Developers of mobile applications accessed by British users should take note: the U.K.'s privacy and data protection agency, the Information Commissioner's Office (ICO), has released new privacy guidelines for app developers emphasizing the need for "privacy by design" and detailing the types of notices and design features that apps should integrate in order to comply with the country's Data Protection Act.
The guidance (available here ) describes in general terms how mobile app developers should incorporate privacy protections into the user experience, with protections and "opt out" functions tailored to the nature of the data collected. Although the guidelines illuminate the ICO's overall "privacy by design" approach, they don't actually provide a blueprint or "safe harbor" for individual app developers. Instead, the guidelines suggest that companies making their apps available to British users should scrutinize their data collection practices and privacy features beginning with the initial design phase and, where necessary, should consider revising privacy features for apps they have already launched. Among the determinations the guidelines suggest are whether the app deals with personal data, exactly what data the app collects and uses, who controls the data, and how the app will advise users and gain consent for data collection and use.
The guidelines note that ICO possesses substantial authority to interpret the Data Protection Act, issue industry guidelines, and enforce the Act through audits and enforcement actions (including the imposition of financial penalties). They also specifically note that developers outside of the U.K. that make apps available to the U.K. market should understand and anticipate that users in the U.K. will expect the app to comply with the Data Protection Act.
While the ICO has published a more complete guide to the Data Protection Act (available here), compliance with the Act may rest on fairly technical determinations. Specifically, companies must consider the nature of the personal data the app may access and use, how "intrusively" and intuitively the data is used, how it is being stored (if at all), and how clearly and transparently the app presents the user with control over privacy functions. In an evolving regulatory environment, where poor design and disclosure decisions can result in fairly serious financial penalties, companies offering apps in the U.K. market should seek legal guidance to ensure that their data collection and privacy practices fully comply with the Act.