Privacy policies have long been the domain of the desktop web experience. For anyone motivated enough to seek them out, they are commonly found in a utility bar at the top of a web page, or buried somewhere in the site’s footer. The policy typically governs what the site owner does with users’ information – from personal information actively submitted through a form, to broader information passively attained such as browser type or device, and how the site uses cookies and similar technologies to track users’ online activity.
With the explosion of mobile devices, app developers face a much broader scope of information that privacy policies must address. With the treasure trove of information available via users’ mobile devices, developers must take great pains to detail what information is gathered and how that information is used. Privacy policies not only inform a user-base and foster good-will, but also ensure that the application does not abuse its access to information and run afoul of the law.
Just last month, the Federal Trade Commission (FTC) came down hard on a development company for failing to properly inform users how it gathered and shared their information. This is the first time the FTC has taken enforcement action regarding location-based technology, and it should serve as a reminder to app developers of the importance of creating and adhering to a privacy policy.
Idaho-based Goldenshores Technology LLC was the subject of the FTC’s action, and the infringing app is the innocuous-sounding Brightest Flashlight app. As the name suggests, when activated the app illuminates a mobile device’s screen and/or the camera flash, allowing the device to serve as a flashlight. A free app and popular download on Android devices, Brightest Flashlight has over 100 million users.
The app’s privacy policy stated that users’ data would only be used for internal purposes. Users even had the option to check a box to refuse both location tracking and the collection and sharing of that information with third parties. The checkbox provided a false choice, however, because regardless of which selection a user had made, the company shared precise location data and unique device ID information with third-party advertisers.
In response to the FTC’s enforcement, Goldenshores Technology agreed to rewrite its privacy policy to accurately describe what information is used and how that information is shared with third parties. The company also agreed to delete the existing personal information it collected from its users.
Goldenshores also faces possible liability of $16,000 for each violation, to be determined by the FTC in the pending consent order.
With the cautionary tale of Goldenshores Technology in mind, what do app developers need to consider when crafting a privacy policy?
The following list may serve as a good starting point:
- Clearly communicate the types of information collected by the app
Mobile apps can collect various types of information – from call logs and device location, to email and text message data. While the collection of some information may seem more intrusive than others, clearly defining what information is collected and how it is used may assuage users’ concerns. Even more significant, however, is prominent disclosure of actual practices and consistency between the practices disclosed and the practices actually followed.
Swiftkey is a popular text prediction app that allows users to quickly type out messages on a mobile device by predicting users’ next words. The app is customized to each individual by examining the writing habits of the user. It does this, however, by scanning (with permission) users’ text messages, emails and social media posts to determine their writing styles and language usage. While this may raise user privacy concerns, the company behind the service has been transparent about the information collected and how it is used. Swiftkey’s privacy policy provides detailed information about the use and storage of personal information. Apparently, with over 1 million downloads and several “Editor’s Choice” awards, users have voted through their actions that privacy concerns are outweighed by the app’s utility.
- Understand the Landscape of Information Sharing and Third Parties
While there are still many stand-alone apps, many more exist within a networked environment, connecting to and sharing information with other services. For example, it is now a common feature to sign in to a third-party service using a Facebook or Twitter account. A range of third-party apps leverage the popularity of those social media sites by integrating with their application programming interfaces (APIs), connecting users seamlessly with already existing accounts. Such apps include Runkeeper’s health-and-fitness tracking app and the popular Huffington Post news feed app.
In employing these services, app developers must understand that they are accepting the Facebook or Twitter API terms of service. Those terms include what may be done with the information shared with the API, and may directly affect what is done with the information users share with the third-party app. Developers should inform their intended users of any related privacy policies that may impact the use and collection of user information.
- Be aware of the Children’s Online Privacy Protection Act
App developers must understand that their services may be impacted by federal regulations. For example, if the app targets children under the age of 13, the collection of information must adhere to the Children’s Online Privacy Protection Act (COPPA), covering what type of information is collected, with whom information is shared and what is done with the information. Furthermore, notices to parents must be provided and verifiable parental consent must be obtained.
- Follow Your Policies
Finally, as illustrated by the Brightest Flashlight app case, the problem was not that Goldenshores Technology shared users’ information with advertisers, but that its actions were contrary to its stated policies. Giving users the option to opt out of sharing information with third parties but then ignoring that choice essentially violated users’ trust (as well as their contract rights). As obvious as it may seem, the terms set forth in a developer’s own privacy policy should be followed by the developer itself. As is the case with the Swiftkey app, even terms that seem invasive at first blush may be accepted if the service proves valuable enough.