It behooves mobile application developers to adopt privacy-aware best practices as part of their development processes. Privacy issues relating to mobile application development and deployment will continue to receive heightened state and federal regulatory scrutiny, and adopting such a methodology will help ensure that apps pass regulatory muster. Additionally, adopting a privacy-aware ethos could emerge as a marketing advantage insofar as it promotes brand trust and loyalty with consumers.
To help mobile app developers adopt privacy-aware best practices, the California Attorney General issued a consumer privacy guidance document for mobile application developers in January 2013. The publication, “Privacy on the Go,” is a great roadmap for developers to follow.
As part of a privacy-aware development process, the California Attorney General suggests that mobile app developers begin with a data checklist. I have summarized the recommendations below, but recommend that readers review the entire report for a comprehensive understanding of the issues.
First, begin with an assessment of the personally identifiable information (PII) an app may collect:
- Unique device identifier
- Geo-location (GPS, WiFi, user-generated)
- Mobile phone number
- Email address
- User’s name
- Text messages or email
- Call logs
- Contacts/address book
- Financial and payment information
- Health and medical information
- Photos or videos
- Web browsing history
- Apps downloaded or used
Then developers should create a matrix of how each type of PII will be used, answering questions such as:
- Is the data type necessary for the app’s basic functionality?
- Is the data type necessary for business reasons (e.g., billing reasons)?
- How will the data be used?
- Will the data be stored offsite or on the device?
- Will the data be shared with third parties (e.g., advertising networks, analytics companies, etc.)?
- Is the app directed to or likely to be used by children under the age of 13?
Next, developers should assess overall privacy practices. Developers should:
- Limit data collection: Avoid or minimize the collection of PII and sensitive information, use an app-specific or non-persistent device identifier, allow users to control which PII is collected for uses that fall outside the scope of the app, explain the consequences of not allowing the collection of data, default to “privacy protective”, and understand nuances and legal obligations relating to apps targeting children under the age of 13.
- Limit data retention: Do not retain data that can be used to identify a user beyond the time necessary to complete the app’s necessary functions.
- Give users access: Develop mechanisms that give users the ability to access their PII and control how it is used.
- Use security safeguards: Limit access to PII inside the organization, encrypt PII both in transit and in storage, mandate security measures for business partners and third parties, and comply with the Payment Card Industry Data Security Standard if the app collects payment information.
- Describe data use and PII practices: The policy should describe the sharing, use, collection, disclosure, and retention of PII data.
- Special notices: Use special notices for functionality not necessary to the core operation of the app, for access to text messages, call logs, etc., for a change in practice that results in a different set of disclosures or data sharing, and for the collection of sensitive information (e.g., precise geo-location).
- Short privacy statement and controls: Consider giving users ready access within the app to privacy controls via a dashboard and include a method to revoke prior choices.