In December 2013, the United Kingdom’s Information Commissioner’s Office (ICO) issued “Privacy in Mobile Apps – Guidance for App Developers.”[1] According to the ICO, the guidance is not only relevant for apps used on mobile devices such as smartphones and tablets, but also for “other devices using similar app technology, for instance living-room devices such as smart TVs or games consoles.”
The guidance is addressed to organizations developing apps for the UK market, regardless of their location. However, it addresses key EU privacy issues and may be useful for any organization developing apps for individuals located in the European Union (EU). In addition, the ICO guidance should be read together with the opinion on mobile apps issued by the Article 29 Working Party (the body of European data protection regulators) in March 2013, a summary of which we have provided here.[2] Listed below are the key takeaways and recommendations from the guidance.
Takeaways and Recommendations
- Unique device identifiers can be personal data: Under EU data protection law, personal data is interpreted broadly and may include information that is not limited to traditional identifiers such as an individual’s name or photograph. According to the ICO, “a good example in the mobile environment would be a unique device identifier such as an IMEI number: even though this does not name the individual, if it is used to treat individuals differently it will fit the definition of personal data.” The ICO notes that when an app developer is uncertain about whether the data is personal, it would be simpler to treat it as personal from the start.
- Who is the data controller?: Under EU data protection law, data controllers are those that define the purposes and the means of the processing. They are generally responsible for ensuring compliance with data protection law (including filing a registration with the ICO and responding to subject access requests), even if they contract out tasks such as hosting. For example, the providers of apps such as social media apps and advertisement-funded games, which decide how personal data is handled, will likely be data controllers. App developers are unlikely to be data controllers if the app code runs solely on a mobile device and does not collect or transfer data elsewhere. According to the ICO, when developing an app on behalf of a client, “you may well not be a data controller,” but rather a data processor. “If this is the case, expect the client to insist on a written contract which covers appropriate security measures.”
- Minimum data necessary: Apps should not collect and process more data than the minimum necessary to perform the tasks of the app. According to the ICO, “collecting data just in case you may need it in the future is bad practice, even when the user has consented,” and it also increases the risks of accidental loss or misuse of the data. When designing the app, the ICO suggests considering the data types the app might access, collect, or transmit, and how these could affect a user of the app. In addition, “you should aim to use the least privacy-intrusive data possible.” For example, ensure that a social media app by default strips out unnecessary metadata (e.g., creation date, location) from each image before uploading it. If an app uses GPS location services to recommend activities near the user’s location, design the app so that the device itself determines the town closest to the user’s location and sends only that, thus avoiding the need to send the user’s exact GPS coordinates back to the central server. Users who want results based on their accurate location can change the default behavior. Finally, users should be able to permanently delete their personal data and any account they may have set up.
- Privacy policies: Users of the app must be properly informed about what will happen to their personal data if they install and use the app. However, it may be inconvenient for users to be presented with a lengthy privacy policy or numerous prompts. The ICO encourages alternative ways to provide information on a device with a small screen and a touch-based interface, such as the ones described in ICO’s “Privacy notice code of practice.” Furthermore, the ICO flags the following important points:
  - Use plain English
  - Use language appropriate to the audience (e.g., children)
  - Be transparent about which data the app wants and why
  - Make the privacy information available as soon as practicable, ideally before the user downloads the app (e.g., via the app store or a link to the privacy policy)
  - Use just-in-time notifications or other alert systems for more intrusive data (e.g., GPS location) or unexpected processing (e.g., uploading data to the Internet)
  - Use a “layered” approach (e.g., first present a summary of the important points, with more detail readily available), if appropriate
- Give users feedback and control: Users should be allowed to make meaningful decisions. The ICO recommends that rather than giving users a single “all or nothing” choice, give users a granular choice where possible. This includes allowing users to easily review and change their decisions after the app is installed and used (e.g., menu and settings, privacy-friendly defaults). In addition, if geolocation services are running in the background, consider using clear and recognizable icons to indicate that this is occurring and, where necessary, include an option to stop.
- Keep the data secure: The ICO suggests ensuring that passwords are “appropriately salted and hashed on any central server.” In addition, the ICO suggests using “encrypted connections to ensure security of the data in transit, using SSL/TLS for instance,” especially where this includes “transmitting usernames, passwords and any particularly sensitive information, including device IDs or other unique IDs.” Whether transmitting or storing data, the ICO suggests using “tried and tested cryptographic methods, rather than implementing your own cryptography.” Furthermore, “be particularly careful if your app accesses data from other apps or locations.” Finally, “pay attention to vulnerabilities which are more relevant in a mobile apps environment” (e.g., inter-app injection flaws, failure to properly check SSL/TLS certificates).
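One way to implement the town-level default described under “Minimum data necessary,” as an added example that is not part of the ICO guidance or this alert; the town table, the `build_location_request` function and its `precise_opt_in` flag are constructed for illustration:

```python
import math

# Constructed lookup table of town centres (latitude, longitude in degrees).
# A real app would ship a fuller table with the app so the lookup itself
# never leaves the device.
TOWNS = {
    "Cambridge": (52.2053, 0.1218),
    "Oxford": (51.7520, -1.2577),
    "Reading": (51.4543, -0.9781),
    "Milton Keynes": (52.0406, -0.7594),
}


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    earth_radius_km = 6371.0
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(phi1) * math.cos(phi2) * math.sin(dlmb / 2) ** 2
    return 2 * earth_radius_km * math.asin(math.sqrt(a))


def nearest_town(lat, lon):
    """Resolve a GPS fix to the closest town entirely on the device."""
    return min(TOWNS, key=lambda town: haversine_km(lat, lon, *TOWNS[town]))


def build_location_request(lat, lon, precise_opt_in=False):
    """Build the payload the app would send to the recommendation server.

    Privacy-friendly default: only the town name leaves the device.
    Exact coordinates are included only when the user has explicitly
    changed the default (precise_opt_in=True), as the guidance allows.
    """
    if precise_opt_in:
        return {"lat": round(lat, 4), "lon": round(lon, 4)}
    return {"town": nearest_town(lat, lon)}
```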
Conclusion
The ICO guidance shows the need to consider privacy implications early on in the app development phase. It is a practical example of how to implement the “privacy by design” and “privacy by default” principles that are supported by EU regulators and will most likely be included in the upcoming EU Data Protection Regulation. The underlying message of the guidance is to take privacy into account at an early stage; this will help your app be compliant in the UK and other EU countries.
[1] “Privacy in mobile apps – Guidance for app developers,” UK ICO, available at http://ico.org.uk/for_organisations/data_protection/topic_guides/online/~/media/documents/library/Data_Protection/Deta.
[2] “European Regulators Issue Opinion on Mobile Apps,” WSGR Alert, March 22, 2013, available at http://www.wsgr.com/WSGR/Display.aspx?SectionName=publications/PDFSearch/wsgralert-EU-mobile-apps.htm.