IP, Technology & Data

California’s attorney general last week announced a new rule, seemingly agreed with the major apps vendors (Apple, Google/Android, RIM, Windows, HP and Amazon), requiring mobile apps to have in place clearly displayed privacy policies.

Of course, for those of us in Europe, this is nothing new; European data protection laws have required this for years.

However, to date many app providers have paid little attention to privacy rules.

I think this is down to a number of factors:

  • Apps are generally sold through app stores operated by Apple, Google and Microsoft etc – but these companies only act as agents in the sale. When you buy an app, you are buying a licence from the company that made the app – not Apple/Google etc (unless it is one of their own apps). The app store providers are not responsible for that app or how it is used. They just provide the app store infrastructure and provide payment processing services;
  • The app store environment has made it very easy for anyone to create and sell apps – a genuine cottage industry, where a niche app can suddenly become very successful. But many small start-ups will launch an app without properly considering legal and regulatory requirements;
  • App stores tend to operate on a global basis. This means that most app providers are unlikely to be aware of local law requirements in many of the countries in which their app is sold. Use of Apple’s App Store in the UK may be subject to UK specific terms and conditions, but the licence governing the user’s use of the app will often still be subject to US law, with little attention paid to local laws.

In relation to this last point, data protection law is a good example. There is currently some debate as to whether or not cookies deployed by websites hosted outside the EEA are subject to EU data protection rules. The position is analogous for apps sold by providers outside the EEA. As part of the proposed reform of EU data protection law, the European Commission is pushing to make clear that EU data protection laws will apply to all websites and apps used by users in Europe – even where the website or app provider is located outside the EEA.

As I note above, app store providers are not generally responsible at law for ensuring that apps on their platform comply with data privacy rules. That responsibility lies with the provider of the app itself. However, it seems that recent incidents (for example tracking of geolocation data and uploading of address books) have led the Californian Attorney General to go after the people best placed to force app providers to improve the privacy of their apps. We can assume that following this undertaking privacy settings will now form part of the app approval process.

So what should I do if I am designing an app?
First of all, you should have in place a privacy policy, which sets out what information your app collects, what is done with that information, why it is collected, and who it is disclosed to.

However, it’s not enough to simply provide a privacy policy.

  • The privacy policy needs to be written in a way that is clear and transparent.
  • Particular consideration needs to be given to sharing of data with third parties and ensuring that the third party’s privacy policy is incorporated and accepted – for example, an app that overlays data on a Google Maps interface.
  • The user’s informed consent needs to be obtained. The privacy policy cannot be hidden deep in the app. Some revised rules on obtaining consent were issued last year.
  • In particular, if the app collects/uses geolocation data then you need to consider how consent is obtained from the user.

Do you need to collect the data in the first place?
In her speech announcing the new rules, the Californian Attorney General said that the new rules do not change what a mobile app can or cannot do, but instead simply require the app to be upfront about what it is doing.

This may be the case under Californian privacy law, but one of the key principles of European data protection legislation is that the data collected is not excessive, and that the processing is fair and lawful. This means that you need to consider whether the data that you are collecting and the processing that you are carrying out is reasonable – do you need to track a user’s location or upload his address book just because you can? You can’t simply rely upon a user’s consent.

Privacy by design
Finally, app developers should bear in mind forthcoming changes in EU data protection laws.

Under the proposed EU regulation, the requirement for privacy by design/privacy by default will be formalised. Under this concept, data controllers should design their systems (such as apps and websites) so that privacy is considered from the outset and the default setting is that the minimum amount of data is collected from the user, unless he agrees otherwise. If privacy by design is considered from the outset, then many potential privacy issues can be avoided.

PS I’m pleased to see that the GSMA have just endorsed my recommendations that app designers take heed of the Commission’s privacy by design initiative, with the launch of new app privacy guidelines for apps developed by GSMA members. The guidance is well worth reading if you are involved in app development.
