The guidelines make it clear that mobile app developers are
responsible for all personal information handled by the app. As a
first step to compliance, the mobile app developers should map out
information flows, identify risks, and put controls in place (such
as contracts and user agreements) to ensure third parties respect
privacy obligations. Mobile app developers should also:
Be transparent about their information handling practices, and
describes the practices.
continues to accurately describe what is actually happening.
Distribute updates of the app with notices of associated
changes in information handling practices, and allow the user to
refuse the update.
Limit collection of information to what is needed now and allow
users to opt out of collection of information for additional,
Use encryption when storing and transmitting data.
Mobile app users should be notified of information handling
practices (i) when they download the app, (ii) when they first use
the app, and (iii) throughout their app experience. Mobile app
developers need to be creative and thoughtful to try to capture
users' attention, without causing notice fatigue.
The guidelines recognize the challenges to obtaining meaningful
consent on the small screen, and suggest a number of strategies,
layering privacy information, placing important points up front
and providing links to more detailed explanations;
using a privacy dashboard that displays a user's privacy
settings and provides a convenient means of changing them;
using visual cues and symbols such as graphics, colour, and
sound as cues to draw user attention to what is happening with
their personal information, the reasons for it, and choices
available to the user.
Further guidance on obtaining meaningful consent to computer
programs that impact on user's privacy may be found in the
Canadian Radio-television and Telecommunications Commission's
(CRTC) guidelines on complying with Canada's anti-spam
Lastly, the guidelines state that if a user deletes the app, then
their information should also be deleted.
In the U.S., the Federal Trade Commission (FTC) has also
introduced guidelines for mobile app developers, which address
truth-in-advertising, as well as privacy issues.
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.
To print this article, all you need is to be registered on Mondaq.com.
Click to Login as an existing user or Register so you can print this article.
The Personal Information Protection and Electronic Documents Act ("PIPEDA") does not prevent organizations from transferring personal information out of Canada, but instead leaves the decision – and accountability – up to the organization transferring the information.