Companies that create and distribute mobile apps are under increasing pressure to protect user data. In 2013, the U.S. Federal Trade Commission and the California Attorney General each published privacy recommendations for mobile apps. Among other things, the FTC urges “privacy by design,” advising companies to build privacy protections into apps from the outset. The FTC also has updated its regulations on children’s privacy to address the mobile realm.

What exactly should an app developer do as a practical matter to stay on the right side of these emerging legal rules?

1. Meet Early With Your App Development Team

A quick note on vocabulary: This guidance is intended for the companies that are known in the parlance of the mobile space as app “developers.” Let’s say that Company X wants to issue a mobile app to consumers, and it hires a vendor to write the code. Company X, not the code-writing vendor, is the developer.

What the FTC calls “privacy by design,” an internal lawyer at an app developer should call “get yourself into the first meeting.” That is, be there in the room with your businesspeople and sensitize them to privacy concerns when the app is initially being designed. Nothing is more important. It is generally too late to effectively vet an app for privacy concerns if you come in toward the end when the app is mostly “baked.”

Your goal is to gather information. First, understand exactly how the app will function. Second, inventory what personally identifiable information (PII) the app could collect. PII includes obvious items like name, email address and credit card number, and less-obvious items like geo-location information and persistent identifiers associated with a smartphone (e.g., the unique device identifier [UDID] or Apple’s identifier for advertising [IFA or IDFA]) that can be used to track a user across apps. Third, identify what PII the app really needs for its basic functions. PII should be collected only when it’s intrinsic to those functions—not because a programmer thinks it’s interesting, or because you might have a need for it in the future. Location data may be necessary for a restaurant locator app, but probably not for a flashlight app.

After that, list any “sensitive information” the app may collect or access. This includes precise geo-location data (e.g., street address or coordinates), contacts, photos/videos, financial or medical information, and information like race or religion. Lastly, identify any third parties that will collect app data or run app analytics on your company’s behalf. Is your company using a vendor to collect and maintain data? Will third-party code be integrated into the app to gather analytics (e.g., audience metrics and usage data)? Will ads be delivered in the app through use of an advertising network?

With this information, you are ready to move on to the fun part—actually building privacy protections into the app. The FTC says those protections should provide “transparency” and “control.” That means providing users with clear notices about the data that will be collected and getting user consent when appropriate.

2. Be Transparent, Starting With Your Privacy Policy