Communicating privacy practices to users of mobile apps can be
challenging, especially given small screen sizes and the difficulty
of capturing app user attention. The Office of the Privacy
Commissioner of Canada (OPC) has acknowledged these challenges and,
in September 2014, published Ten Tips for Communicating Privacy Practices to
Your App's Users.
These tips were provided in connection with the findings of the
second annual Global Privacy Enforcement Network (GPEN) Privacy
Sweep, which the OPC participated in along with twenty-five other
privacy enforcement authorities from around the world.
The GPEN Privacy Sweep assessed 1,211 apps with a focus on the
information provided and consents requested with respect to the
collection, use and disclosure of personal information. Certain
findings of the GPEN Privacy Sweep are summarized in a news release issued by the OPC on September 10,
The Ten Tips for Communicating Privacy Practices to Your
App's Users build on the guidelines on good privacy practices for
developing mobile applications jointly issued by the OPC and the
offices of the Privacy Commissioners of Alberta and B.C. in
The key takeaways from the Ten Tips for Communicating Privacy
Practices to Your App's Users are:
Issues and complaints arise when there is a lack of transparency
around the collection, use and disclosure of personal information.
Privacy practice information should be clear and specific (rather
than generic or broad), taking into account the sophistication of
the audience and "small screen challenge" of mobile
devices. Where personal information is not being collected, that
fact should be clearly indicated.

Explain the Data Being Requested and Collected. To obtain meaningful
consent, app users need to be informed not just of the app's
ability to access personal information (including information made
available through logins to third party social media accounts, such
as Facebook), but also why that information is needed and how it
will be used if consent is provided. When requesting consent, the
request needs to specifically cover the full scope of use (e.g.
consent to access does not necessarily constitute consent for the
collection, use or disclosure of personal information).

Make, and Keep, Privacy Information Accessible. It is recommended that privacy
practice information be provided just-in-time (when it is most
relevant, such as at a key decision point) and be included in the
app itself rather than by providing a link to a website that has
that information. Users should be able to easily re-visit privacy
practice information at any time (e.g. if an explanation is
provided in a pop-up, the same explanation should be available in a
location that is accessible after the pop-up has been
To ensure compliance with Canadian privacy laws, app providers
should take into consideration these tips provided by the OPC when
developing and implementing privacy practices for their apps.