Privacy Policies and other legal documentation are occasionally viewed as an afterthought of the mobile development process—something to be hastily included after all of the conceptual design and development work is complete. This legal safeguarding may seem like a last-minute addition that doesn’t merit much thought, but it may be the most important component of your entire business.
Only a few weeks ago, social app Path was fined nearly 1 million dollars by the FTC (Federal Trade Commission) for privacy violations. The $800,000 penalty stemmed from two lethal mistakes made by the app:
- storing third-party names and numbers from their users’ address books, without proper disclosure;
- failing to comply with the provisions of COPPA, a law that applies to every app that knowingly collects information from children.
But there’s more. The FTC published a long document with recommendations for app developers and even platform-specific advisement for big platforms like Android and iOS.
Privacy by Design
The FTC wants app developers to use a (relatively) new approach called “Privacy by Design.” “Companies should build in privacy at every stage in developing their products.” This means a number of things:
- before building an app or a feature, think of the privacy implications;
- if you collect information, protect it. Follow the security recommendations of the FTC (with special attention to the third-party software you used) and be careful not to overpromise or make generic reassuring statements;
What Does It Mean for App Developers?
There are known best practices—some of them coming from the California Attorney General—to give you some legal protection and prevent problems, privacy breaches, and lawsuits. But this is what the FTC actually says that developers should do.
You should provide “just-in-time disclosures” and obtain affirmative express consent when collecting sensitive information from outside the platform’s API.
You already know that iOS pops up a notification that a certain app is requesting access to the user’s location or other private data. In this case, the disclosure and the consent are taken care by Apple. But, your app might as well collect other important stuff, and a pop-up notification is the best way to make sure the users know. FTC names financial, health, or children’s data, but also a generic “sharing sensitive data with third parties” as sensitive private information, so it’s best to err on the side of caution.
Know the legal implications of the code you’re using.
It’s normal for app developers to use third-party packages, SDK, and the like. You should make sure this code is secure and fully understand exactly what information it pulls, because you’re ultimately legally responsible for it. There’s a long list of questions to ask yourself, including:
- Does this library or SDK have known security vulnerabilities?
- Has it been tested in real-world settings?
- Have other developers reported problems?