Accounting for privacy and properly managing PII in the development of mobile apps



It behooves mobile application developers to adopt privacy-aware best practices as part of their development processes. Privacy issues relating to mobile application development and deployment will continue to receive heightened state and federal regulatory scrutiny, and adopting such a methodology will help ensure that apps pass regulatory muster. Additionally, a privacy-aware ethos could emerge as a marketing advantage insofar as it promotes brand trust and loyalty with consumers.

To help mobile app developers adopt privacy-aware best practices, the California Attorney General, in January 2013, issued a consumer privacy guidance document for mobile application developers. The publication, “Privacy on the Go,” is a useful roadmap for developers to follow.

Privacy-aware checklist

As part of a privacy-aware development process, the California Attorney General suggests that mobile app developers begin with a data checklist. I have summarized the recommendations below, but recommend that readers review the entire report for a comprehensive understanding of the issues.

First, begin with an assessment of the personally identifiable information (PII) an app may collect:

  • Unique device identifier
  • Geo-location (GPS, WiFi, user-generated)
  • Mobile phone number
  • Email address
  • User’s name
  • Text messages or email
  • Call logs
  • Contacts/address book
  • Financial and payment information
  • Health and medical information
  • Photos or videos
  • Web browsing history
  • Apps downloaded or used

Then developers should create a matrix that records, for each type of PII, how it will be used. For each data type, the matrix should answer:

  • Is the data type necessary for the app’s basic functionality?
  • Is the data type necessary for business reasons (e.g., billing reasons)?
  • How will the data be used?
  • Will the data be stored offsite or on the device?
  • Will the data be shared with third parties (e.g., advertising networks, analytics companies, etc)?
  • Is the app directed to or likely to be used by children under the age of 13?

Next, developers should assess overall privacy practices. Developers should:

  • Be transparent: Make privacy practices available to users before the app is downloaded, make the governing privacy policy readily accessible from within the app, use enhanced measures to make users aware of data practices that are unexpected or involve sensitive information, and routinely communicate data-handling processes.
  • Limit data collection: Avoid or minimize the collection of PII and sensitive information, use an app-specific or non-persistent device identifier, allow users to control which PII is collected for uses that fall outside the scope of the app, explain the consequences of not allowing the collection of data, default to “privacy protective”, and understand nuances and legal obligations relating to apps targeting children under the age of 13.
  • Limit data retention: Do not retain data that can be used to identify a user beyond the time necessary to complete the app’s necessary functions.
  • Give users access: Develop mechanisms that give users the ability to access their PII and control how it is used.
  • Use security safeguards: Limit access to PII inside the organization, encrypt PII both in transit and at rest, mandate security measures for business partners and third parties, and comply with the Payment Card Industry Data Security Standard (PCI DSS) if the app collects payment information.
  • Be accountable: Review and update as necessary your privacy policy when the app is updated, maintain archived copies of previous privacy policies, train employees on privacy obligations, keep abreast of changes in state, federal, and international privacy laws and regulations.
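The “app-specific or non-persistent device identifier” recommendation is the one item in this list that comes down to an implementation choice, and it is worth seeing why a hashed hardware identifier does not satisfy it. The following is an added illustration, not code from “Privacy on the Go” or from this post; it is platform-neutral Python standing in for the Android/iOS app code, and the in-memory dictionary and the sample serial number are constructed stand-ins for an app's private storage and a real device identifier.

```python
import hashlib
import secrets
import uuid

# Constructed sample value standing in for a hardware identifier such as an
# IMEI or device serial number. It is not taken from any real device.
DEVICE_SERIAL = "35-209900-176148-1"


def hashed_hardware_id(device_serial: str) -> str:
    """The pattern to avoid: hashing a persistent hardware identifier.

    SHA-256 of the serial is deterministic, so every app (and every ad or
    analytics SDK embedded in those apps) that computes it on the same
    device obtains the same value. Hashing hides the raw serial but removes
    neither persistence nor cross-app linkability, and the user cannot
    reset it.
    """
    return hashlib.sha256(device_serial.encode("utf-8")).hexdigest()


class AppIdentityStore:
    """App-specific identifier kept in the app's own private storage.

    The dictionary models per-app private storage (hypothetical stand-in
    for SharedPreferences on Android or the app container on iOS). The
    identifier is random, so two apps on one device hold unrelated values,
    and the user can reset it at any time.
    """

    def __init__(self) -> None:
        self._storage: dict[str, str] = {}

    def app_instance_id(self) -> str:
        """Stable for this install only; generated on first use."""
        if "app_instance_id" not in self._storage:
            self._storage["app_instance_id"] = str(uuid.uuid4())
        return self._storage["app_instance_id"]

    def reset(self) -> str:
        """User-triggered reset: discard the old value and issue a new one."""
        self._storage.pop("app_instance_id", None)
        return self.app_instance_id()


def session_id() -> str:
    """Non-persistent identifier: a fresh random token per launch.

    Appropriate when events only need to be correlated within a single
    session and there is no business reason to recognise the user later.
    """
    return secrets.token_hex(16)


def demo() -> dict:
    """Compare the three identifier strategies on one simulated device."""
    app_a = AppIdentityStore()
    app_b = AppIdentityStore()

    # Two different apps hashing the same hardware serial: identical output.
    hash_seen_by_app_a = hashed_hardware_id(DEVICE_SERIAL)
    hash_seen_by_app_b = hashed_hardware_id(DEVICE_SERIAL)

    before_reset = app_a.app_instance_id()
    after_reset = app_a.reset()

    return {
        "hashed_id_linkable_across_apps": hash_seen_by_app_a == hash_seen_by_app_b,
        "app_ids_differ_across_apps": app_a.app_instance_id() != app_b.app_instance_id(),
        "app_id_stable_within_install": app_a.app_instance_id() == after_reset,
        "reset_changes_app_id": before_reset != after_reset,
        "session_ids_not_persistent": session_id() != session_id(),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

Every entry returned by `demo()` is `True`: the hashed hardware identifier is the same for both apps, while the app-specific identifiers are unrelated, survive only until the user resets them, and the session token never survives a launch. Platform-provided advertising identifiers that users can reset fit the same model; raw or hashed IMEI, serial or MAC values do not.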

After defining appropriate privacy practices, developers should describe them within the governing privacy policy. The California Attorney General recommends that developers:

  • Make the privacy policy easy to find: Make it conspicuous, accessible, and available to users before app download; consider linking to the policy within the app, and make the policy easy to read using clear and understandable plain language.
  • Describe data use and PII practices: The policy should describe the sharing, use, collection, disclosure, and retention of PII data.

Finally, for apps that collect sensitive information or PII not related to the basic functionality of the app, developers should supplement their app notification processes and general privacy policy with enhanced measures designed to alert users. In this case, developers should consider:

  • Special notices: Use special notices for functionality not necessary to the core operation of the app; when accessing text messages, call logs, and similar data; when a change in process results in a different set of disclosures or data sharing; and when collecting sensitive information (e.g., precise geo-location).
  • Special notices verbiage: Deliver special notices in context, explain the intended use, provide users an easy way to allow or disallow the collection of the data, include a link to your privacy policy.
  • Short privacy statement and controls: Consider giving users ready access within the app to privacy controls via a dashboard and include a method to revoke prior choices.

Published August 21st, 2013 | Big Data, Digital - Mobile Blog, Privacy
