Late last month, the Federal Privacy Commissioner and Alberta and British Columbia Information and Privacy Commissioners issued new privacy guidelines for mobile app developers to assist them in complying with Canadian privacy laws. In making the announcement, the Federal Privacy Commissioner’s office said:
“The mobile era has led to the placing of an increasing amount of personal data such as contacts, photos, emails and texts onto one device, which can be tracked in real time. As a result, mobile apps may not just provide users with unparalleled information and fun at their fingertips, but also hold the potential for comprehensive individual surveillance. A recent study showed that privacy concerns are swaying consumer choices. In September, the Pew Research Center released a report finding 57 per cent of users surveyed had either dropped or avoided installing an app over concerns about use of their personal information.”
The new privacy guidelines for app developers are generally structured around the following five core principles: accountability, transparency, collection, meaningful consent in the context of small screens and user notices and timing of consent.
Best Practices Checklist
More specifically, the guidelines provide a detailed discussion of the types of potential privacy issues that the Federal and Provincial privacy authorities see in relation to the rapidly developing mobile app industry and the following best practices checklist (a sort of do’s and don’ts privacy compliance list for app developers):
You are accountable for your conduct and your code
Your company, which may just be you, is responsible for all personal information collected, used and disclosed by your mobile app.
Make sure to have controls in place, such as contracts or user agreements, to ensure that third parties accessing personal information through your app are respecting their privacy obligations.
Map out where the information is going and identify potential privacy risks.
Be open and transparent about your privacy practices
Develop a privacy policy that informs users, in simple language, what your app is doing with their personal information.
Post a privacy policy where users can easily find it, and where it is readily accessible to potential users who are considering downloading your app.
Have a monitoring program in place to ensure that personal information is being handled in the way described in your privacy policy.
When updating an app, inform users of any changes to the way their personal information is handled, and give them an easy way of refusing the update.
Collect and keep only what your app needs to function (and secure it)
Limit data collection to what is needed to carry out legitimate purposes.
Do not collect data because you think it may be useful in the future.
Allow users to opt out of data collection outside of what they would reasonably expect is necessary for the functioning of the app.
Have appropriate safeguards to protect personal information (and use encryption when storing and transmitting personal data).
Allow users to delete the personal information your app has collected. If they delete the app, their data should be deleted automatically.
Obtain meaningful consent despite the “small screen challenge”
Select the right strategy to convey privacy rules in a way that is meaningful on the small screen.
This could include: layering privacy information, placing important points up front and providing links to more detailed explanations; a privacy dashboard that displays a user’s privacy settings and provides a convenient means of changing them; and visual cues such as graphics, colour and sound to draw user attention to what is happening with their personal information, the reasons for it, and choices available to the user.
Timing of user notice and consent is critical
Users should be told how their personal information is being handled at the time they download the app, when they first use the app, and throughout their app experience, to ensure their consent remains meaningful and relevant.
Be thoughtful and creative when deciding when to deliver privacy messages to most effectively capture users’ attention and achieve the most impact at the right time, without causing notice fatigue. For example, if your app is about to actively tag photos with the user’s location data, you could activate a symbol as a cue to the user, providing them with a choice to refuse.
____________________
For copies of the Federal Privacy Commissioner’s news release and guidelines see: Privacy Commissioners Help Developers Seize Opportunity to Create Privacy-Friendly Apps and Seizing Opportunity: Good Privacy Practices for Developing Mobile Apps.
For more information about our regulatory law services contact us: contact
For more regulatory law updates follow us on Twitter: @CanadaAttorney
Templates/precedents and checklists to run promotional contests in Canada
Templates/precedents and checklists to comply with Canadian anti-spam law (CASL)
