New UK guidance on making mobile apps privacy compliant

Katharine Alexander

With privacy and security concerns about apps regularly in the headlines, developers and brands commissioning mobile apps should factor in the important new guidance issued recently by the ICO. The guidance and practical illustrations are also relevant to other online platforms e.g. smart TVs and games consoles.

The Information Commissioner’s Office (ICO) has recently released guidelines for app developers to help them ensure apps comply with data protection laws. The guidance was released in the run-up to Christmas – when app sales soar (the ICO cites the statistic of 328 million apps downloaded in the UK on Christmas Day 2012). The guidance is timely, with privacy a worldwide concern: in the US, the SpongeBob Squarepants app and Jay-Z’s Magna Carta app are two recent examples which have attracted adverse attention over alleged lack of privacy compliance, while in the UK security vulnerabilities in the SnapChat app have been in the news. With app based games aimed at children currently under the scrutiny of the UK consumer enforcement authorities (see this article), the regulation of apps looks set to continue to be a hot topic in 2014.

Why the new guidance? Who needs to comply?

Launching the new guidance, the ICO’s office cites a survey (of 2,275 people) by YouGov, which has shown that 62% of app users are concerned about data security, and 49% have decided not to download an app due to data privacy worries. As described by Simon Rice (Group Manager at the ICO for the technology team) in his blog, this statistic demonstrates that compliance with the guidance makes commercial sense for app developers, as well as reducing legal risk.

The ICO’s guidance emphasises the need for privacy to be factored in at the design stage – and not just an afterthought addressed in a privacy policy. The Data Protection Act 1998 is technology neutral, and applies just as much to online activities such as apps as to offline data collection. What is valuable about the ICO’s very practical new guidance – and the numerous worked illustrations which run through it – is that it applies the principles of the DPA very specifically to the mobile app context. The document seeks to address some of the particular challenges of privacy compliance for apps – including space constraints, and the range of personal data to which apps typically have access and which makes privacy such a concern, such as access to a user’s location, the microphone, emails, SMS and contacts.

Datonomy readers may recognise that the ICO’s guidance is a more user-friendly version of the 30 page opinion published in February 2013 by the EU’s Article 29 Working Party (the body made up of national data protection regulators). That Opinion looked not only at compliance issues for developers, but also for OS and device manufacturers, app stores and other parties in the app ecosystem.

As Datonomy readers will be aware, the ICO guidance does not have the force of law, but is in effect a benchmark for compliance with existing rules in a particular context. With such targeted guidance available, it will be more difficult for organisations deploying apps to plead ignorance of their legal obligations.

All organisations and individuals involved in the development and use of apps should review current and new apps for privacy compliance in the light of the new guidance. Aspects of the guidance – particularly in relation to providing information and gaining consent – will also resonate with other online services, such as games consoles and smart TVs.

As with all data protection issues, a party’s exact compliance obligations will depend on understanding exactly what personal data is involved, who is the data controller and what the risks to individuals’ privacy are. Developers and commissioners therefore need to consider these issues at the design stage in order to minimise and manage their legal risk – and preserve the commercial value of customer data collected.

Basic DP concepts applied to the app ecosystem: personal data; data controllers

The most fundamental question is what – if any – personal data the app is processing. Personal data is anything which can identify, or together with another piece of information to hand can identify, a living individual. In the mobile environment, this can extend from something obvious such as a name or address, to something more specific such as a device IMEI number. The guidance gives useful illustrations and suggestions for data minimisation in order to reduce risk.

The next key issue is to identify the data controller (or data controllers) in the particular app scenario, since legal liability rests with them. This is the person or organisation who decides how personal data is dealt with. The guidance provides useful analyses of who may be the data controller in various scenarios, including social media apps, reviews and ad funded games. This will always be fact dependent. The guidance includes a reminder that the data controller(s) will be subject to the full range of normal DPA obligations e.g. registration with the ICO; transparency information; and the requirement to respond to data subject access requests. Where personal data is shared with another entity which processes it on the controller’s behalf, the normal requirements for minimum contractual protections apply. Controllers must also be careful to demonstrate adequate protection when transferring data outside of the EEA.

What data to collect

The guidance on collecting data via apps includes:

  • only collect the minimum data necessary for the app to perform its function;
  • never store data for longer than necessary;
  • pay extra attention if the app is aimed at children not old enough to understand the significance of providing personal data;
  • allow users to permanently delete their personal data and account; and
  • ensure you have informed consent to collect usage or bug report data, otherwise use anonymised data. If using anonymised data, ensure that the minimum data necessary is still the first step, and anonymise from there.

The ICO recommends data controllers use a privacy impact assessment to ensure compliance.

Informing users and gaining consent – good practice for privacy notices

Complying with the DPA Principles on information and consent poses particular challenges in the mobile environment, where space constraints and consumers’ expectations of convenience and user friendliness make it impracticable to provide detailed privacy notices. To meet these requirements despite those constraints, app developers should:

  • use plain English;
  • use language appropriate for the audience (e.g. children);
  • clearly explain the purpose of collecting the personal data;
  • make privacy information available as soon as possible before the app begins to process personal data; and
  • use a layered approach – detailing the key points in summary, with access to more detail if the user wants it. Containing a privacy policy in one large document may be difficult for a user on a mobile app, on a small screen.

The guidance provides a number of very useful, short, privacy notices which illustrate how information and consent requirements can be complied with, despite the challenges.

The guidance also gives more specific advice, such as:

  • use colour and symbols;
  • highlight unexpected or onerous actions and highlight differences between platforms;
  • make use of just-in-time notifications, which are provided immediately before the data is processed, for example when requesting to use someone’s location for GPS, or when using new features of an app for the first time; and
  • ensure consent is obtained if the app passes data onto any other organisations, ensure it is clear if the app is supported by advertising, and give information on any analytics used.

It is always important to be as clear and transparent as possible. However, there is no need to state the obvious to a reasonably-informed user. The ICO uses an example of an app used to deliver orders – the need for a delivery address is obvious. They also state that if the information is given in the app store, there is no need to repeat this at a later stage (unless onerous or unexpected, as above).

Users should also be given an element of control over the use of their data – with granular options, and ensuring it is easy to review and change personal data settings from one obvious settings location.

Good data security practice for apps

The 2 pages devoted specifically to security include the following recommendations – highlighting that developers should adhere to up to date good security practices both in design of the app, and of the central servers the app communicates with:

  • ensure passwords are appropriately salted and hashed on any central server;
  • use encrypted connections for usernames, passwords and sensitive information;
  • use tried and tested cryptographic methods;
  • avoid writing new code where well established implementations can be used instead; and
  • take particular care where the app accesses data from other apps or locations.

The guidance also highlights examples of vulnerabilities specific to mobile apps, for example inter-app injection flaws, and failing to check or misconfiguring SSL/TLS.
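As an added illustration (this is not code from the ICO guidance or from this article), the following Python sketch puts two of the security points above into working form: storing a password as a salted PBKDF2 hash on the server and verifying it with a constant-time comparison, and building a TLS client context that actually verifies the server certificate and hostname, with a small audit function that flags the “verification switched off” misconfiguration the guidance warns about. The function names, the stored record format, the iteration count and the sample password are my own assumptions, chosen for the example.

```python
import hashlib
import hmac
import os
import ssl
from typing import Optional

# Work factor and salt length are illustrative assumptions; tune the iteration
# count upward for real deployments and review it periodically.
PBKDF2_ITERATIONS = 200_000
SALT_BYTES = 16
HASH_ALGO = "pbkdf2_sha256"


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Hash a password with a per-user random salt.

    Returns a self-describing record "pbkdf2_sha256$<iterations>$<salt>$<hash>"
    (hex-encoded), so the parameters can be raised later without breaking
    existing accounts. A fresh salt is drawn from os.urandom unless one is
    supplied (supplying one is only useful for deterministic tests).
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"{HASH_ALGO}${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Re-derive the hash from the stored salt and compare in constant time."""
    try:
        algo, iterations, salt_hex, hash_hex = record.split("$")
    except ValueError:
        return False  # malformed record: never treat as a match
    if algo != HASH_ALGO:
        return False
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    # hmac.compare_digest avoids leaking how many leading bytes matched.
    return hmac.compare_digest(dk.hex(), hash_hex)


def tls_client_context() -> ssl.SSLContext:
    """Build a client context that verifies the server certificate and hostname.

    create_default_context() loads the platform trust store and enables
    hostname checking; the minimum version is pinned explicitly so the
    behaviour does not depend on the Python/OpenSSL build in use.
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def tls_context_is_safe(ctx: ssl.SSLContext) -> bool:
    """Audit check: would this context reject an untrusted or mismatched cert?"""
    return bool(
        ctx.check_hostname
        and ctx.verify_mode == ssl.CERT_REQUIRED
        and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2
    )


def misconfigured_tls_context() -> ssl.SSLContext:
    """The misconfiguration the guidance warns about, reproduced only so the
    audit check has something to flag: verification silenced to "make it work"."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


if __name__ == "__main__":
    # Sample password is constructed for the demonstration.
    record = hash_password("correct horse battery staple")
    print("stored record:", record)
    print("login ok:", verify_password("correct horse battery staple", record))
    print("wrong password:", verify_password("not the password", record))
    print("default context safe:", tls_context_is_safe(tls_client_context()))
    print("silenced context safe:", tls_context_is_safe(misconfigured_tls_context()))
```

The stored record carries its own algorithm and iteration count, which is what lets a server raise the work factor over time and re-hash accounts on their next successful login; the audit function is the kind of check a code reviewer or a unit test can run against every context an app creates, so that a “temporary” `CERT_NONE` never ships.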

Other important legal compliance issues

In addition to compliance with data protection principles, the guidance provides a helpful checklist of the consumer protection rules which  app developers must also comply with:

Datonomy comment

As the ICO’s press release reminds us, ‘compliance is not a bolt-on included in the final phase of a product’s development, but is an aspect of an app’s design that should be considered at the start of the process’.

Datonomy agrees – and the ICO’s targeted guidance and illustrations are certainly a step in the right direction. Datonomy readers may also be interested in this recent article by our colleague Matt Pollins which looks at the wider legal landscape for the growth of the app.
