The Attorney General of California has made it clear that the state's Online Privacy Protection Act (CalOPPA) will be enforced against mobile apps. To make sure these laws are actually followed, California's Department of Justice set up a Privacy Enforcement and Protection Unit in July 2012. This may sound as if it only concerns developers based in California, but it is in fact a call for compliance to anyone whose app may reach Californians.
Path, Delta and others have been charged or fined for non-compliance with privacy laws. Both the FTC and the Attorney General of California have published guidelines on what to consider when developing mobile applications.
The simple first question to ask yourself is: does my app collect, store or share personal data?
Personal data can be many things: a first and last name, an email address, a telephone number, location data, and much more, including data gathered for analytics or advertising (these are among the examples of personally identifiable information given by the AG of California).
Last year AG Harris and the six leading mobile application platform providers agreed to bring the mobile application industry into compliance with CalOPPA under a two-page Joint Statement of Principles. More dedicated state laws are very likely to follow soon.
Let's assume your app is geared towards European users. The picture doesn't change. The relevant EU legal framework is the Data Protection Directive (95/46/EC). It applies whenever the use of apps on smart devices involves processing personal data of individuals. In practice that means whenever your app is used in the EU, even if you are not established there: the national law of a Member State also applies where the controller is not established on Community territory but makes use of equipment situated on the territory of that Member State, and since the user's device is instrumental in processing personal data from and about the user, this criterion is usually fulfilled. In that case you need to ensure compliance with all the requirements defined under the Data Protection Directive.
The ePrivacy Directive (2002/58/EC, as revised by 2009/136/EC) sets a specific standard for all parties worldwide that wish to store information on, or access information already stored on, the devices of users in the European Economic Area. Many of its provisions may not apply to you directly as a developer, but the one that matters most for mobile platforms is Article 5(3). It states that storing information, or gaining access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information, in accordance with Directive 95/46/EC, among other things about the purposes of the processing.
It is important for app developers to know that both directives are mandatory law: the individual's rights are non-transferable and cannot be waived by contract. This means the applicability of European privacy law cannot be excluded by a unilateral declaration or a contractual agreement.
Therefore you must tell your users:
- who you are (identity and contact details),
- what precise categories of personal data the app wants to collect and process,
- why the data processing is necessary (for what precise purposes),
- whether data will be disclosed to third parties (not a generic statement, but a specific description of whom the data will be disclosed to),
- what rights users have, in terms of withdrawal of consent and deletion of data.
That is what European law requires whenever your app serves European citizens. This document by the Article 29 Working Party provides useful insight.
Similar laws exist in most major jurisdictions, with variations that may apply to your particular situation. Here's a link to Australia's Information Commissioner and its documentation.
Third Party Services/App Stores
There is more to consider than skimming legislation. Here are two more things for you:
What Could Possibly Happen if I Don’t Include One?
Luckily a) is no longer true: iubenda's editor makes it very easy to create compliant privacy policies for mobile apps quickly.
As for b), most of you will know about Path's costly $800,000 settlement, as well as Delta's court case, which put the company at risk of a $2,500 fine for every app download (the case has been dismissed recently, but it surely won't rest there). Similar, less well-known cases exist as well.
Rest assured that in the wake of PRISM and the growth of the mobile ecosystem, all of the above will only become more important, not less. Be clever and play by the rules.
While this post covers some of the reasons and legal grounds for privacy policies in mobile apps, it doesn't say much about the situation across the app stores. That's why we've compiled two guides on that topic:
Hopefully these resources will be helpful on the way to your perfect app store listing.