As previously announced, the Global Privacy Enforcement Network (GPEN) recently released the results of the global privacy sweep of mobile applications it conducted in May 2014.
More than 25 privacy commissions around the world examined a total of 1,211 mobile apps. The sweep targeted both Apple and Android apps, both free and paid apps, both public and private sector apps, and covered a variety of different types of apps, ranging from games and health apps to banking apps. The privacy commissions’ reviews focused in particular on transparency and consent.
GPEN’s key findings include the following:
- Three quarters of the apps requested at least one permission from their users, usually relating to location, device ID, access to other accounts, camera and contacts;
- Nearly one third of the apps appeared to request access to information which seemed irrelevant to the functionalities of the app;
- In almost 60% of the cases, it was difficult to find any privacy-related information before installing the app;
- Over 40% of the apps’ privacy policies were not easily readable on small screens;
- The majority of apps (85%) fail to provide clear information on the collection, use and disclosure of personal data.
- The report praises the use of pop-ups, layered information (putting important information up front with links embedded to more details) and just-in-time notification (informing the users of potential collections or uses of information when they are about to happen).
The most popular apps were among those that received the best ratings. This confirms the general conclusion of the sweep: clear, concise privacy language builds consumer trust and is good for business.
Top tips for your mobile apps
The Office of the Privacy Commissioner of Canada, which coordinated the sweep, released ten tips for communicating privacy practices to app users. They can be summarised in the following three commandments:
- Be transparent
Privacy information should be specific, comprehensible and easily readable. In practice, this implies that rather than providing long legalistic privacy policies, specific notifications should be given at key decision points, e.g. the moment of purchase. Any information should be written in an understandable manner, taking into account the language and level of sophistication of your audience. Also, any information should be presented in a way that takes into account the mobile device context, including smaller screens.
- Explain the data you are requesting and collecting
Secondly, sufficient information must be given to allow users to make an informed consent decision. Specific information should be given on how the app will use the permissions it seeks. Information should also cover data collected through social media logins such as Facebook, and the manner in which such externally collected data will be used. When asking permission, you should also make sure that you ask permission for all data usage envisaged: permission to access information does not as such imply permission to collect, use or disclose such information.
- Make, and keep, privacy information accessible
Users should not be left guessing whether and to what extent an app collects personal data. Even if your app does not collect any personal data, the user should be informed of this. You should also avoid users having to exit the app to access privacy information, as this is an unnecessary and cumbersome extra step. It is preferable to make privacy information available via integration with the app’s functions. When using pop-ups or similar mechanisms at key decision points, make sure you include a functionality that allows users to revisit the information after the pop-up is dismissed.