The Global Privacy Enforcement Network recently published the results of its second annual privacy enforcement survey, or "sweep", which assessed the transparency of the privacy practices of popular mobile applications. The results of the sweep suggest that the privacy policies of a high proportion of mobile applications do not adequately explain how users' personal information is collected, used and disclosed. The general conclusion of the sweep was that clear and concise language in privacy policies builds consumer trust and is good for business.
The Office of the Privacy Commissioner of Canada (Commissioner) participated in the sweep and focused on 151 mobile applications that were popular among Canadians. The key findings of the Commissioner are as follows:
- 28% of the applications surveyed provided a clear explanation of their practices for collecting, using and disclosing personal information;
- 26% of the applications surveyed offered either no privacy policy or one that did not explain how users' personal information would be collected, used or disclosed; and
- among the applications with the best privacy practices were popular applications in the e-marketplace.
Tips for mobile application privacy policies
In connection with the sweep, the Commissioner released a guide for communicating privacy practices to mobile application users. The three primary messages contained in the guide are as follows:
- Be transparent. In order to obtain a meaningful consent from a user, a mobile application's privacy policy must be specific, understandable and easy to read. It should provide specific notifications to users at key decision points, such as during registration or at the point of purchase, and should be written in a manner that is understandable to the application's user base.
- Explain the data you are requesting. A mobile application's privacy policy should provide specific information in respect of how the application will use the permissions it seeks. If an application links to a user's social media accounts, the privacy policy should explain what, if any, information made available by such social media services is collected by the application and how it will be used and/or disclosed.
- Make, and keep, privacy information accessible. An application's privacy policy should also be accessible through the application's functionality – forcing users to exit the application to link to the application's website in order to view the privacy policy is cumbersome and unnecessary. If an application utilizes pop-ups at key decision points to convey privacy information or obtain consents, the application should contain functionality that enables a user to re-visit the information that was contained in the pop-up after the pop-up is dismissed.