Privacy AdvisorIAPP Westin Research Center

The All-New IAPP Mobile App Privacy Tool

January 28, 2014

Kelsey Finch, Westin Research Fellow

Only six years after the first app store opened, the mobile app ecosystem has become a multi-billion dollar industry. Need to find a coupon, catch a cab, quit your job, see in the dark, find a date, lose weight, compose a song, read a book, monitor your heart rate, turn a channel, or, at this time of year, just buy some Girl Scout cookies? Well, there’s an app for that, as the slogan goes.

With nearly unlimited niches to fill and a global audience within reach, the mobile app universe can be richly rewarding—but it can also present privacy pitfalls for those who leap before they look. Regulators globally have begun to turn a watchful eye toward the privacy and security practices of mobile apps. For example, the FTC has recently settled an enforcement action against the popular Brightest Flashlight app, while Canadian and Dutch privacy regulators concluded a joint crackdown against the ubiquitous messaging service WhatsApp. To help industry players “do the right thing,” several regulators and industry groups have released best practices or guidance papers for participants in the mobile ecosystem. Alas, you may now find it difficult to navigate the numerous guidance documents in order to understand what your app or mobile platform can and can’t do with users’ data.

Navigating Mobile Privacy Compliance

This week, the IAPP Westin Research Center launches a new tool to help you comply with the standards and obligations imposed by leading regulators and trade associations in both the U.S. and Europe. We realize that employing expensive consultants and law firms may not be an option for you right out of the gate. So, now you can get a head start on creating a privacy policy, providing transparency and choice, negotiating with vendors and building an app with “privacy by design.”

The IAPP’s Mobile App Privacy Tool will help you navigate through seven important guidance documents, whether you are an app developer, platform designer, operating system provider, device manufacturer, ad network or any other interested party. To simplify the various guidance documents, the tool divides the requirements in each document into nine distinct topic tabs to help you hone in on what is most relevant for your mobile work. The nine categories include data collection, data retention, notice and transparency, choice and consent, accountability and oversight, specific privacy controls, security and children’s privacy, as well as a miscellaneous category that functions as a guide-specific catch-all. In addition, each guidance note and category is divided into tabs to help distinguish between obligations imposed on different players in the ecosystem, such as app developers, platform designers or ad networks. (Not all guidance documents address each and every party).

Hence, you can “slice and dice” the guidance notes as needed, checking, for example, what notice requirements are for various players across several documents; what app developers are obligated to do in California, or what European regulators have to say about data retention limits.

The Guides

In using the Mobile App Privacy Tool, you will access the most recent, mobile app-specific guidance from seven leading regulators and industry groups. Hence, the tool reflects industry best practices, privacy advocates’ input, as well as non-binding recommendations from both U.S. and European regulators. The seven guides covered by the tool are:

California A.G., Privacy on the Go: Recommendations for the Mobile Ecosystem (January 2013)

The California Attorney General’s Privacy Office sets one of the highest standards for privacy and data protection, recommending a “surprise minimization” approach to app building. This means “supplementing the general privacy policy with enhanced measures to alert users and give them control over data practices that are not related to an app’s basic functionality or that involve sensitive information.” The guide addresses all apps originating in or targeting California users, but can also be implemented by industry players in other parts of the world.

EU Article 29 Working Party, Opinion 2/2013 on apps on smart devices (February 2013)

European data processing restrictions typically set a high standard for data protection for all players in the mobile sphere, and this guidance addresses any app developer, distributor, or mobile device data recipient operating in the EU. The opinion of the Article 29 Working Party, comprising privacy regulators from all 28 EU Member States, focuses on “the consent requirement, the principles of purpose limitation and data minimization, the need to take adequate security measures, the obligation to correctly inform end users, their rights, reasonable retention periods and specifically, fair processing of data collected from and about children.”

