The offices of the Privacy Commissioners of Canada, Alberta, and B.C. have jointly issued guidelines on good privacy practices for developing mobile applications.

The guidelines highlight the need to maintain good privacy practices in the rapidly evolving world of the mobile environment. Today, cell phones enable users to do much more than simply make phone calls. This smart phone era creates many privacy challenges that mobile app developers need to be aware of, and address. For example, many mobile device are able to provide sensitive information about the user's location; and the small size of mobile screens can make it difficult to provide users with the right information concerning privacy choices.

To help mobile application developers tackle these challengers, the guidelines raise the following five key privacy considerations:

1. Accountability of the App Developer

App developers are accountable for all personal information that is collected, used and disclosed through their app or organization. As a result, the guidelines suggest that developers:

  • Build a privacy management program that includes assigning one person, or a team of persons, to be responsible for privacy protections; establish a privacy policy; and create a description of the data collection, usage and flow that can be mapped and evaluated in accordance with your privacy policy; and
  • Institute proper controls such as contracts or user agreements in accordance with your privacy policy to ensure that third parties accessing collected data are bound to comply with the privacy requirements.

2. Openness and Transparency of the App Developer's Privacy Practices

Make sure users are well aware of, and are able to understand, what is being done with the personal information they provide while using the app – this is key and required by the various privacy laws. Users should have easy access to the app's privacy policy and related information. App developers should make sure users can easily locate the privacy policy and related information before any downloads, but also after they have downloaded and started using the app. This information should be drafted in simple and clear language and should consist of the following:

  • What personal information will be collected and why;
  • Where and how long will the personal information be stored; and
  • Who will have access to the personal information (sharing options).

App developers should also notify users of any changes to the privacy policy when users are updating the app and allow users to opt-out of receiving these notifications.

3. Collecting and Keeping Only What the App Needs

Privacy laws require that the collection, disclosure and retention of personal information be limited solely to what is needed to carry out the underlying, and legitimate, purpose of an app. Therefore, app developers should ask themselves what and why the collection is needed and whether or not it goes beyond the app's core functions. App developers may be tempted to collect more than what is necessary (for example, for research purposes in developing of new projects), but they should keep in mind that privacy laws require them to justify why they are collecting, using, disclosing and retaining personal information. As a result, app developers should consider putting in place the following features:

  • Allowing users to refuse and/or opt out of any unnecessary data collection;
  • Allowing users to delete the personal information they provide;
  • Making sure that upon deletion of the app, the user's personal information will be deleted as well; and
  • Implementing appropriate safeguards such as encryption of collected data.

4. Obtaining Meaningful Consent on Small Screens

Smart phones have created many challenges for app developers, one being the effective communication of information to users about privacy policies and obtaining proper consent on small and limited mobile screens. The Privacy Commissioners have provided a list of various options to overcome this obstacle:

  • Consider layering and making available the privacy information and important points users should be aware of right up front;
  • Provide relevant links up front for more detailed information with respect to privacy information;
  • Implement a privacy dashboard that displays the user's privacy settings along with a tool to tighten or opt out of these settings, with explanations about the consequences of making such choices; and
  • Provide visual cues to bring users attention to important information such, as graphics, icons, colors and sounds.

5. Timing is Critical for User Notice and Consent

Informing users of the privacy policy and what use will be made of their personal information is not enough according to the Privacy Commissioners. Users should be notified at the right times, such as at the time of download, at the time of their first use of the app, and throughout the time they are using or updating the app. App developers will then be able to ensure that they have obtained necessary consents from users. Additionally, app developers should ensure visual notifications and cues, as described above, are sent to users at the right time without causing "notice fatigue" or completely losing the users' interest.

For more, see these other helpful resources that have previously been issued: accountability and privacy management programs, self-assessment tools for organizations on securing personal information, and privacy responsibilities of organizations. App developers should also review Schedule 1 of PIPEDA, which provides additional privacy practices regarding accuracy (principle 6), openness (principle 8), individual access (principle 9), and the ability for a user to challenge compliance (principle 9).

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.