PRIVACY ISSUES FOR BUSINESSES IN THE APP UNIVERSE

The proliferation in smartphone and tablet use globally has been driven by their ability to host specially developed software applications, or "apps" as they are more commonly known.

Despite providing consumers with access to a vast array of services and information, apps increasingly seek to obtain significant amounts of the personal data that reside on a user's device. Naturally, this has led to a rise in privacy-related concerns. It is clear that businesses should be careful about how their apps operate to ensure regulatory compliance and continued customer loyalty.

This article looks at recent privacy-related incidents involving apps and outlines certain key issues for businesses to be aware of when including an app platform in their business strategy.

RECENT INCIDENTS

A number of recent data privacy incidents have involved apps that automatically obtain data residing on a user's smartphone or tablet.

For example, the practice of accessing and copying a user's contacts in a device's address book came to prominence earlier this year when a user of the iPhone app from Path noticed that his entire address book was being uploaded to the app's servers without his permission being asked for or given.

In June 2012, it was reported that the professional networking site LinkedIn was transmitting user data without their knowledge. After the Path and LinkedIn incidents, both companies said they would cease the practice.

Recently, a number of German Facebook users threatened to sue Facebook if it failed to update its service to provide a consent form for users who access the App Center on the website. A failure to obtain explicit consent was an alleged breach of European privacy laws.

As illustrated by these examples, collection of data via an app is often undertaken without the device owner's knowledge or consent. Regional data privacy laws and good business practice dictate that businesses intending to collect information relating to a user should seek their informed consent for, and prior to commencing, all data processing activities.

WHAT SHOULD BUSINESSES DO?

A successful app depends not just on how much end-user information it can obtain, but on the trust that can be built in your business in the online environment.

What can a business do to balance the benefits that can be obtained by knowing where an app's users are, their sex, age and the like, with building a trustworthy platform?

Firstly, the incidents above all point to a requirement for app development processes to include pre-launch assessments to ensure both compliance with applicable legislation and regulations and transparent data gathering approaches that do not threaten customer loyalty.

Secondly, as with any online presence, it is essential that businesses have a clear privacy policy that sets out exactly how they will collect, handle and intend to use personal information collected through their apps. A common approach we have seen is for businesses to reuse their standard website privacy policies for their apps, but these do not address the specific issues raised by the increased functionality and data creation potential of apps.

If an app will be used to collect personal information then, as a general approach, the informed consent of users should be sought. Some of the information that should be communicated to users of an app includes:

  • What data will be collected – is it just the user's contact details or does it extend to the user's location, the contact details of other users of the device or any one of a number of other pieces of information that may be ascertained from using the app?
  • The length of time such data is to be retained – certain jurisdictions have strict regulations and legislation around how long a business can store certain types of information.
  • Why the data is being collected – it is no secret that the profitability of many apps, especially in startups, relies on in-app advertising and this, in turn, depends on providing advertisers with as much information about users as possible.
  • Which, if any, third parties might have access to the data – it is common practice for a business to cross-refer customer information within its group of companies and even to external third parties (or store it with third parties, either locally or off-shore).
  • Any specific features of the data collection – this may include location-based information or voice data.

Even if information is going to be harvested from an app in such a way that personal data will be stripped out, it is good practice to tell users all of these things and obtain their consent in any event – this fosters trust in the app and, more importantly, the business's brand.

NAVIGATING APP PRIVACY ISSUES

Successfully entering the app market requires businesses to think about privacy issues and ensure that their existing privacy policies reflect the scope of data collection that may occur through a user's interaction with their app. In developing your privacy policy, as with all issues relating to the cross-border collection and flow of personal data, you should seek appropriate advice to avoid any risks while still being able to ensure the full value of the app to your business.

© DLA Piper

This publication is intended as a general overview and discussion of the subjects dealt with. It is not intended to be, and should not be used as, a substitute for taking legal advice in any specific situation. DLA Piper Australia will accept no responsibility for any actions taken or not taken on the basis of this publication.


DLA Piper Australia is part of DLA Piper, a global law firm, operating through various separate and distinct legal entities. For further information, please refer to www.dlapiper.com