Privacy and mobile apps

As with any other business or project, developers of mobile apps need to comply with the Data Protection Act.

A typical mobile ecosystem contains many different components, including mobile devices themselves, their operating systems, plus apps provided through an app store. In many ways these are simply developments of earlier technologies used on less portable hardware, but the mobile environment has some particular features that make privacy a particular concern.  For example:

  • Mobile devices such as smartphones and tablets are portable, personal, frequently used and commonly always on.
  • A mobile device typically has direct access to many different sensors and data, such as a microphone, camera and GPS receiver, together with the user’s combined data including email, SMS messages and contacts.
  • There are many different app configurations possible, and it is not necessarily obvious how an app deals with personal information behind its user interface.
  • Mobile devices often have small screens, typically with touch-based interfaces. This can make it more challenging for apps to effectively communicate with app users.
  • Consumers’ expectations of convenience can make it undesirable to present a user with a large privacy policy, or a large number of prompts, or both.

A survey of over 1,200 mobile apps by 26 privacy regulators from across the world has shown that a high number of apps are accessing large amounts of personal information without adequately explaining how people’s information is being used.

The key findings of the survey are:

  •  85% of the apps surveyed failed to clearly explain how they were collecting, using and disclosing personal information.
  • More than half (59%) of the apps left users struggling to find basic privacy information.
  • Almost 1 in 3 apps appeared to request an excessive number of permissions to access additional personal information.
  • 43% of the apps failed to tailor privacy communications to the small screen, either by providing information in a too small print, or by hiding the information in lengthy privacy policies that required scrolling or clicking through multiple pages.

The research did find examples of good practice, with some apps providing a basic explanation of how personal information is being used, including links to more detailed information if the individual wants to know more. The regulators were also impressed by the use of just-in-time notifications on certain apps that informed users of the potential collection, or use, of personal data as it was about to happen. These approaches make it easier for people to understand how their information is being used and when.

The Information Commissioner’s Office (ICO) has recently published ‘Privacy in Mobile Apps’ guidance to help app developers in the UK handle people’s information correctly and meet their requirements under the UK Data Protection Act.

As with all aspects of software, privacy is much easier to consider from the outset of a project rather than as an afterthought. This concept is often referred to as ‘privacy by design’.

If the app which you are developing may handle personal data, then you must comply with the Data Protection Act.  Personal data is not simply the usual identifier’s such as names and address, it could include a unique device identifier such as an IMEI number: even though this does not name the individual, if it is used to treat individuals differently it will fit the definition of personal data.

Some specific guidance points are as follows:

  • If you are a data controller, you need to register with the ICO.  Failure to do so is a criminal offence.
  • Carry out a privacy impact assessment to identify what personal data should be kept confidential, and a security assessment as to whether the app does in fact ensure confidentiality of the relevant data.
  • If any personal data is to be transferred outside the European Economic Area (EEA), you will have to ensure that legal safeguards are implements to provide adequate protection for it.
  • You should only collect and process the minimum data necessary for the tasks that you want your app to perform. Collecting data just in case you may need it in future is bad practice, even when the user has consented to provide that information.
  • Additionally, you must not store personal data for longer than is necessary for the task at hand. You should therefore define retention periods for the personal data you will hold.
  • If your app is aimed at children pay particular attention to what personal data you may be collecting.
  • You should allow your users to permanently delete their personal data and any account they may have set up with you. You should only make an exception if you are legally obliged to keep the data.
  • If you want to collect usage or bug report data, this is possible, but typically must be done either with informed consent from the user; or using anonymised data.
  • Users of your app must be properly informed about what will happen to their personal data if they install and use the app.
  • Privacy information is typically provided via a privacy policy. There is no requirement for this to be in one large document. In fact, in the mobile environment, this approach can be a hindrance. The relevant information can be provided in ways that better suit the small screen and touch-based interface of a typical mobile device.
  • Make relevant privacy information available as soon as practicable. Ideally this would be done before the user downloads the app, and could be done via an app store or via a link to your privacy policy. Where you provide privacy information after an app is downloaded and installed, make sure that this is done before the app processes the relevant personal data.
  • If appropriate, use a ‘layered’ approach where the most important points are summarised, with more detail easily available if the user wants to see it.
  • Give users a granular choice where possible. This allows the user to make meaningful decisions rather than giving the user a single ‘all or nothing’ choice.
  • Allow your users to easily review and change their decisions once the app is installed and in use. Give them a single and obvious place to go to configure the various settings within the app and give them privacy-friendly defaults. It should be as quick to disable a setting as it was to enable it.
  • If your app processes personal data in an unexpected way or is of a more sensitive nature you might need to consider the use of additional ‘just-in-time’ notifications or other alert systems to inform the user what’s happening. For example, if geo-location services are running in the background or you are uploading data to the internet, consider using clear and recognisable icons to indicate that this is occurring and where necessary the option to stop (e.g. to cancel an upload).
  • Take advantage of encrypted connections to ensure security of data in transit, by using SSL / TLS for instance. You should always use encrypted connections for transmitting usernames, passwords and any particularly sensitive information, including device IDs or other unique IDs.
  • You should be particularly careful if your app accesses data from other apps or locations; respect the sensitivity of the data in the context of its original purpose, not solely in the context of your app.