Office of the Privacy Commissioner | Joint open letter to app marketplaces
The NZ Privacy Commissioner is among 23 privacy authorities from around the world which have signed an open letter to the operators of seven app marketplaces urging them to make links to privacy policies mandatory for apps that collect personal information. The 9 December 2014 letter was sent to Apple, Google, Samsung, Microsoft, Nokia, BlackBerry and Amazon, but is intended for all companies that operate app marketplaces.
Dear Sir or Madam,
We are writing to you as privacy enforcement authorities to highlight an important privacy issue for individuals, related to mobile applications (“apps”). While this letter has been addressed to a few key players that operate app marketplaces, our advice and recommendations are intended for all stakeholders that operate an app marketplace.
This year, the second annual Global Privacy Enforcement Network (GPEN) Privacy Sweep took place, involving 26 privacy enforcement authorities from around the world. The Sweep offered insights into the types of permissions sought by more than 1,200 of the world’s most popular apps and the extent to which consumers were informed about each app’s privacy practices.
One of the Sweep observations that was of particular concern was that there were numerous instances of apps which appeared to collect personal information but which did not have a privacy policy (or other up-front privacy information), thus removing the ability for individuals to be meaningfully informed when making decisions about the collection, use, and/or disclosure of their personal information. While, by our observation, most marketplaces allow app developers to include a link to a privacy policy, this did not appear to be a mandatory practice.
While app developers clearly have a responsibility to communicate their privacy practices, mobile operating system developers and other app marketplace operators play a unique and integral role in users’ interactions with apps, made available through their various app stores and app marketplaces. The app marketplace is an important consumer landing spot where individuals can search for new apps, read reviews, and access technical information about a particular app prior to downloading it - and this information is made available so individuals can make informed decisions about products in that marketplace.
Like any marketplace, there is an expectation that consumer protection issues will be addressed in a positive and privacy-friendly manner.
App marketplaces already facilitate communication about a number of matters related to apps, such as details of the app, age rating, size, and version. As noted, while privacy policy links sometimes appear in the app marketplace listings, we observed during the Sweep that this practice is not consistently applied. Given the wide range and potential sensitivity of the data stored in mobile devices, we firmly believe that privacy practice information (for example, privacy policy links) should be required (and not optional) for apps that collect data in and through mobile devices within an app marketplace store. Such links provide a simple and convenient manner for individuals to obtain privacy-related information which they need to be meaningfully informed regarding the collection and use of their data before making the decision to download the app.
All the undersigned privacy enforcement authorities believe that an app marketplace operator should, acting as a responsible corporate citizen, make the basic commitment to require each app that can access or collect personal information, to provide users with timely access to the app’s privacy policy. We therefore expect a marketplace operator would put in practice, if it has not already, this advice, and implement the necessary protections, to ensure the privacy practice transparency of apps offered in their stores.
Original signed by
Jill Clayton - Information and Privacy Commissioner of Alberta
Original signed by
Timothy Pilgrim - Privacy Commissioner of Australia
Original signed by
Jörg Klingbeil - Landesbeauftragter für den Datenschutz Baden-Württemberg
Original signed by
Thomas Kranig - President of the Bavarian Data Protection Authority for the private sector
Original signed by
Willem Debeuckelaere - President of the Belgian Commission for the protection of privacy
Original signed by
Elizabeth Denham - Information and Privacy Commissioner for British Columbia
Original signed by
Daniel Therrien - Privacy Commissioner of Canada
Original signed by
José Alejandro Bermúdez Durana - Superintendente Delegado para la Protección de Datos Personales, Colombia
Electronically authorised
Dr. Viljar Peep - Director General, Estonian Data Protection Inspectorate
Original signed by
Reijo Aarnio - Data Protection Ombudsman, Finland
Original signed by
Isabelle Falque-Pierrotin - Chairwoman of the CNIL
Original signed by
Paul J Canessa - Gibraltar Data Protection Commissioner
Original signed by
Allan Chiang - Privacy Commissioner for Personal Data, Hong Kong
Original signed by
Helen Dixon - Irish Data Protection Commissioner
Original signed by
Alon Bachar - Head of the Israeli Law, Information and Technology Authority
Original signed by
Antonello Soro - Il Presidente, Garante per la protezione dei dati personali, Italy
Original signed by
Chan Hoi Fan - Coordinator, Office for Personal Data Protection of Macao, China
Original signed by
Jacob Kohnstamm - Chairman, Dutch Data Protection Authority
Original signed by
John Edwards - New Zealand Privacy Commissioner
Original signed by
Bjørn Erik Thon - Data Protection Commissioner of Norway
Original signed by
Dr Byung Gyu No - Vice President, Korea Internet and Security Agency
Original signed by
Christopher Graham - Information Commissioner, United Kingdom
Electronically authorised
David Watts - Commissioner for Privacy & Data Protection, Office of the Victorian Privacy Commissioner