Office of the Privacy Commissioner | Apps guidance
NEED TO KNOW OR NICE TO HAVE : Making app privacy your competitive advantage
Apps can gather large amounts of data about their users, but users generally won’t focus on this – they just want the app to do what it says it does.
When apps don’t convey basic information about what the business is collecting personal information for, it’s hard for people to feel confident that their information is being looked after. But when an app developer finds a way to be clear about what is happening, people notice. It’s a way to convey to users that you’re trustworthy, that you know the value of their information and you’ll treat it with respect.
For this reason, it’s really important that local agencies, businesses and app developers know that collecting more information than you need is unlawful. It is also important that when these apps require permissions that might not make sense at first glance, the customer is told and can understand why these permissions are be necessary.
Developers need to plan how they will handle information they collect and generate. This guide is here to help you build user trust and loyalty through solid privacy practices.
The guide is built on five simple, but key points:
|
1. |
Integrating privacy starts on day one - make a plan and spot the risks [more] |
|
2. |
Be open and transparent about your privacy practices - when a user makes decisions - to download your app, update it, or share personal information - be there with the right information [more] |
|
3. |
Collect and keep only what your app needs to function, and secure it - "Nice to know" doesn't mean "need to know" [more] |
|
4. |
Obtain meaningful consent despite the small screen challenge - spend time working out how to make privacy understandable and relatable with the tools you have [more] |
|
5. |
Timing of user notice and consent is critical - providing information in real time is as important as being up front in advance [more]. |
For more information, click through any of the points above. Keep reading the more general advice below or download the whole guide as a pdf here [PDF, 1.9 MB].
Getting privacy right for apps
Apps can gather large amounts of data about their users, but users generally won’t focus on this – they just want the app to do what it says it does.
We all know about the sneaky ‘clone’ apps, siphoning up personal information or tricking you into endless micro-transactions, but what about the photography app that says it needs your location? What about the banking app that wants access to your address book?
In December last year 64% of New Zealanders between 16 and 65 owned a smartphone.[1] However, not all of them know exactly what it can do. In a recent Netsafe survey, 75% of NZ respondents reported there was nothing sensitive stored on their smartphone.
Consumers assume that established, trusted businesses will develop trustworthy apps. A strong brand can be enough to persuade a person that the permissions an app wants are necessary. If they’re not, the brand will suffer along with the developer.
For this reason, it’s really important that local agencies, businesses and app developers know that collecting more information than you need is unlawful. It is also important that when these apps require permissions that might not make sense at first glance, the customer is told and can understand why these permissions are be necessary.
Make user privacy your competitive advantage
Privacy is part of the landscape, and users are getting more and more privacy literate. If you treat them with respect, they’ll be more likely to trust you.
When apps don’t convey basic information about what the business is collecting personal information for, it’s really hard for people to feel confident that their information is being looked after.
It also means that when an app is clear about what is happening, it stands out. It’s a way to convey to users that you’re trustworthy, that you know the value of their information and you’ll treat it with respect.
Letting people know what you’re doing is the bare minimum. Conveying it in a way that they can process without a law degree is better. But really, we want to see privacy threading its way through the design process from start to finish – putting together a privacy policy should come naturally because you want to tell users what’s going on.
How does the Privacy Act apply to developers?
The Privacy Act 1993 is New Zealand's main privacy law. It covers “personal information”. If you’re using personal information in your app you need to comply with the Privacy Act.
Personal information is any piece of information that relates to a living, identifiable human being. People’s names, contact details, financial, health, or purchase records: anything that you can look at and say “this is about an identifiable person."
Even if no names appear, it could be personal information. The question is whether there’s a reasonable chance that someone could be identified from the information. The information does not need to be “secret” or “sensitive” – it just needs to be about them.
The Act is structured around 12 information privacy principles. These principles can be summarised as:
1. Only collect personal information if you really need it.
2. Get it straight from the people concerned where possible.
3. Tell them what you're going to do with it.
4. Be considerate when you're getting it.
5. Take care of it once you've got it.
6. People can see their personal information if they want to.
7. They can correct it if it's wrong.
8. Make sure personal information is correct before you use it.
9. Get rid of it when you're done with it.
10. Use it for the purpose you got it.
11. Only disclose it if you have a good reason.
12. Only assign unique identifiers where permitted.
Together, these principles form a kind of ‘life-cycle' for personal information.
Agencies must first decide what information they need, and where and how they are going to get it. They then need to ensure they hold the information with appropriate protections and that they comply with any access or correction requests they receive. Finally, personal information should be used and disclosed with care and kept securely, and in line with the purposes for which the information was collected.
Key privacy considerations for developing mobile apps
The treasure trove of data carried around by each user, the breakneck development cycle and the need to communicate with users through a small glass rectangle mean that the mobile environment presents a unique challenge for privacy, but not an insurmountable one. A little bit of extra care needs to be taken.
Developers need to plan how they will handle information they collect and generate.
This guide is here to help you build user trust and loyalty through solid privacy practices.
It's not just about compliance
The Privacy Act sets out the obligation to inform users, but make sure you’re working towards informing users and not to show that you’re legally compliant.
When people try and comply with our Act (and others) there’s a tendency to go heavy on the legalese. We don’t think the users should have to have a law degree to read the terms of service. We believe you’ve got a responsibility to speak to users in language that they understand. To ensure that when they do consent, it’s informed.
As phone manufacturers invent more sensors, and as people find more ways to collate and exploit information, you can expect increased scrutiny from us, from other privacy regulators and from the market itself.
Acknowledgements
We would like to thank the Office of the Privacy Commissioner of Canada, Information and Privacy Commissioner of Alberta and Information and Privacy Commissioner for British Columbia for their guidance entitled Seizing Opportunity: Good Privacy Practices for Developing Mobile Apps (October 2012), which we have adapted to the New Zealand context.
[1] Frost & Sullivan: By 2018, New Zealand will have 90% smartphone and 78% tablet ownership levels - http://www.frost.com/prod/servlet/press-release.pag?docid=288249825