The market for mobile applications (or mobile apps for short) is growing rapidly and, as a result, people are becoming more worried about the amount of information mobile apps are able to collect and use.
The Privacy Sweep
In May 2014, the Global Privacy Enforcement Network (GPEN), a network of 26 privacy enforcement authorities from all over the world that are concerned with data protection, carried out a Privacy Sweep.
It was clear that, due to the growth of mobile apps and their use of personal information, this "Privacy Sweep" should be centered on privacy practices for mobile apps. GPEN looked at 1,200 mobile apps from all over the world and analyzed what permissions these apps were seeking from users, e.g. use of the camera, use of location, use of the microphone.
Both mobile app marketplaces and mobile app developers should look at their current practices and how their practices can be improved based on the findings from this "Privacy Sweep" by GPEN.
Mobile apps are bought from marketplaces. The best-known mobile app marketplaces are the Google Play Store and Apple's App Store.
This is what Google's Play Store looks like:
This is what Apple's App Store looks like on an iPhone:
The "Angry Birds Seasons" mobile game asks the user to access the mobile device's system tools, storage, location and phone calls. Here's how the mobile game is requesting these permissions before the user downloads the app:
Asking for permissions from the user can also come as a pop-up request at the time the app needs the permission. Here's how the Skype app asks for permission to use the camera:
On iOS, the privacy permissions for each individual app can be managed from the iPhone "Settings" screen:
What GPEN wanted to find out was whether the permissions these apps were asking for were going further than what would be usually expected for that app based on what that app is used for.
For example, look at this permission request from the "Google Maps" app:
It's clear and expected that a mobile app focused on maps will ask permission for the user's location. But what about other apps? Do they need to ask for the user's location information?
GPEN also investigated the way the apps explained their reasons for needing particular permissions and what they were planning to do with the data they collect.
Results from the Privacy Sweep
A high proportion of the apps examined in the sweep (75%) requested one or more permissions. The permissions that were asked for most often were location, device ID, access to other accounts, camera, and contacts.
In Ireland, over half of the mobile apps analyzed were found not to have enough privacy information. Many apps were requesting data that could be considered sensitive under certain laws.
This shows how important it is that mobile apps need to become more straightforward and open about their privacy practices. Other apps were requesting location data without giving the reason for needing that data.
What this means
For mobile marketplaces
This letter was only addressed to the main marketplaces like Apple and Google, but the DPAs emphasized that their suggestions were "intended for all stakeholders that operate an app marketplace."
If you're developing a marketplace for mobile apps, these suggestions may apply to you too.
As a marketplace owner, you should make sure that you have implemented a way for mobile app developers to add the link to their agreement. Then, the link must be visible for all users.
For mobile app developers
As a mobile app developer, you should make sure that you're informing your users about your privacy practices before they download your mobile app.
Seek sensitive personal information, such as location data, only when you need it and inform users why you're requesting that information. Make sure that the legal page is properly sized for small mobile screens to be readable.
GPEN's analysis of these 1,200 mobile apps found the most popular apps in marketplaces were the ones with properly explained privacy practices and permissions.
Both large and small app developers are embracing the potential to build user trust by providing clear, easy to read and timely explanations about what information they will collect and how they will use it. Others are missing that opportunity by failing to provide even the most basic privacy information.
This quote from Commissioner Therrien of the Office of the Privacy Commissioner of Canada highlights and sums up just how important having clear legal agreements is for maintaining a good and trusting relationship with your users.
However, this seemingly unimportant detail can actually cost you a lot of money, or even your business. Case in point, Path.
The FTC fined the photo-sharing and messaging service Path $800,000 because of two huge mistakes: for storing third-party names and numbers from their address books without proper disclosure, and for failing to comply with the provisions of COPPA, a law that applies to every app that knowingly collects information from children who are 13 years of age and below.
The Office of the Privacy Commissioner of Canada published a list of "10 Tips for Communicating Privacy Practices to your App's Users" that covers 3 key issues:
- Be specific
- Speak to your audience
- Tailor to the environment: mobile, website etc.
Requesting and collecting data
- Describe how your mobile app uses the permissions it seeks
- Explain the data you gather through social media logins
- Permission to access is not necessarily consent to collect, use or disclose
The FTC in the US suggests a "Privacy by Design" approach. It encourages companies to consider the privacy of their users at every stage of their app's development.
This implies 3 things:
- Make sure the data you collect stays secure. Do not promise anything you don't intend to keep and avoid generic reassuring statements.
- Before you build an app or add a new feature, think about its impact on privacy
- As a marketplace, ensure that developers have a place from where they can add the necessary links to their legal agreements. Even go so far as to make it mandatory for these developers to do so.
- As a developer, make sure your legal agreements are available on your app's page on the marketplace website or app screen, on your website and throughout the app itself whenever you are requesting permissions from your users. Adapt these legal agreements for mobile screens to make them easier to read.