In the European Union, the pertinent legal framework regarding privacy, and thus privacy policies, is the Data Protection Directive and the ePrivacy Directive.
The Data Protection Directive and ePrivacy Directive guidelines apply to all EU member states, in addition to each member state's own privacy laws: Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, United Kingdom.
- E-commerce websites
- Mobile apps (iOS, Android, Windows)
- Desktop apps
- Facebook apps
- SaaS apps
- Embeddable widgets
- And so on
On average, a user has downloaded 37 applications to their smartphone, but is not made fully aware of what personal information is being collected from the device.
As a mobile app developer (or as any business owner that must collect at least 1 category of personal data), if the business you're creating is not developed with the Data Protection principles and standards, you may expose users' private information.
Uninformed consent is in direct conflict with the Data Protection Principle of gaining informed consent.
The Data Protection Directive
The Data Protection Directive broadly applies where the use of a website or a mobile application includes the use of personal data of individuals/users.
The party responsible for certifying compliance with the EU Data Protection Directive (as well as any additional member state laws) is the party that directly develops, operates or distributes the website/mobile app.
Here's an example:
Mobile Application Company Alpha (MACA) is developing a social network through a mobile application platform (iOS, Android or Windows) that's being made available to users in France.
The development of MACA's application is done in Spain.
The laws of Spain are the laws that control data processing because MACA processes personal information collected through the mobile app there, in Spain, despite the application being available to users in France.
Overlapping this Data Protection Directive is the ePrivacy Directive. This directive establishes a minimum for global businesses that wish to store or access information from a user's device within the European Economic Area (EEA).
If you operate from outside the EU and have users in the EU, the first requirement you need to comply with is the consent requirement.
Storing information on, or accessing information stored in, a user's equipment (smartphones or PCs used to browse the website) is only allowed once the purpose of the processing has been communicated to the user and express consent has been given.
An example of express consent is ICO.co.uk. The website places cookies on users' computers and it's asking for consent before doing so:
Rightmove's cookie notification doesn't seek express consent the way ICO does (clicking "I Agree"), but rather informed consent:
The consent requirement goes beyond what would be considered personal information (anything that can identify an individual) and applies to any type of information regardless of the nature of the data.
This consent requirement applies to all those living in the European Economic Area, regardless of the location of the service provider (the business).
Article 10 of the Data Protection Directive notes that every data subject (user, consumer, etc.) has a right to know who is processing their personal information.
The user has the right to know what kinds of information are being taken and what that personal information's intended use is.
At a minimum, you must inform users about:
- Who the processor of the information is. This includes the business' contact information.
- The categories of personal data the business will collect and process through its website or mobile app.
- What the personal information is collected for.
- Whether the collected information will be disclosed to third parties.
- How the user may exercise their rights regarding deletion of information and withdrawal of consent.
This is critical. The only way for the consent of a user to be valid is if the user has been presented with this information.
MOO places its links to the legal agreements right in the footer:
MOO is committed to protecting your personal information. We will not disclose your personally identifiable information to third parties without your consent except:
Disclosure for legal reasons
We reserve the right to communicate your personal information to third parties that make a legally-compliant request for the disclosure of personal information.
Performance of our operations
The service is necessary for the performance of our operations: mail delivery, hosting services, protecting us from fraud, and payment of your account.
Changes in MOO Print Ltd.'s business
Aggregate business analyses
MOO Print Ltd also provides analyses of our customers in the aggregate (basically, one big lump of data) to prospective partners, advertisers, and other third parties. We do this so that we, along with our business partners, can understand you better, and keep bringing you great services. We may also disclose, on an anonymous basis, literal statements made by our customers. At no time, however, will we disclose personal information about specific customers.
Linked websites are not under the control of MOO Print Ltd and we are not responsible for the conduct of companies linked to our website. Before disclosing your personal information on any other website, we advise you to examine their terms and conditions of use.
The ePrivacy Directive
According to the ePrivacy directive, personal information is data related to an individual who is either directly or indirectly identifiable to the controller or to a third party.
Examples can be any of the following:
- User's location
- A unique device identifier (which includes the mobile number)
- Identity of the data subject
- Identity of the phone (name of the device)
- Credit card and banking data
- Call logs
- Text messages or other forms of messaging
- Browsing history
- Pictures and videos
- Biometric data
Consent prior to installation and processing of personal data is the decisive test of whether a business may process personal information.
For a mobile app to access a user's contacts, pictures, and other personal documents, Article 5(3) of the ePrivacy Directive requires freely given, informed and specific consent from the user.
To be "freely given", the user must have had a choice of whether to accept or refuse and may not be presented with a single box stating "I accept." An option to cancel must be available to users.
Airbnb presented two choices for users: Disagree or Agree.
If users agreed to the updated agreements, they had to perform 2 steps:
- Click I Agree to the updated Terms
- Then click Agree
Without checking the I Agree to the updated Terms checkbox, users couldn't use the updated version of Airbnb's mobile app.
To be "informed", the user must have the necessary information at their disposal to form an accurate judgment. To be "specific", the expression of consent must be related to the limited category of data being processed at that moment.
This can be the mobile app or the website asking for a user's geolocation data:
Consent given by a user for the use of phone numbers from their contacts directory does not correlate to consent to use other types of information from their mobile devices.
Besides basic consent, the fundamental principles underlying the Data Protection Directive are purpose limitation and data minimization.
Purpose limitation means enabling users to make a deliberate choice to trust a party with their personal data: they learn how their data is being used, and can rely on the limited description of purpose to understand what their data will be used for.
Data minimization means that businesses must narrow the personal information they need to collect for their website or mobile app to function to a minimum to prevent excessive and potentially illicit data processing.
Another aspect that's required by the Data Protection Directive is security.
Parties involved in the transfer or handling of personal information must certify that they are taking data protection principles into account to reduce risks.
Security, storage and transfer of information
We follow strict security procedures to ensure that your personal information is not damaged, destroyed, or disclosed to a third party without your permission (unless they are providing services as outlined in the 'who has access to Your Information' section above) and to prevent unauthorized access to it. The computers that store the information are kept in a secure facility with restricted physical access and we use secure firewalls and other measures to restrict electronic access. If we are working with third parties we will require them to have in place similar measures to protect Your Information.
All of the information we collect or record is restricted to our offices. Only employees who need the information to perform a specific job are granted access to personally identifiable information. We will explicitly ask you when we need information to identify you. We may require you to co-operate with our security checks before we disclose information to you. You can update the personal information that you give us at any time by viewing your my details page.
As a business, you must ensure proper levels of security over data collected. Consider implementing the following:
- Choose appropriately secure places to store users' personal information.
- Checks to exclude data that could be compromised or stolen.
- Design the website and/or the mobile app in such a way as to prevent unauthorized access.
- Develop a clear policy procedure on how the website and/or the mobile app is going to be developed and how users' personal information is collected and used.
All these practices reduce the risk to users' personal information. Applying any of these methods means taking only the personal information you need, when you need it, and only for what you need it.
The Cookies law
EU online businesses must inform users about cookies and get their informed consent, according to the Cookies Law effective from 26 May 2012.
The Cookies Law was introduced via amendments to the ePrivacy Directive and it requires websites and mobile apps to get user consent for the use of tracking technologies.
You can place this kind of notification on your website using any of the most popular methods to do so:
- The fixed notification in the footer. This is what ICO does, placing a fixed notification about cookies on all pages until the user clicks "Don't show this message again":
- The top notification in the header. Another common place for this notification is at the top, like BBC does:
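The notification alone is not enough: the site must also hold back non-essential cookies until the user has agreed. As an added example (not code from the article or from any of the sites it names), here is a small JavaScript consent gate: every cookie write declares its purpose, writes without consent are deferred rather than placed, consent is recorded per purpose so that agreeing to one never implies another, and withdrawal removes cookies already placed. The purpose names and the cookie-store interface are assumptions.

```javascript
// Added example: purpose names and the cookie-store interface are assumptions.
const PURPOSES = ['analytics', 'marketing']; // assumed non-essential purposes

// In-memory stand-in for document.cookie so the example runs outside a browser.
class MemoryCookieStore {
  constructor() { this.jar = new Map(); }
  get(name) { return this.jar.has(name) ? this.jar.get(name) : null; }
  set(name, value) { this.jar.set(name, value); }
  remove(name) { this.jar.delete(name); }
}
class ConsentGate {
  constructor(store) { this.store = store; this.deferred = []; this.placed = new Map(); }
  // The consent record is itself strictly necessary; absent means "not yet asked".
  record() { const raw = this.store.get('consent'); return raw ? JSON.parse(raw) : null; }
  allowed(purpose) {
    if (purpose === 'essential') return true;     // session, CSRF token, consent record
    const rec = this.record();
    return rec !== null && rec[purpose] === true; // unset or false counts as refused
  }

  // Every cookie write declares its purpose. A write without consent is held back,
  // never silently placed, and replayed only if the user later agrees.
  setCookie(name, value, purpose) {
    if (!this.allowed(purpose)) { this.deferred.push({ name, value, purpose }); return false; }
    this.store.set(name, value);
    this.placed.set(name, purpose);
    return true;
  }

  // The banner's Agree/Disagree handlers call this with explicit per-purpose choices;
  // consent for one purpose never implies consent for another.
  recordChoice(choices) {
    const rec = {};
    for (const p of PURPOSES) rec[p] = choices[p] === true;
    this.store.set('consent', JSON.stringify(rec));
    const held = this.deferred; this.deferred = [];
    for (const d of held) this.setCookie(d.name, d.value, d.purpose); // re-checked
    return rec;
  }

  // Withdrawal removes cookies already placed for that purpose, not just future ones.
  withdraw(purpose) {
    const rec = this.record() || {};
    rec[purpose] = false;
    this.store.set('consent', JSON.stringify(rec));
    for (const [n, p] of [...this.placed]) if (p === purpose) { this.store.remove(n); this.placed.delete(n); }
    return rec;
  }
}
```

In a real page the store would wrap document.cookie (or the server's Set-Cookie logic) and the banner's buttons would call recordChoice with the boxes the user actually ticked.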
This checklist might help:
- Respect and comply with the obligations of being a data controller when you process data from and about your users. Read the Data Protection Directive guidelines and the ePrivacy Directive guidelines.
- Have the same level of compliance when you use third parties involving personal information.
- Ask for consent before your website or mobile app retrieves or places data on users' mobile devices or PCs. This consent must be freely given and informed. Mirror notifies users about placing cookies:
- Be aware that consent doesn't allow for excessive or unreasonable data processing. Asking permission from users to share geolocation data doesn't imply permission to contact them via email:
The same best practice would apply for any other platform, such as Facebook:
And from the mobile app itself:
- Provide ways for users to exercise their rights when it comes to deletion of their personal information or withdrawal of consent.
The other guides: for the United States, for Canada or for Australia.