A survey by the Global Privacy Enforcement Network has found that of over 1,200 mobile apps reviewed 85% failed to explain to users how they were collecting, using and disclosing personal information.
The Global Privacy Enforcement Network comprises privacy regulators in various countries around the world. As part of the survey, the UK’s Information Commissioner’s Office reviewed 50 of the top apps released by UK developers (though it is unclear how that “top 50” was determined).
Other issues identified by the survey include:
- 59% of apps left users struggling to find basic privacy information
- Almost 1 in 3 apps appeared to request an excessive number of permissions to access additional personal information
- 43% of the apps failed to tailor privacy communications to the small screen, either by presenting the information in print that was too small, or by hiding it in lengthy privacy policies that required scrolling or clicking through multiple pages
The issues identified by the survey point to a number of areas of potential non-compliance with EU privacy laws, including the requirements to provide fair notice of processing, to obtain freely given user consent, and not to process excessive amounts of data.
Mobile apps and privacy
I’ve blogged before about mobile apps and privacy. As I said in that post, there are a number of reasons why many mobile apps are failing to properly address privacy issues:
- The market is immature, with many apps developed by individuals or small companies not familiar with privacy laws, but whose products have become hugely popular.
- The distribution model is fragmented and apps frequently incorporate third party services (for example, mapping data) into their functionality. SDKs and OS developer rules impose strict controls on developers, yet they don’t always provide the necessary tools to ensure that developers adopt privacy by design (iOS 8 is notable for including a number of new tools and user prompts and controls, which should help to improve user privacy in apps).
- The mobile app market has developed at the same time as a vast expansion in the data created by devices, such as geolocation data.
- Many app developers are located outside the EU and are therefore unfamiliar with European privacy rules, despite the fact that they are selling their apps to users in the EU through global app stores.
In the UK, the ICO has also released a guide to Privacy in Mobile Apps (PDF).
The guide covers issues such as the importance of a privacy impact assessment, user notices and consent and just-in-time notification, and the sharing of data with third parties. It also includes examples of good and bad practice. If you are involved in app development, or commissioning mobile apps, then it is well worth reading.
If you are involved in the development or commissioning of a mobile app, and would like to understand more about your obligations under data privacy laws, please get in touch.
The ICO has also published guidance for users of smartphones and mobile apps to help them understand what they can do to better protect their privacy.
On September 17, 2014