FTC, Mobile Privacy Disclosures: Building Trust Through Transparency (February 2013)

In this staff report, the primary federal privacy regulator in the U.S. offers “several suggestions for the major participants in the mobile ecosystem as they work to improve mobile privacy disclosures.” Recent settlements demonstrate the FTC’s focus on mobile apps and its readiness to bring enforcement actions against them. While this report is non-binding, “the FTC will view adherence to [strong mobile codes of conduct] favorably in connection with its law enforcement work.”

CDT-FPF, Best Practices for Mobile Application Developers (July 2012)

The Center for Democracy and Technology, an advocacy group, and the Future of Privacy Forum, a privacy think tank, worked jointly to release this “primer for developers who are interested in preserving their customers’ privacy but who aren’t necessarily privacy experts themselves.” The guide addresses app developers specifically and provides policy recommendations to foster privacy by design, better inform and empower end-users, and bolster consumer trust.

GSMA, Mobile and Privacy: Privacy Design Guidelines for Mobile Application Development (February 2012)

The GSM Association (GSMA), which represents mobile operators worldwide, “unites nearly 800 mobile operators with 250 companies in the broader mobile ecosystem.” Its mobile privacy principles apply to all parties in the app service and delivery chain, and seek to engender user trust and implement privacy by design. In focusing on the principles of transparency, choice and control, the GSMA provides policy guidelines, implementation recommendations and specific use cases and examples.

NAI, NAI Mobile Application Code (July 2013)

The Network Advertising Initiative (NAI) Code governs only NAI member companies and its guidance is specific to mobile advertising activities. The Code is intended to complement other mobile and industry initiatives, including those from the Digital Advertising Alliance (DAA), the Mobile Marketing Association (MMA) and the National Telecommunications and Information Administration (NTIA), as well as the NAI’s desktop Code of Conduct. The Mobile Code emphasizes high-level principles of notice, choice and transparency to set a high but flexible industry standard for mobile advertising.

NTIA, Short Form Notice Code of Conduct to Promote Transparency in Mobile App Practices (July 2013)

The NTIA’s voluntary code of conduct, created as part of the White House’s privacy strategy, incorporates guidance from multiple privacy stakeholders to describe how and when an app might use a short form notice about its collection and sharing of consumer information with third parties. The code primarily targets app developers, and does not apply to software that consumers do not directly interact with, inherent functions of a device, or apps that are solely provided or sold to enterprises for use within those businesses.

Conclusion

In the rapidly evolving world of app development and mobile privacy, it can be difficult to navigate the maze of regulatory requirements, industry standards and best practice recommendations. Each of the guides distilled into the Mobile App Privacy Tool emphasizes a slightly different approach to implementing commonly accepted principles in order to find the right balance between consumer privacy and mobile app entrepreneurialism. While businesses are urged to at least meet industry standards, they should pay careful attention to implementation of stricter recommendations issued by regulators to minimize the risks of a privacy violations and ensuing enforcement actions.

While these codes and guidance documents are voluntary and non-binding, they serve as a good indication for businesses of potential regulatory enforcement. Remember that if your app touches the types of information covered by specific laws or regulations (such as children’s information, credit reports, health information, or commercial communications) you will also have to comply with those laws. As ever, it is crucial to make sure that you live up to the letter and spirit of any promise you make to users about privacy and data security, to avoid liability under Section 5 of the FTC Act or potentially bruising class action litigation. Accordingly, it is important to notify users if and when you change how their information is used or collected. Last but not least, remember that your apps must also comply with the terms and conditions of any platform or app store through which they are offered, including the Apple Store, Google Play and the Facebook Platform.

We look forward to receiving your comments and input on operationalizing the Mobile App Privacy Tool through the Privacy List or via email: kfinch@privacyassociation.org.

Read More By Kelsey Finch:
Cookie Monsters of Silicon Valley Come to Brussels
FTC v. Wyndham: Round One
Straight from the Pacific Ocean: A Tidal Wave of California Privacy Laws