Inside Internal Controls

News and discussion on implementing risk management

Privacy practices for developing mobile applications (apps)


Image: Idea go /

Privacy practices, and all things mobile, are both hot topics these days. This is in part because mobile devices and apps are fun, cool, provide value, and are on the rise. They are used by professionals of all types and by people of almost any age, including our youth. This in turn feeds the assumption that technology in general, including mobile devices and applications (apps), is threatening the privacy rights of individuals.

With this in mind, on October 29, 2012, the Privacy Commissioners of Canada, Alberta, and British Columbia published a detailed guidance document on privacy considerations for developing mobile apps.

This document starts by pointing out that Canada’s privacy laws require all businesses to balance innovation and entrepreneurialism with effective privacy protection, and that this applies to mobile app developers whether they work on their own or on behalf of an organization. The document also emphasizes that:

“…there is an expectation and a legal requirement that app users are to be informed of what information is being collected, used and disclosed about them, as a matter of transparency and openness, and for their consent to be meaningful”.

The document further notes that:

  • given the popularity of apps, mobile app developers can expect increased scrutiny of the privacy practices in their industry in the years ahead, both by regulators and by the market itself, driven by increasingly informed, discerning and influential consumers
  • mobile app developers need to improve their privacy practices and the features of their apps, as both are fundamental to helping users decide which apps they will trust and continue to use
  • following these practices will help to reassure users that the app developer has given the protection of the user’s privacy the attention it deserves

Within the document there is a checklist of key considerations, including:

  • the critical importance of the timing of the user notice and of obtaining meaningful consent;
  • being accountable for conduct and code;
  • being open and transparent about privacy practices; and
  • collecting and keeping only what the app needs to function, and securing it.

Further, the guidelines suggest that developers:

  • Build a privacy management program that includes assigning one person, or a team of persons, to be responsible for privacy protections
  • Establish a privacy policy
  • Create a description of the data collection, usage and flow that can be mapped and evaluated in accordance with the privacy policy
  • Institute proper controls, such as contracts or user agreements in accordance with your privacy policy, to ensure that third parties accessing collected data are bound to comply with the privacy requirements

I contacted Absolute Software (one of the stakeholders concerned with the guidelines) to obtain some feedback about the Privacy Commissioners’ initiative. Caroline Nelson, Corporate Counsel for Absolute Software, responded by stating:

“We support the direction being taken by the Privacy Commissioners of Canada’s new guidance entitled ‘Seizing Opportunity: Good Privacy Practices for Developing Mobile Apps’. With the rapid growth of mobile apps we are pleased to see guidance put in place to protect the privacy of Canadian consumers. This guidance will educate consumers about the information being gathered and accessed through mobile apps. We are carefully reviewing the guidance to identify appropriate changes to our own initiatives.”

While most mobile app developers will likely, in time, respond in the same way as Absolute Software, in the meantime it may be that:

  • many consumers will continue using and adding mobile apps without knowledge of, or concern for, the degree to which an app does or does not adhere to privacy laws or the new guidance
  • the related risks will be particularly high during the current holiday and gift-giving season, which may yield interesting news in 2013
  • particular aspects of the guidance may be difficult for mobile app developers to apply quickly, either going forward or retroactively
  • particular aspects, once implemented, may provide the most practical value (e.g., a sub-point of obtaining meaningful consent says that selecting the right strategy to convey privacy rules in a way that is meaningful on the small screen could include a privacy dashboard that displays a user’s privacy settings and provides a convenient means of changing them)

As always, comments are welcomed.

In the meantime, I would like to wish you all a happy holiday season and a great new year.

Ron Richard, I.S.P., ITCP/IP3P
Ron Richard

Quality, Information Technology and Enterprise Risk Management specialist at Ron Richard Consulting
Ron Richard, Quality, Information Technology and Enterprise Risk Management specialist, has held positions at almost every level of an organization and has acquired more than 30 years of relevant experience, including related work done at the College of the North Atlantic. Ron is the author of Inherent Quality Simplicity and of the Inside Internal Control newsletter’s Modern Quality Management series.