consumers.

The concern, however, is that the data collected amounts to personal information. POPI, the Protection of Personal Information Act (although not in effect yet), regulates the collection and dissemination of personal information and broadly defines it as any information relating to an identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person. Section 50 and section 51 of the Electronic Communications and Transactions Act (ECTA) also set out principles on how personal information is to be obtained in an electronic transaction. Both ECTA and POPI would require App manufacturers to bear in mind the following when developing Apps:

  • Obtain the express written permission of the App user for the collection, collation, processing or disclosure of personal information;
  • Request only personal information that is necessary for the specific purpose for which the personal information is required and, if it is further processed, ensure that such further processing is lawful and compatible with the purpose for which the personal information has been requested, and allow the App user to amend any personal information that has been collected and processed;
  • Keep a record of the personal information used or disclosed to a third party and the specific purpose for which it was used or disclosed, for the period the personal information is used, and ensure sufficient security safeguards are in place to protect the personal information gathered; and
  • Ensure the personal information collected is of good quality and delete or destroy all personal information which has become obsolete.

The above principles and conditions mean that it is unlawful for App manufacturers to collect, collate, process, or disclose your personal information that is not required for the specific purpose for which it was collected, collated, processed or disclosed. For example, a torch App on an iPhone requires consent from the user to access the user’s contact list. There is no purpose for the collection of the user’s contact list in relation to the functionality of the App. On the other hand, the Pokémon App requires access to a user’s personal information such as the user’s GPS location, but the collection, collation, processing or disclosure of such personal information is justified because the App requires access to your personal information in order to alert you when you are in close proximity to a Pokémon.

App users must therefore be mindful of the App requirements and permissions before accepting the terms and conditions. Furthermore, App users that are using their mobile phones for both private and business purposes should also take special precautions to ensure that their business’s confidential and sensitive information is not easily accessed when downloading and using certain Apps. In this case employers should ensure that they have firm online or internet user and social media policies, that all employees are aware of their data privacy rights, and that employees are advised of the dangers of downloading unknown or unsecure Apps.