OAIC releases privacy ‘better practice guide’ for mobile app developers

The Office of the Australian Information Commissioner (OAIC) has been busy of late.  As well as releasing the second stage of its Draft Australian Privacy Principles Guidelines for consultation in late September, it recently sent an open letter to Facebook, which we posted about here.

However, it’s not very often that we see regulators encouraging the use of graphics, colour and sound, but the ‘Mobile Privacy’ guide (Guide), released by the OAIC on Monday does just that.  These ‘common sense’ lessons can be adopted with much broader application than just the privacy space [Eds: we’re imagining clear, colourful, social media house rules or website terms and conditions!]. The Guide is a ‘better practice guide’ for mobile app developers grappling with their privacy requirements, both under the existing National Privacy Principles (NPPs), and the incoming Australian Privacy Principles (APPs), which will commence from 12 March 2014.  A copy of the Guide is available online here.

But privacy statements usually look boring.  How do graphics, colour and sound come into it?

The OAIC acknowledges that obtaining meaningful consent from users is difficult, particularly on a small mobile screen.  Coining it “the small screen challenge” the Guide then goes on to discuss ways to ensure users get appropriate notice, and avoid “notice fatigue” (where people ignore notices or warnings because of over-exposure).  The OAIC suggests:

• using short form notices, which are specific, targeted, and no longer than a single screen, and which draws user attention to any collection, use or disclosure that they would not otherwise reasonably expect;
• providing a privacy dashboard, an easy-to-use tool which allows users to tighten their settings and explains the consequences of making a choice to provide data; and
• using techniques other than text, including:
  • graphics (suggesting that the first layer of your mobile privacy policy could be icons, labels or images which link to more-detailed text, or activating a symbol or icon to raise user awareness at a moment when sensitive information is about to be transmitted and user consent is required, for examples, see Aza Raskin’s Alpha Release of Privacy Icons available online here);
  • colour (alerting the user by changing the intensity of the colour in a way which corresponds with the importance of the decision or the sensitivity of information); and/or
  • sound (ie scaling the device’s volume to draw attention to a privacy-related decision that needs to be made in a timely way).

The Guide then suggests that if your app uses these tools, you should also offer an alternative way for users with a disability (ie those who are blind and use screenreaders, colourblind, deaf or hard of hearing) to get the information.

It’s not all about the pretty pictures.  Timing is important too.

Wherever possible, mobile app developers should seek express consent from users to any changes that could impact on their privacy.  The Guide suggests that “when people use mobile devices, their attention can be intermittent and limited” [Eds: social media users, multi-taskers? Never!]  For this reason, timing of notice and consent is also critical.  Suggested practices include:

• highlighting privacy practices during the download/purchase process and also upon first use; and
• providing ‘in-context notices’ (ie if your app takes photos or video, providing clear notice about what information will be collected and used the first time the user activates the photo or video function).

And it’s not just on the surface.  Make sure you’ve got the back office in order. [Eds: say it with us… “governance”]

The Guide is focussed on helping mobile app developers to embed better privacy practices in their products, and encourages a ‘privacy by design’ approach, where privacy and data protection is built up front, into the design specifications and architecture of apps.  The Guide encourages:

• applying privacy-enhancing practices throughout the life cycle of personal information handling, from collection, to use (including data matching, targeted advertising and analytics), disclosure, storage and destruction;
• conducting a Privacy Impact Assessment in the planning stages for an app, to map where information is going, identify potential privacy risks, and assist with privacy planning (for more information see the OAIC’s Privacy Impact Assessment guide online here);
• identifying someone to be responsible for privacy protection;
• putting in place controls (ie contracts or user agreements) to ensure third parties which access personal information through your app respect their privacy obligations; and
• putting in place appropriate safeguards (ie encryption) to protect the personal information you are handling.

So what if I don’t?

The Guide suggests that given the popularity of apps, app developers should expect increased scrutiny of privacy practices in the app industry in the years to come, both from regulators and the market itself, “driven by increasingly informed, discerning and influential customers”.  The Guide includes many examples and survey results of user backlash over privacy concerns, including that 69% of Australians surveyed had refused to use an application or website because it collected too much personal information.[1]  There are many examples of similar user backlash, for example the Instagram saga of late 2012, which we posted about here.  The examples of reputational damage are backed up by hefty legal consequences including changing the way your app handles personal information, paying compensation to affected users, or (after 12 March 2013), a civil penalty.

The Guide also includes a six point checklist and three pages of informative links to other sources.  While this year has seen many different guidelines released suggesting different ways for companies and brands to approach legal issues in the online space, it’s quite refreshing to see some really useful and practical suggestions.  Whether you’re an app developer, advertiser, mobile platform provider, or privacy lawyer, it’s definitely worth a read.  Stay tuned for updates in this constantly developing area.