Its two months since the ICO released some advice to app developers regarding the use of privacy policies within “apps”. The release of the advice was timely given the huge surge in apps downloaded during the run up to Christmas (including 328 million apps downloaded on Christmas Day 2012 alone).
Apps and privacy collide
However, the practice of linking to a set of privacy terms within the website doesn’t really lend itself to the world of app development and use. Having a long and cumbersome document doesn’t really fit into the immediacy of apps and the mobile world in general, where small screens and intuitiveness reign supreme. If you can’t find, download, install and start using an app within the space of 30 seconds, then it’s an uphill struggle.
Apps are not exempt from the requirements under the Data Protection Act. Therefore, how can developers address the requirements of privacy and the use of a users personal data within apps, while at the same time retain the immediacy required to ensure the app retains the best possible chance of success. The ICO’s guidance looks to address some of these issues by giving advice as to how privacy policies should be updated for the mobile app world.
Cards on the table…
The advice tackles the issue of informing users about what happens to their personal data if they install and use the app. This goes to the heart of the first principle of the Data Protection Act, which looks to ensure that processing of personal data remains fair. To be fair, a user must have been given adequate information regarding the processing and its purpose. As mobile phone/tablet technology develops, apps will always look to find ways to use such technology in interesting and innovative ways. This means more reasons to access the personal data on your phone.
The ICO therefore set out a few key points to consider when providing notices to users around how the app uses the data:
– use plain English;
– know your audience – use language understandable to your likely users;
– make the information available as soon as possible. Ideally, information should be available before download of an app. However, a long privacy document is unlikely to be welcome, so giving structure to the information is key. The ICO recommends summarising the most important provisions, with the rest of the information provided in a readily available manner. This other information could be provided by way of a link, for example (it could be that this is through a link to the rest of the terms);
– be open about the data you collect and what you are using it for. The better understanding a user gains as to what their personal data is being used for, the more unlikely the user will raise a complaint.
The ICO goes on to clarify that app developers are not expected to notify a user about the collection of data if it was not obvious what that data would be used for. The ICO gives the example of an app that handles the delivery of orders, which would obviously require a user’s address details.
Just in time…
The ICO also advocates the use of “just in time” notifications, being notices that pop up just before a user’s data is accessed. The notification would need to clearly state:
– what the app is trying to do; and
– give the user a clear choice as to whether they want to go ahead with the function requested.
The choice can also be “remembered” by the app, but developers should note that this does not mean that consent is provided for an indefinite period of time. Although the ICO doesn’t go into specifics, the advice does make clear users would have to be reminded about their choice from time to time.
Just in time notifications fit in well with the app world, and provide developers with easy and intuitive ways of keeping users up to date with how their data is being accessed and used as their app is updated to find new ways of using a phone’s features. However, this shouldn’t be relied on as the “one stop shop” for privacy notifications. As the guidance suggests, so far as is possible, notifications should be given prior to any download of the app.
What’s privacy without security…?
One of the key provisions of the Data Protection Act is that data controllers have in place appropriate and organisational measures against unauthorised or unlawful processing. The ICO guidance includes a section on keeping the data secure once collected, including using tried and trusted cryptographic methods and being aware of the particular vulnerabilities associated with mobile apps, including inter-app injection flaws and a failure to properly check SSL/TSL certificates.
The advice can be read in full on the ICO website.
Although most users of your website will not read your terms, this is an important part of your business. Having to argue in court is expensive, so a little investment to avert the risk is a pragmatic approach. This article highlights some of the most common points which your terms should cover so that the risks explained below do not crystallise.
If your business involves sending personal data outside the UK and EEA, you may be aware of the need for a transfer risk assessment (TRA) to demonstrate that you have properly considered and mitigated any associated risks.
When it comes to commercial negotiations, they often don’t turn out the way you had hoped and then there is no going back. Instead of struggling on your own, losing a lot of management time and still not being sure you have got the best deal, let us negotiate for you.