Communicating privacy practices to users of mobile apps can be challenging, especially given small screen sizes and the difficulty of capturing app user attention. The Office of the Privacy Commissioner of Canada (OPC) has acknowledged these challenges and, in September 2014, published Ten Tips for Communicating Privacy Practices to Your App’s Users.
These tips were provided in connection with the findings of the second annual Global Privacy Enforcement Network (GPEN) Privacy Sweep, which the OPC participated in along with twenty-five other privacy enforcement authorities from around the world.
The GPEN Privacy Sweep assessed 1,211 apps with a focus on the information provided and consents requested with respect to the collection, use and disclosure of personal information. Certain findings of the GPEN Privacy Sweep are summarized in a news release issued by the OPC on September 10, 2014.
The Ten Tips for Communicating Privacy Practices to Your App’s Users build on the guidelines on good privacy practices for developing mobile applications jointly issued by the OPC and the offices of the Privacy Commissioners of Alberta and B.C. in 2012.
The key takeaways from the Ten Tips for Communicating Privacy Practices to Your App’s Users are:
- Be Transparent. Issues and complaints arise when there is a lack of transparency around the collection, use and disclosure of personal information. Privacy practice information should be clear and specific (rather than generic or broad), taking into account the sophistication of the audience and the “small screen challenge” of mobile devices. Where personal information is not being collected, that fact should be clearly indicated.
- Explain the Data Being Requested and Collected. For consent to be meaningful, app users need to be informed not just of the app’s ability to access personal information (including information made available through logins to third party social media accounts, such as Facebook), but also why that information is needed and how it will be used if consent is provided. A consent request needs to specifically cover the full scope of use (e.g. consent to access does not necessarily constitute consent for the collection, use or disclosure of personal information).
- Make, and Keep, Privacy Information Accessible. It is recommended that privacy practice information be provided just-in-time (when it is most relevant, such as at a key decision point) and be included in the app itself rather than by providing a link to a website that has that information. Users should be able to easily re-visit privacy practice information at any time (e.g. if an explanation is provided in a pop-up, the same explanation should be available in a location that is accessible after the pop-up has been dismissed).
To ensure compliance with Canadian privacy laws, app providers should take into consideration these tips provided by the OPC when developing and implementing privacy practices for their apps.