< Back

Share |

Drafting policies for mobile apps

May 2013

When using apps on a smartphone or tablet, we directly and indirectly give away a lot of information about ourselves and our device. This should be an entirely transparent process, yet often it is opaque - leaving us in the dark about what types of data an app may use.

This lack of transparency and user awareness was recently identified by a Working Party of EU regulators the Article 29 Working Party as a key data protection risk arising from the processing of personal data in apps on smart devices. 

Screen with files and pad lockThe view of the Working Party goes beyond issues of transparency and also considers the wider legal framework that applies to personal data when developing, distributing and using apps. A summary of the issues for app developers can be found in our recent Download article.  When considering the specific issue of transparency, the Working Party makes clear that it is the availability of information on personal data processing that is critical in order to ensure valid user consent.

In practice this means that, at the very least, every app should have a privacy policy. Even apps that are not intended for the processing of personal data should have a privacy policy that makes this fact clear. Although other tools or notices may also be needed in order to collect a valid consent, it is the privacy policy that has an important role in informing that consent.

Explaining the fundamentals

Assuming that information about a user or related to their device is collected, then the policy should, as a minimum, inform potential users before they install the app of the following:

  • who the data controller is (identity and contact details);
  • the precise categories of personal information the app will collect and use;
  • for what purposes the information will be used;
  • whether specific data will be disclosed to third parties; and
  • how users may exercise their rights in terms of withdrawing their consent, accessing or correcting their information and the deletion of data.

Highlighting the use of device features and app derived data

In addition to the fundamentals, the policy should point out whether there are specific features of the device that the app may have access to and explain when and why this may occur. This may include sensors such as proximity readers, movement detectors, compasses, gyroscopes and accelerometers which may indicate what the user is doing, the direction of their travel and speed of their movement. It may also include use of the front and rear cameras of the device to access video or take photographs or use of the microphone to capture and record audio content. Then there is also the user's location that may be fixed through geolocation services.

Health screeningThe nature of the app may also say something about the user, for example, an app relevant to users with a specific health condition, sexual orientation or political persuasion may, by implication, collect sensitive information about those users, in which case, extra caution is needed.

Presenting the policy

The Working Party view is that app privacy policies should be set out in clear and plain language and that information about why personal data is being used and whether it may be reused by others should be upfront. Care should be taken to avoid providing 'elastic purposes' to describe the reason for using personal information such as 'product innovation' which tells the user nothing.

When presenting the policy, the information should be available and easy to locate both before the app is installed, (via the app store) and also after installation in the body of the app. The Working Party recognises that the small screen of a device may be a challenge in presenting information to the user but use of visual signifiers, icons, video/audio and layered notices and links are all supported as ways in which information can be made easy for a user to access and consume information on a smart device.

The Working Party points out that designing creative and innovative solutions in this area will clearly fall within the skill set of app developers. This may be particularly important in the case of apps targeted at children where use of simple and age related language will need to be considered alongside questions as to whether parental consent can be obtained and the importance of placing strict limitations around the collection and use of any information relating to children or members of their family.

Considering the bigger picture

Picture in galleryFinally, it may be necessary to consider how consistent the policy is with those the organisation uses across other channels such as a website. Where a single policy is used across all channels, it should remain clear to the user what data about them is collected and in what context. Where data about interactions with the user are collected across different media, then this should only be on the basis of a clear notice and the user's consent.

Read more on the Article 29 Working Party Opinion on apps in smart devices.

If you have any questions on this article or would like to propose a subject to be addressed by the Global Data Hub please contact us.

Touchscreen with apps
Sally Annereau

Sally Annereau      

Sally looks at guidance from the EU data protection regulators relevant to drafting privacy policies for mobile applications and the importance of making these clear and easy to access.

"The policy should point out whether there are specific features of the device that the app may have access to and explain when and why this may occur."