Late last month, the Federal Privacy Commissioner and Alberta and British Columbia Information and Privacy Commissioners issued new privacy guidelines for mobile app developers to assist them in complying with Canadian privacy laws. In making the announcement, the Federal Privacy Commissioner’s office said:
“The mobile era has led to the placing of an increasing amount of personal data such as contacts, photos, emails and texts onto one device, which can be tracked in real time. As a result, mobile apps may not just provide users with unparalleled information and fun at their fingertips, but also hold the potential for comprehensive individual surveillance. A recent study showed that privacy concerns are swaying consumer choices. In September, the Pew Research Center released a report finding 57 per cent of users surveyed had either dropped or avoided installing an app over concerns about use of their personal information.”
The new privacy guidelines for app developers are generally structured around the following five core principles: accountability, transparency, collection, meaningful consent in the context of small screens and user notices and timing of consent.
Best Practices Checklist
More specifically, the guidelines provide a detailed discussion of the types of potential privacy issues that the Federal and Provincial privacy authorities see in relation to the rapidly developing mobile app industry and the following best practices checklist (a sort of do’s and don’ts privacy compliance list for app developers):
You are accountable for your conduct and your code
Your company, which may just be you, is responsible for all personal information collected, used and disclosed by your mobile app.
Make sure to have controls in place, such as contracts or user agreements, to ensure that third parties accessing personal information through your app are respecting their privacy obligations.
Map out where the information is going and identify potential privacy risks.
Be open and transparent about your privacy practices
Develop a privacy policy that informs users, in simple language, what your app is doing with their personal information.
Post a privacy policy where users can easily find it, and where it is readily accessible to potential users who are considering downloading your app.
Have a monitoring program in place to ensure that personal information is being handled in the way described in your privacy policy.
When updating an app, inform users of any changes to the way their personal information is handled, and give them an easy way of refusing the update.
Collect and keep only what your app needs to function (and secure it)
Limit data collection to what is needed to carry out legitimate purposes.
Do not collect data because you think it may be useful in the future.
Allow users to opt out of data collection outside of what they would reasonably expect is necessary for the functioning of the app.
Have appropriate safeguards to protect personal information (and use encryption when storing and transmitting personal data).
Allow users to delete the personal information your app has collected. If they delete the app, their data should be deleted automatically.
Obtain meaningful consent despite the “small screen challenge”
Select the right strategy to convey privacy rules in a way that is meaningful on the small screen.
This could include: layering privacy information, placing important points up front and providing links to more detailed explanations; a privacy dashboard that displays a user’s privacy settings and provides a convenient means of changing them; and visual cues such as graphics, colour and sound to draw user attention to what is happening with their personal information, the reasons for it, and choices available to the user.
Timing of user notice and consent is critical
Users should be told how their personal information is being handled at the time they download the app, when they first use the app, and throughout their app experience, to ensure their consent remains meaningful and relevant.
Be thoughtful and creative when deciding when to deliver privacy messages to most effectively capture users’ attention and achieve the most impact at the right time, without causing notice fatigue. For example, if your app is about to actively tag photos with the user’s location data, you could activate a symbol as a cue to the user, providing them with a choice to refuse.
____________________
SERVICES AND CONTACT
I am a Toronto competition/antitrust lawyer and advertising/marketing lawyer who helps clients in Toronto, Canada and the US practically navigate Canada’s advertising and marketing laws and offers Canadian advertising/marketing law services in relation to print, online, new media, social media and e-mail marketing.
My Canadian advertising/marketing law services include advice in relation to: anti-spam legislation (CASL); Competition Bureau complaints; the general misleading advertising provisions of the federal Competition Act; Internet, new media and social media advertising and marketing; promotional contests (sweepstakes); and sales and promotions. I also provide advice relating to specific types of advertising issues, including performance claims, testimonials, disclaimers, drip pricing, astroturfing and native advertising.
For more information about my services, see: services
To contact me about a potential legal matter, see: contact
For more regulatory law updates follow me on Twitter: @CanadaAttorney
