The market for mobile applications (or mobile apps for short) is growing rapidly and, as a result, people are becoming more worried about the amount of information mobile apps are able to collect and use.


The Privacy Sweep

In May 2014, the Global Privacy Enforcement Network (GPEN), a network of 26 data protection and privacy enforcement authorities from around the world, carried out a Privacy Sweep.

GPEN Logo

Given the growth of mobile apps and their use of personal information, it was clear that this "Privacy Sweep" should focus on the privacy practices of mobile apps. GPEN looked at 1,200 mobile apps from all over the world and analyzed what permissions these apps were seeking from users, e.g. use of the camera, use of location, use of the microphone.

Both mobile app marketplaces and mobile app developers should look at their current practices and how their practices can be improved based on the findings from this "Privacy Sweep" by GPEN.

Mobile apps are bought from marketplaces. The best-known mobile app marketplaces are Google's Play Store and Apple's App Store.

This is what Google's Play Store looks like:

Screenshot of Google Play Store

This is what Apple's App Store looks like on an iPhone:

Screenshot of Apple App Store

The "Angry Birds Seasons" mobile game asks the user for access to the mobile device's system tools, storage, location and phone calls. Here's how the game requests these permissions before the user downloads the app:

Permissions asked by Angry Birds app

The link to the Privacy Policy of the Angry Birds Seasons app is located under the "Developer" tab:

Privacy Policy Link of Angry Birds App

A permission request can also appear as a pop-up at the moment the app needs the permission. Here's how the Skype app asks for permission to use the camera:

Camera Permission from Skype App

Because the iOS permission dialog doesn't allow it, Skype doesn't link to its Privacy Policy agreement from that request.

On iOS, the privacy permissions for each individual app can be managed from the iPhone "Settings" screen:

Apple Privacy Permissions in Settings

What GPEN wanted to find out was whether the permissions these apps were asking for went beyond what a user would reasonably expect, given what the app is used for.

For example, consider this permission request from the "Google Maps" app:

Location Permission from Google Maps App

It's clear and expected that a mobile app focused on maps will ask permission for the user's location. But what about other apps? Do they need to ask for the user's location information?

Mostly, yes. If you ask for location data, update your Privacy Policy to inform users about it.

GPEN also investigated the way the apps explained their reasons for needing particular permissions and what they were planning to do with the data they collect.

Results from the Privacy Sweep

A high proportion of the apps examined in the sweep (75%) requested one or more permissions. The permissions that were asked for most often were location, device ID, access to other accounts, camera, and contacts.

In Canada, 26% of the apps reviewed either had no Privacy Policy agreement at all or contained one which was found to be problematic with regards to how the mobile app developer was going to collect, use and share personal information.

Yet Canada's PIPEDA requires a Privacy Policy for a mobile app if the app collects personal data from its users.

In Ireland, over half of the mobile apps analyzed were found to provide insufficient privacy information. Many apps were requesting data that could be considered sensitive under certain laws.

This shows how important it is for mobile apps to become more straightforward and open about their privacy practices. Other apps were requesting location data without giving any reason for needing it.

In fact, for 31% of the mobile apps analyzed in the "Privacy Sweep", the GPEN members involved could not work out why certain permissions were being requested, even after reading the app's entire privacy policy.

43% of the apps that did have Privacy Policy agreements had not formatted their agreements for a small phone screen. This meant that they were often unreadable: the text was too small, and the user had to scroll through several screens to read the whole legal agreement.

What this means

For mobile marketplaces

Following this "Privacy Sweep", data protection authorities from all over the world wrote an open letter to these mobile app marketplaces (Apple's App Store, Google's Play store) asking them to make the links to the Privacy Policy agreements of each mobile app collecting personal information compulsory.

This letter was only addressed to the main marketplaces like Apple and Google, but the DPAs emphasized that their suggestions were "intended for all stakeholders that operate an app marketplace."

If you're developing a marketplace for mobile apps, these suggestions may apply to you too.

As a mobile developer, this means that you need to have a Privacy Policy agreement even if you don't collect any personal data.

What the DPAs were most worried about were the mobile apps that didn't have a Privacy Policy agreement but were collecting personal data anyway. This is why marketplace owners must notify developers that it's mandatory to have the legal agreement posted online and made available to users.

As a marketplace owner, you should make sure that you have implemented a way for mobile app developers to add the link to their agreement. Then, the link must be visible for all users.

Here's how Facebook shows the link to the Privacy Policy of a developer that has an app published in Facebook's App Store or that uses Facebook's APIs:

Buffer Login Dialog

This is actually a requirement from Facebook: all apps on Facebook must have a Privacy Policy.

Most marketplaces - for mobile apps or otherwise - display useful information to users, such as ratings, download size, app version and reviews. In this kind of section, make it a requirement for the developer to link to their Privacy Policy agreement.

For mobile app developers

As a mobile app developer, you should make sure that you're informing your users about your privacy practices before they download your mobile app.

This is done through the "Privacy Policy" agreement that must be made available to all users, regardless if they are logged-in or not, if they have downloaded your mobile app or not.

Apple's App Store requires a Privacy Policy for all iOS apps. Google's Play Store also requires the Privacy Policy for all Android apps.

Seek sensitive personal information, such as location data, only when you need it, and inform users why you're requesting that information. Make sure that the legal page is properly sized for small mobile screens so that it is readable.

Here's a screenshot of a Privacy Policy agreement that has a readable font which is adapted for mobile screens:

Privacy Policy Font on Mobile Screen

GPEN's "Privacy Sweep" found that the best practice for a mobile app's Privacy Policy agreement was to use a combination of larger fonts, pop-ups, layered information, and just-in-time notification of data collection (the app informed users when the collection was about to happen).
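The two recommendations above, request sensitive data only at the point of use and tell the user why before the system dialog appears, translate directly into how an app is wired. The following Android example, added here and not taken from any of the apps or authorities discussed in this article, shows a hypothetical store-locator screen that leaves location untouched at launch, explains the purpose in its own dialog the moment the "near me" feature is used, links to the Privacy Policy from that dialog, and degrades gracefully if the user declines. `StoreLocatorActivity`, `showNearbyStores`, `showNearbyStoresWithoutLocation` and the policy URL are assumptions for the example; the permission and AndroidX APIs are real.

```kotlin
import android.Manifest
import android.content.Intent
import android.content.pm.PackageManager
import android.net.Uri
import android.os.Bundle
import androidx.activity.result.contract.ActivityResultContracts
import androidx.appcompat.app.AlertDialog
import androidx.appcompat.app.AppCompatActivity
import androidx.core.content.ContextCompat

// Hypothetical screen that lists stores and can optionally sort them by distance.
// AndroidManifest.xml must also declare:
//   <uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION" />
class StoreLocatorActivity : AppCompatActivity() {

    // Placeholder: replace with the app's own, mobile-formatted Privacy Policy page.
    private val privacyPolicyUrl = "https://example.com/privacy"

    // Coarse location is enough to find nearby stores; asking for fine location
    // would be more than the feature needs (data minimisation).
    private val locationPermission = Manifest.permission.ACCESS_COARSE_LOCATION

    // Registered once per activity; the callback receives the user's decision.
    // If the user previously denied permanently, the system returns false
    // without showing a dialog, and the fallback path runs.
    private val locationPermissionRequest =
        registerForActivityResult(ActivityResultContracts.RequestPermission()) { granted ->
            if (granted) showNearbyStores() else showNearbyStoresWithoutLocation()
        }

    override fun onCreate(savedInstanceState: Bundle?) {
        super.onCreate(savedInstanceState)
        // Deliberately nothing here: no permission is requested at launch,
        // only when the user actually triggers the feature that needs it.
    }

    // Called when the user taps "Stores near me".
    fun onFindNearbyClicked() {
        val alreadyGranted = ContextCompat.checkSelfPermission(this, locationPermission) ==
            PackageManager.PERMISSION_GRANTED
        if (alreadyGranted) {
            showNearbyStores()
        } else {
            // Just-in-time notice before the system prompt: what is collected,
            // why, and where the full policy lives.
            showLocationRationale()
        }
    }

    private fun showLocationRationale() {
        AlertDialog.Builder(this)
            .setTitle("Use your approximate location?")
            .setMessage(
                "We use your approximate location only to list stores near you. " +
                    "It is used on your device for this search and is not shared " +
                    "with third parties."
            )
            .setPositiveButton("Continue") { _, _ ->
                locationPermissionRequest.launch(locationPermission)
            }
            .setNegativeButton("Not now") { _, _ -> showNearbyStoresWithoutLocation() }
            .setNeutralButton("Privacy Policy") { _, _ ->
                startActivity(Intent(Intent.ACTION_VIEW, Uri.parse(privacyPolicyUrl)))
            }
            .show()
    }

    // Assumed feature code: list stores sorted by distance to the user.
    private fun showNearbyStores() {
        // ... query the location once, sort the store list, render it ...
    }

    // Assumed fallback: the feature still works, e.g. by letting the user
    // type a city or postcode, so declining the permission is a real choice.
    private fun showNearbyStoresWithoutLocation() {
        // ... show the store list with a manual search field ...
    }
}
```

The design choice to check: the app's own explanation is shown every time the permission is still missing, rather than only when `shouldShowRequestPermissionRationale` says so, because that Android helper returns false on the very first request, which is exactly the moment the sweep's "just-in-time" finding says users most need the explanation.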

GPEN's analysis of these 1,200 mobile apps found that the most popular apps in the marketplaces were the ones with properly explained privacy practices and permissions.

Both large and small app developers are embracing the potential to build user trust by providing clear, easy to read and timely explanations about what information they will collect and how they will use it. Others are missing that opportunity by failing to provide even the most basic privacy information.


This quote from Commissioner Therrien of the Office of the Privacy Commissioner of Canada highlights and sums up just how important having clear legal agreements is for maintaining a good and trusting relationship with your users.

Path Logo

One of the biggest mistakes developers make when they create a mobile app is to treat the legal documentation as an afterthought. Who enjoys reading a lengthy, jargon-filled Privacy Policy anyway?

However, this seemingly unimportant detail can actually cost you a lot of money, or even your business. Case in point: Path.

The FTC fined the photo-sharing and messaging service Path $800,000 because of two huge mistakes: storing third-party names and numbers from users' address books without proper disclosure, and failing to comply with the provisions of COPPA, a law that applies to every app that knowingly collects information from children who are 13 years of age and below.

Canada Flag

The Office of the Privacy Commissioner of Canada published a list of "10 Tips for Communicating Privacy Practices to your App's Users" that covers 3 key issues:

Transparency

  • Be specific
  • Speak to your audience
  • Tailor to the environment: mobile, website etc.

Requesting and collecting data

  • Describe how your mobile app uses the permissions it seeks
  • Explain the data you gather through social media logins
  • Permission to access is not necessarily consent to collect, use or disclose

Accessibility of the privacy policy

  • Provide a privacy policy, even if you don't collect any personal information
  • Include the privacy policy and/or a link to it, in your mobile app directly
  • Allow individuals to visit the Privacy Policy at any time

FTC Logo

The FTC in the US suggests a "Privacy by Design" approach. It encourages companies to consider the privacy of their users at every stage of their app's development.

This implies 3 things:

  1. Make sure the data you collect stays secure. Do not promise anything you don't intend to keep, and avoid generic reassuring statements.
  2. Before you build an app or add a new feature, think about its impact on privacy.
  3. Keep your Privacy Policy updated to address changes brought by new features and updates.

To summarize:

  • As a marketplace, ensure that developers have a place from where they can add the necessary links to their legal agreements. Even go so far as to make it mandatory for these developers to do so.
  • As a developer, make sure your legal agreements are available on your app's page on the marketplace website or app screen, on your website and throughout the app itself whenever you are requesting permissions from your users. Adapt these legal agreements for mobile screens to make it easier to read.
