Navigating App Privacy Laws and Best Practices
By Tim Kridel for Digital Innovation Gazette
More than half of app users have uninstalled or decided to not install an app due to concerns about personal information, according to a recent Pew Internet Project survey. If that isn’t motivation enough to protect customer privacy, consider the growing number of federal and state laws penalizing breaches.
But how can developers determine which laws apply? And what about industry best practices such as those from the Mobile Marketing Association (MMA) and CTIA – The Wireless Association? We spoke with Alan Chapell, co-chair of the MMA’s privacy and advocacy committee, about what developers need to know to protect customer privacy -- and, in the process, their app’s market potential.
A new Pew survey reiterates why app developers need to take privacy concerns seriously. But how can developers determine which federal, state and local laws apply to their app?
And last, but certainly not least, the office of California Attorney General Kamala D. Harris recently reached an agreement with mobile application platforms on a set of principles designed to ensure compliance with California’s Online Privacy Protection Act.
If developers have questions about privacy laws and industry best practices, and they can’t find the answers in the MMA’s collateral, where can they turn for additional information?
A.C.: All of the resources listed above are excellent. However, it is always a good idea to work with a qualified attorney and privacy professional to best understand the current legal framework and ensure that your business has embraced a “privacy by design” approach. App developers may also want to consider laws the European Union and other places where consumers may be downloading their applications.
How do privacy considerations vary by the app’s target demographic? For example, if the app is aimed at kids and teenagers, is there a different set of considerations versus an app designed for adults? Or if they're developing an app for a healthcare client, how do they determine whether HIPAA applies?
A.C.: In the U.S., the collection of personally identifiable information from children under 13 by website operators is subject to the Children’s Online Privacy Protection Act (COPPA). The Federal Trade Commission is seeking public comment on additional proposed modifications to COPPA, which should certainly be considered by companies operating in the mobile space.
The digital advertising trade associations (e.g., the Network Advertising Initiative and Digital Advertising Alliance, the latter of which includes the Mobile Marketing Association) have incorporated the spirit of COPPA in that they treat even non-PII segments of persons under 13 as deserving additional consideration in digital advertising. Similarly, the digital advertising trade associations have recognized that certain medical conditions and information that may be used to make adverse credit or employment decisions as being worthy of additional consideration. They’ve incorporated those considerations into the DAA Code, available at www.aboutAds.info.
What are some cautionary tales that illustrate what happens when a developer doesn't take privacy concerns seriously?
A.C.: Any company operating in the digital marketing ecosystem should take special care to ensure that they are operating within the confines of law and current best practice standards. Failing to incorporate a “privacy-by-design” approach can result in an investigation by regulators such as the Federal Trade Association and state attorneys general.
Moreover, there have been several examples over the years of companies in the digital marketing space (e.g., Ringleader Digital) being the subject of class action suits for alleged privacy issues. And even Apple’s apparent decision to depreciate mobile unique identifiers has impacted companies seeking to deliver, tailor and report on mobile advertising campaigns on behalf of their advertising clients.
There are a lot of APIs available from carriers and other third parties that allow developers to do various things with their apps. What privacy-related issues should developers keep in mind when using those APIs?
A.C.: While I think the carriers and mobile app platform providers are increasingly doing a better job of policing around privacy in their ecosystem, mobile app developers should recognize that their interests are not always perfectly aligned with those of the other companies with whom they partner. As such, it is important to build an internal checklist of considerations.
Firstly, developers should only obtain information that they actually need for a reasonable business purpose. Do apps really need to collect precise location information at all times, even when the app isn’t running? Developers should also consider whether the entity providing the information has the rights to provide it to them via that API.
Is a consumer’s consent required for the developer (or any third party advertising partners the developer is working with) to obtain, use and/or store that information? Does any of the information they are obtaining fall into any of the potentially sensitive segments such as those discussed above? Do they have the right to transfer any of this data to others such as an advertiser or other third party? These are just a few examples.
Photo: Corbis Images
Copyright (c) 2012 Studio One Networks. All rights reserved.>