A recent survey of over 1,200 of the top mobile apps in 19 countries by the Global Privacy Enforcement Network (“GPEN”) has found that 85% of the apps reviewed were non-compliant, failing to provide even the most basic privacy information to users.
In addition, 43% failed in their obligation to tailor privacy notices to smaller screens and almost 30% unlawfully requested excessive personal data from users.
Concerns for users are compounded given the lightning speed at which new apps are hitting the market. Last year, for example, in excess of 1 million apps were reported to be available via Apple’s iOS App Store.
Should developers care about these findings?
In short, yes, especially given that the UK privacy regulator, the Information Commissioner’s Office (“ICO”), has recently conducted research that demonstrates that around half of app users have decided against downloading an app due to privacy concerns at some point in time.
Risk for developers does not stop there either.
As has been well reported elsewhere, privacy regulators in Europe now have the power to fine developers “on the spot” who breach relevant laws. For example, in the UK, the ICO has the power to issue fines up to £500K (approximately US$800K).
Some regulators, including the ICO, have further announced that “mobile” has now been moved to the top of the enforcement agenda. In other words, the regulators do have a stick and they appear willing to use it.
When brand damage associated with any enforcement action (such actions are published) and potential civil action is thrown into the mix, this could well compound problems, or even sound the death knell, for any developer who chooses to ignore privacy compliance.
I’m an app developer – what should I do?
The ICO has published guidance for app developers to help them understand their legal obligations when collecting personal data and to ensure users’ privacy. By adhering to this guidance, developers will be much less likely to fall foul of EU/UK privacy laws and find themselves on the end of an enforcement action.
The guidance covers key issues such as how to communicate privacy related information to users, how to obtain meaningful consent from users (all in the context of a small screen), as well as how developers should keep information within an app secure.
Top tips for privacy compliance during app development include: (i) using “in-time” notifications when more intrusive data is being collected, e.g., GPS location data; (ii) using links to separate sections of a privacy policy and to keep things short and snappy (given the size of screens involved); and (iii) avoiding being legalistic in language used in privacy notices.
Comment
This app sweep by GPEN is one of the latest initiatives which suggests regulators are taking compliance issues in this area much more seriously and that a greater use of enforcement action is on the horizon. The time is ripe, therefore, for developers to audit their data collection and data use activities and to review the policies they have in place to assess their exposure to regulatory enforcement. Transparency and clarity are key. Adhering to such principles should not only help keep the regulators at bay, but also have a significant effect on a developer’s bottom line.